ardamax | e1eceb0b8bdf4631690be12d1488df50b9babb9e5600f0bed39e42e3c885fcbc

Analysis

max time kernel
141s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-11-2024 23:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

887e4fbd329e5238367e5c73033ed2e5_JaffaCakes118.exe
Size

4.3MB
MD5

887e4fbd329e5238367e5c73033ed2e5
SHA1

20ebd911eee996e569beb2dd51b35f775a5e0c06
SHA256

e1eceb0b8bdf4631690be12d1488df50b9babb9e5600f0bed39e42e3c885fcbc
SHA512

2bdd1c95ae7fdeae2479d3cce3b7e72d4f645fde291644531a9d2f5ca83c465e9154371f9ca8447af14e60925fd4f201ae9de199ed6b9bb0dadce8ebea26889c
SSDEEP

98304:L/394YXd94uVCpx18A4clyK5ms6TvaYP1DpQiQhV8eVmqkly/h:54YEuVCXp4cMiLYPPiUeVm4h

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

Processes:

resource	yara_rule
C:\Windows\SysWOW64\28463\FLRV.exe	family_ardamax

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

887e4fbd329e5238367e5c73033ed2e5_JaffaCakes118.exeALE.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	887e4fbd329e5238367e5c73033ed2e5_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	ALE.EXE

Executes dropped EXE 2 IoCs

Processes:

ALE.EXEFLRV.exe

pid process

1616 ALE.EXE
3312 FLRV.exe
Loads dropped DLL 4 IoCs

Processes:

ALE.EXEFLRV.exe

pid process

1616 ALE.EXE
3312 FLRV.exe
3312 FLRV.exe
3312 FLRV.exe

pid	process
1616	ALE.EXE
3312	FLRV.exe

pid	process
1616	ALE.EXE
3312	FLRV.exe
3312	FLRV.exe
3312	FLRV.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

FLRV.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FLRV Agent = "C:\\Windows\\SysWOW64\\28463\\FLRV.exe"	FLRV.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 7 IoCs

Processes:

ALE.EXEFLRV.exe

description	ioc	process
File created	C:\Windows\SysWOW64\28463\key.bin	ALE.EXE
File created	C:\Windows\SysWOW64\28463\AKV.exe	ALE.EXE
File opened for modification	C:\Windows\SysWOW64\28463	FLRV.exe
File created	C:\Windows\SysWOW64\28463\FLRV.001	ALE.EXE
File created	C:\Windows\SysWOW64\28463\FLRV.006	ALE.EXE
File created	C:\Windows\SysWOW64\28463\FLRV.007	ALE.EXE
File created	C:\Windows\SysWOW64\28463\FLRV.exe	ALE.EXE

Drops file in Windows directory 4 IoCs

Processes:

887e4fbd329e5238367e5c73033ed2e5_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\ALE.EXE	887e4fbd329e5238367e5c73033ed2e5_JaffaCakes118.exe
File created	C:\Windows\CVDGF058.JPG	887e4fbd329e5238367e5c73033ed2e5_JaffaCakes118.exe
File created	C:\Windows\VDGF058.JPG	887e4fbd329e5238367e5c73033ed2e5_JaffaCakes118.exe
File created	C:\Windows\CALE.EXE	887e4fbd329e5238367e5c73033ed2e5_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

887e4fbd329e5238367e5c73033ed2e5_JaffaCakes118.exeALE.EXEFLRV.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	887e4fbd329e5238367e5c73033ed2e5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ALE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FLRV.exe

Modifies registry class 44 IoCs

Processes:

