ardamax | df77f23a93811be258c168169a6245c3a7c8ee7d37801b985c9e745e88f2c5fd

Analysis

max time kernel
134s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
05-10-2024 09:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
Size

1.7MB
MD5

1709e7af5a45280e565fa95f331404b0
SHA1

e30a3c9ba1a0feb4050ff28dec9b8f066972ae5e
SHA256

df77f23a93811be258c168169a6245c3a7c8ee7d37801b985c9e745e88f2c5fd
SHA512

65b4a2f0df5f776d9f9e5fb55585395deb20101a370e49e2e16764d6d9ee83756e440b894696fd58daf27119324b9a7c7279e18ca4023373dc41ef6a0eaf0296
SSDEEP

24576:/ReoHLlYd7vb63wWgombBhfJgey3U5DY/ohuQW/t3jt/g3FsK06G:QohY1vqU1bBhfm0O1v/g3Fn/G

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023c91-36.dat	family_ardamax

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	Exporer32.exe

Executes dropped EXE 2 IoCs

pid	Process
3280	Exporer32.exe
4232	DIVI.exe

Loads dropped DLL 1 IoCs

pid	Process
3280	Exporer32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DIVI Agent = "C:\\Windows\\SysWOW64\\28463\\DIVI.exe"	DIVI.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\DIVI.001	Exporer32.exe
File created	C:\Windows\SysWOW64\28463\DIVI.006	Exporer32.exe
File created	C:\Windows\SysWOW64\28463\DIVI.007	Exporer32.exe
File created	C:\Windows\SysWOW64\28463\DIVI.exe	Exporer32.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	Exporer32.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\PCGWIN32.LI4	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Exporer32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DIVI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\{11670095-22656874-3E208C5C-826859B9}	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\{11670095-22656874-3E208C5C-826859B9}\ = 7fff5dd0cffca2515834f094e479db14b6b4ea1bb9f1a8e04487cac5de68cde280e99e384d6adf80b25b2749f57fd4edc45c5b4ef19cdc8df15cdaa2e56820448a85a6a7a5ba3728559a7bb6a95bdcc9cce001da0b894198f37616dafaced11dcf0f623df06fd5ddcb7046af1b5dc973a42e19428bd6660525db7b0ed1bc77ee55a3477e152d4b5f3ecdd27fb9add43c89107bf0e95c80324a96f874ec58c174b814d638b596a8053ce7908a8c3f7dad90bcc66e05a2e7e1f50c98fec9d3a4beaad21f414dd75ffacdd09c4933dbe90ec4bccaac7f5fedb2e0ee05dd5773b5d994cff4e2255e07cc05c0a7c3f561d4df39cd5700856ca883a0a1e1d0537eb992500744757417d8c54f5b7d71935f8e0d9c433316690a1fe00d05e35b367194d3c876c5a55b47c965e324de344c98e23227de858d88e39846f5b5285bdc49cd6380c988b8612ee3e2c6d805f13b675125b8b76a55b87bd52ec77c5a2ef03cd3ecc1417c1811f4876b1a59f08fdda2f3a896e7853a0bee79dd108cf8a0ab791eebccfeddecf35f6e32e2ee117dcb1006b8b42feb3dbeef6c22004eb2421ea7cce5a108db3c4e6ce282efbf02ad66dcba31572745156bbbd9d68cca617fdf12f2ce21435b1671bae351b64b2559cbcfe6a2f46fa902c4b0541d880f7fddf0e3adb02ec8c2cc480d98262c44f9ed9516dc9b55b5a0620dba7d30426b053798c84d425a6f9eb4509be680452b6e7967e0c108	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\{11670095-22656874-3E208C5C-826859B9}\ = 