FLRV.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27D1EA6B-8841-4152-BEAE-C83DACD32410}\InProcServer32\	FLRV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C862A86E-A02C-A4AC-E69F-AB28AA187BDF}\2.8\0	FLRV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C862A86E-A02C-A4AC-E69F-AB28AA187BDF}\6.0\0\	FLRV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27D1EA6B-8841-4152-BEAE-C83DACD32410}\TypeLib\ = "{C862A86E-A02C-A4AC-E69F-AB28AA187BDF}"	FLRV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27D1EA6B-8841-4152-BEAE-C83DACD32410}\VersionIndependentProgID	FLRV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27D1EA6B-8841-4152-BEAE-C83DACD32410}\ProgID\	FLRV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C862A86E-A02C-A4AC-E69F-AB28AA187BDF}\2.8\0\win64\	FLRV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C862A86E-A02C-A4AC-E69F-AB28AA187BDF}\6.0\	FLRV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C862A86E-A02C-A4AC-E69F-AB28AA187BDF}\6.0\FLAGS	FLRV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27D1EA6B-8841-4152-BEAE-C83DACD32410}\TypeLib	FLRV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27D1EA6B-8841-4152-BEAE-C83DACD32410}	FLRV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27D1EA6B-8841-4152-BEAE-C83DACD32410}\InProcServer32	FLRV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C862A86E-A02C-A4AC-E69F-AB28AA187BDF}	FLRV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C862A86E-A02C-A4AC-E69F-AB28AA187BDF}\2.8\0\win32	FLRV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C862A86E-A02C-A4AC-E69F-AB28AA187BDF}\2.8\0\win32\ = "C:\\Program Files (x86)\\Common Files\\System\\ado\\msador28.tlb"	FLRV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C862A86E-A02C-A4AC-E69F-AB28AA187BDF}\2.8\0\win64	FLRV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C862A86E-A02C-A4AC-E69F-AB28AA187BDF}\6.0	FLRV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C862A86E-A02C-A4AC-E69F-AB28AA187BDF}\6.0\0\win32\ = "C:\\Program Files (x86)\\Common Files\\System\\ado\\msador15.dll"	FLRV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27D1EA6B-8841-4152-BEAE-C83DACD32410}\InProcServer32\ = "%SystemRoot%\\SysWow64\\wisp.dll"	FLRV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C862A86E-A02C-A4AC-E69F-AB28AA187BDF}\	FLRV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C862A86E-A02C-A4AC-E69F-AB28AA187BDF}\2.8\FLAGS\ = "0"	FLRV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C862A86E-A02C-A4AC-E69F-AB28AA187BDF}\6.0\ = "Microsoft ActiveX Data Objects Recordset 6.0 Library"	FLRV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27D1EA6B-8841-4152-BEAE-C83DACD32410}\VersionIndependentProgID\ = "Wisptis.TabletManager"	FLRV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C862A86E-A02C-A4AC-E69F-AB28AA187BDF}\2.8	FLRV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C862A86E-A02C-A4AC-E69F-AB28AA187BDF}\6.0\0\win64\	FLRV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27D1EA6B-8841-4152-BEAE-C83DACD32410}\ProgID	FLRV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C862A86E-A02C-A4AC-E69F-AB28AA187BDF}\2.8\	FLRV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C862A86E-A02C-A4AC-E69F-AB28AA187BDF}\2.8\0\win32\	FLRV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C862A86E-A02C-A4AC-E69F-AB28AA187BDF}\6.0\0	FLRV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C862A86E-A02C-A4AC-E69F-AB28AA187BDF}\6.0\0\win64\ = "C:\\Program Files\\Common Files\\System\\ado\\msador15.dll"	FLRV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C862A86E-A02C-A4AC-E69F-AB28AA187BDF}\6.0\FLAGS\ = "0"	FLRV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27D1EA6B-8841-4152-BEAE-C83DACD32410}\ = "Sasonis.Vicoqmasi Object"	FLRV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C862A86E-A02C-A4AC-E69F-AB28AA187BDF}\2.8\FLAGS	FLRV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C862A86E-A02C-A4AC-E69F-AB28AA187BDF}\6.0\0\win32	FLRV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C862A86E-A02C-A4AC-E69F-AB28AA187BDF}\6.0\0\win64	FLRV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27D1EA6B-8841-4152-BEAE-C83DACD32410}\TypeLib\	FLRV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27D1EA6B-8841-4152-BEAE-C83DACD32410}\VersionIndependentProgID\	FLRV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27D1EA6B-8841-4152-BEAE-C83DACD32410}\ProgID\ = "Wisptis.TabletManager.1"	FLRV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C862A86E-A02C-A4AC-E69F-AB28AA187BDF}\2.8\ = "Microsoft ActiveX Data Objects Recordset 2.8 Library"	FLRV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C862A86E-A02C-A4AC-E69F-AB28AA187BDF}\2.8\0\	FLRV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C862A86E-A02C-A4AC-E69F-AB28AA187BDF}\2.8\0\win64\ = "C:\\Program Files\\Common Files\\System\\ado\\msador28.tlb"	FLRV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C862A86E-A02C-A4AC-E69F-AB28AA187BDF}\2.8\FLAGS\	FLRV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C862A86E-A02C-A4AC-E69F-AB28AA187BDF}\6.0\0\win32\	FLRV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C862A86E-A02C-A4AC-E69F-AB28AA187BDF}\6.0\FLAGS\	FLRV.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

FLRV.exe

description pid process

Token: 33 3312 FLRV.exe
Token: SeIncBasePriorityPrivilege 3312 FLRV.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

FLRV.exe

pid process

3312 FLRV.exe
3312 FLRV.exe
3312 FLRV.exe
3312 FLRV.exe
3312 FLRV.exe

description	pid	process
Token: 33	3312	FLRV.exe
Token: SeIncBasePriorityPrivilege	3312	FLRV.exe

pid	process
3312	FLRV.exe
3312	FLRV.exe
3312	FLRV.exe
3312	FLRV.exe
3312	FLRV.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

887e4fbd329e5238367e5c73033ed2e5_JaffaCakes118.exeALE.EXE

description	pid	process	target process
PID 1520 wrote to memory of 1616	1520	887e4fbd329e5238367e5c73033ed2e5_JaffaCakes118.exe	ALE.EXE
PID 1520 wrote to memory of 1616	1520	887e4fbd329e5238367e5c73033ed2e5_JaffaCakes118.exe	ALE.EXE
PID 1520 wrote to memory of 1616	1520	887e4fbd329e5238367e5c73033ed2e5_JaffaCakes118.exe	ALE.EXE
PID 1616 wrote to memory of 3312	1616	ALE.EXE	FLRV.exe
PID 1616 wrote to memory of 3312	1616	ALE.EXE	FLRV.exe
PID 1616 wrote to memory of 3312	1616	ALE.EXE	FLRV.exe

C:\Users\Admin\AppData\Local\Temp\887e4fbd329e5238367e5c73033ed2e5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\887e4fbd329e5238367e5c73033ed2e5_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Windows\ALE.EXE
  "C:\Windows\ALE.EXE"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Windows\SysWOW64\28463\FLRV.exe
    "C:\Windows\system32\28463\FLRV.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@AE12.tmp

Filesize
4KB

MD5
d73d89b1ea433724795b3d2b524f596c

SHA1
213514f48ece9f074266b122ee2d06e842871c8c

SHA256
8aef975a94c800d0e3e4929999d05861868a7129b766315c02a48a122e3455d6

SHA512
8b73be757ad3e0f2b29c0b130918e8f257375f9f3bf7b9609bac24b17369de2812341651547546af238936d70f38f050d6984afd16d47b467bcbba4992e42f41

Download Submit
C:\Windows\ALE.EXE

Filesize
783KB

MD5
c57e6e9bcf0c0252692a379082353555

SHA1
0d30ba2da6bd3366a4c4f06fccc624989c3df425

SHA256
a0fdf80be32bd36f13b5d0fc53400e33bf84e64d0c8955fc7f88ed77475bdf4e

SHA512
17aa5f1c6a7df4d80e3179bb8ed3aa55ae680450beba57a583e2d9f326bb352dc336ad25209b157a33309a7831eee0c773f2eaa2975c3a38a2b0a361146d796f