7fff5dd0cffca2515834f094e479db14b6b4ea1bb9f1a8e04487cac5de68cde280e99e384d6adf80b25b2749f57fd4edc45c5b4ef19cdc8dce9f4332e26820448a85a6a7a5ba3728559a7bb6a95bdcc9cce001da0b894198f37616dafaced11dcf0f623df06fd5ddcb7046af1b5dc973a42e19428bd6660525db7b0ed1bc77ee55a3477e152d4b5f3ecdd27fb9add43c89107bf0e95c80324a96f874ec58c174b814d638b596a8053ce7908a8c3f7dad90bcc66e05a2e7e1f50c98fec9d3a4beaad21f414dd75ffacdd09c4933dbe90ec4bccaac7f5fedb2e0ee05dd5773b5d994cff4e2255e07cc05c0a7c3f561d4df39cd5700856ca883a0a1e1d0537eb992500744757417d8c54f5b7d71935f8e0d9c433316690a1fe00d05e35b367194d3c876c5a55b47c965e324de344c98e23227de858d88e39846f5b5285bdc49cd6380c988b8612ee3e2c6d805f13b675125b8b76a55b87bd52ec77c5a2ef03cd3ecc1417c1811f4876b1a59f08fdda2f3a896e7853a0bee79dd108cf8a0ab791eebccfeddecf35f6e32e2ee117dcb1006b8b42feb3dbeef6c22004eb2421ea7cce5a108db3c4e6ce282efbf02ad66dcba31572745156bbbd9d68cca617fdf12f2ce21435b1671bae351b64b2559cbcfe6a2f46fa902c4b0541d880f7fddf0e3adb02ec8c2cc480d98262c44f9ed9516dc9b55b5a0620dba7d30426b053798c84d425a6f9eb4509be680452b6e794fcabcce	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\{D50DBC70-EDF2330C-38FF8F7C}	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\{D50DBC70-EDF2330C-38FF8F7C}\ = "107532867"	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\{11670095-22656874-3E208C5C-826859B9}\ = 7fff5dd0cffca2515834f094e479db14b6b4ea1bb9f1a8e04487cac5de68cde280e99e384d6adf80b25b2749f57fd4edc45c5b4ef19cdc8dce9f4332e2682044c957cea1a5ba3728559a7bb6a95bdcc9cce001da0b894198f37616dafaced11dcf0f623df06fd5ddcb7046af1b5dc973a42e19428bd6660525db7b0ed1bc77ee55a3477e152d4b5f3ecdd27fb9add43c89107bf0e95c80324a96f874ec58c174b814d638b596a8053ce7908a8c3f7dad90bcc66e05a2e7e1f50c98fec9d3a4beaad21f414dd75ffacdd09c4933dbe90ec4bccaac7f5fedb2e0ee05dd5773b5d994cff4e2255e07cc05c0a7c3f561d4df39cd5700856ca883a0a1e1d0537eb992500744757417d8c54f5b7d71935f8e0d9c433316690a1fe00d05e35b367194d3c876c5a55b47c965e324de344c98e23227de858d88e39846f5b5285bdc49cd6380c988b8612ee3e2c6d805f13b675125b8b76a55b87bd52ec77c5a2ef03cd3ecc1417c1811f4876b1a59f08fdda2f3a896e7853a0bee79dd108cf8a0ab791eebccfeddecf35f6e32e2ee117dcb1006b8b42feb3dbeef6c22004eb2421ea7cce5a108db3c4e6ce282efbf02ad66dcba31572745156bbbd9d68cca617fdf12f2ce21435b1671bae351b64b2559cbcfe6a2f46fa902c4b0541d880f7fddf0e3adb02ec8c2cc480d98262c44f9ed9516dc9b55b5a0620dba7d30426b053798c84d425a6f9eb4509be680452b6e79d55c69df	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4364 wrote to memory of 3280	4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe	92
PID 4364 wrote to memory of 3280	4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe	92
PID 4364 wrote to memory of 3280	4364	1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe	92
PID 3280 wrote to memory of 4232	3280	Exporer32.exe	93
PID 3280 wrote to memory of 4232	3280	Exporer32.exe	93
PID 3280 wrote to memory of 4232	3280	Exporer32.exe	93

C:\Users\Admin\AppData\Local\Temp\1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1709e7af5a45280e565fa95f331404b0_JaffaCakes118.exe"
1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Users\Admin\AppData\Local\Temp\Exporer32.exe
  "C:\Users\Admin\AppData\Local\Temp\Exporer32.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3280
- - C:\Windows\SysWOW64\28463\DIVI.exe
    "C:\Windows\system32\28463\DIVI.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:4232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@CF17.tmp

Filesize
4KB

MD5
a33680859a24229dc931c0e8a82ae84a

SHA1
dff1e7e7160ffbfaae221cd3a85de40722fddde6

SHA256
d5913b88289154f5979c03325b29f00d1d8c6a1e5f6195df915d96a46d0f71f3

SHA512
a419214699ab3478926fbb7f621a616e192eae22db20e72c83a4b529ba5307ab4dc906e0b1286bc4e4cb13ba1e28fb93fa4918c3ff7345273197e39c206c10bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Exporer32.exe

Filesize
1.5MB

MD5
545ae8f2d286615ce2c143284e446ffe

SHA1
e0c41db5ae6835cfabd402052b10651a2c72feb8

SHA256
be7b8f20c58a171b15fb2001870380e2b1bc9a5fe926172cf908c3017af53180

SHA512
ed7d6d61289101e8291ce99991d5e612b3dad44f331ac0754f71f2c910f76f4b9966aba4025fe73eec1ef450a8a206802a7b8edfe11ed27feb982b53d8b46d18

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
393KB

MD5
1e13f68fd4258a545d262c77e38c76cd

SHA1
b8f6710c83e52ad354d8763a1b51293ee5758956

SHA256
d7785409d6e2512d9d907670f79b313192a85138707c6ca0cc59a71f8fd6a247

SHA512
938880407818a1489ecb9911cf05d4c9b69ecb2e0f908c3d3b8ba87b8c437ae16916e46bdf780bba24c38ad2c3981a5dcd4d3acd8ea227ac4dced12f1ca21eb3

Download Submit
C:\Windows\SysWOW64\28463\DIVI.001

Filesize
380B

MD5
27aff5a3ef3cd098c5c361dfbe80c75b

SHA1
237659b5bdc3f89c835459e6042909aeb95344b6

SHA256
9dae7ebf7fbc9c31ae865d50b7003b25abf3dc2cf90a865fe219e4300af7a8f2

SHA512
cff865341279dea2c648a9a8692968c5d770fca54a5c2db453bea53fe8bef285125958508676e46f4962455befb24dcff264dc730d2f62ad7678af7d32f00011

Download Submit
C:\Windows\SysWOW64\28463\DIVI.006

Filesize
7KB

MD5
46e0f5831dfe24c3105ef20190c5f0d7

SHA1
dbd701062695f9df971bffc1fa433eb18ef61727

SHA256
d7c7932d10e19ebde38c50583b4f5a0215a0ac88a2b131ea1b2a97824af759f9

SHA512
3dbe9e90f989ae3939d304f9f7822c3886e2d76ef575162e6a0518b61f5a52fcd8d0c63e06bbcf920c6f8298cb918ef5f3c0b92d42e99fa3eaabd787fc686a61

Download Submit
C:\Windows\SysWOW64\28463\DIVI.007

Filesize
5KB

MD5
70c68ec7e4e7f18abf35d47976a47f0f

SHA1
f1263f67e712760e055833d3030ed4583611ad6f

SHA256
cb8664787c631611643518ca2853f10ba9d460c25e476f55fb1b9f79838801fb

SHA512
80cad83643c9c83be70809eebb4b662f58a323cbd5f1bfbc328722fbfa16f1a846f9ef159552a066850f12157cb7388d6ab37ea6f4e7563fff7cc26258b77a81

Download Submit
C:\Windows\SysWOW64\28463\DIVI.exe

Filesize
471KB

MD5
328ef8c28309203cfbe5655274d5ea48

SHA1
403399787e94f7d4e3c8e237e25399263e9f4047

SHA256
0f92918405d195ce10b0c897f07a73493d06e9e49505371a525d50cea75213bb

SHA512
93dde6ab2d06af2d09b7f52619f2f475912152bbfd4b4ff93796eeffe7363f0ee777f4a46edb808039466fe0f82036dc291a378d4a8c6e407f0e1d4f3f6ea40a

Download Submit
memory/4232-48-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/4364-17-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4364-31-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4364-32-0x0000000002170000-0x0000000002185000-memory.dmp

Filesize
84KB

Download
memory/4364-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4364-1-0x0000000002170000-0x0000000002185000-memory.dmp

Filesize
84KB

Download