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
457KB

MD5
97eee85d1aebf93d5d9400cb4e9c771b

SHA1
26fa2bf5fce2d86b891ac0741a6999bff31397de

SHA256
30df6c8cbd255011d80fa6e959179d47c458bc4c4d9e78c4cf571aa611cd7d24

SHA512
8cecc533c07c91c67b93a7ae46102a0aae7f4d3d88d04c250231f0bcd8e1f173daf06e94b5253a66db3f2a052c51e62154554368929294178d2b3597c1cca7e6

Download Submit
C:\Windows\SysWOW64\28463\FLRV.001

Filesize
444B

MD5
1c9c169d8bde064ed8770d4be13be8d4

SHA1
868d4b8efc748117f2b4d17e60328c0fe610a203

SHA256
816c7eaf58d1d635afebe3cc21324970cfb51b249e9ba0806cb013046ef6422c

SHA512
b1e34a8510e58ef4f999019ccafc863591e5934b48b4332a019aa9e7d25edd82b125cb138d5a77a84005986b5221d7f78fcf6827bb36fd8e82c5e04cabb9377c

Download Submit
C:\Windows\SysWOW64\28463\FLRV.006

Filesize
8KB

MD5
35b24c473bdcdb4411e326c6c437e8ed

SHA1
ec1055365bc2a66e52de2d66d24d742863c1ce3d

SHA256
4530fcc91e4d0697a64f5e24d70e2b327f0acab1a9013102ff04236841c5a617

SHA512
32722f1484013bbc9c1b41b3fdaf5cd244ec67facaa2232be0e90455719d664d65cae1cd670adf5c40c67f568122d910b30e3e50f7cc06b0350a6a2d34d371de

Download Submit
C:\Windows\SysWOW64\28463\FLRV.007

Filesize
5KB

MD5
a8e19de6669e831956049685225058a8

SHA1
6d2546d49d92b18591ad4fedbc92626686e7e979

SHA256
34856528d8b7e31caa83f350bc4dbc861120dc2da822a9eb896b773bc7e1f564

SHA512
5c407d4aa5731bd62c2a1756127f794382dc5e2b214298acfa68698c709fbbe3f2aa8dbdcbef02ed2a49f8f35969959946e9f727895bdca4500d16e84f4ef2e8

Download Submit
C:\Windows\SysWOW64\28463\FLRV.exe

Filesize
646KB

MD5
b863a9ac3bcdcde2fd7408944d5bf976

SHA1
4bd106cd9aefdf2b51f91079760855e04f73f3b0

SHA256
0fe8e3cd44a89c15dec75ff2949bac1a96e1ea7e0040f74df3230569ac9e37b0

SHA512
4b30c3b119c1e7b2747d2745b2b79c61669a33b84520b88ab54257793e3ed6e76378dea2b8ff048cb1822187ffdc20e921d658bb5b0482c23cfa7d70f4e7aa1a

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
106B

MD5
639d75ab6799987dff4f0cf79fa70c76

SHA1
be2678476d07f78bb81e8813c9ee2bfff7cc7efb

SHA256
fc42ab050ffdfed8c8c7aac6d7e4a7cad4696218433f7ca327bcfdf9f318ac98

SHA512
4b511d0330d7204af948ce7b15615d745e8d4ea0a73bbece4e00fb23ba2635dd99e4fa54a76236d6f74bdbcdba57d32fd4c36b608d52628e72d11d5ed6f8cde2

Download Submit
memory/1520-25-0x0000000000400000-0x0000000000850000-memory.dmp

Filesize
4.3MB

Download
memory/3312-58-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/3312-54-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/3312-41-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/3312-40-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/3312-39-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/3312-38-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/3312-69-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/3312-68-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/3312-67-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/3312-66-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/3312-65-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/3312-64-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/3312-63-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/3312-62-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/3312-61-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/3312-60-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/3312-59-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/3312-43-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/3312-57-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/3312-56-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/3312-55-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/3312-42-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/3312-53-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/3312-52-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/3312-51-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/3312-50-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/3312-49-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/3312-48-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/3312-47-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/3312-46-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/3312-45-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/3312-44-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/3312-71-0x0000000003350000-0x0000000003353000-memory.dmp

Filesize
12KB

Download
memory/3312-75-0x0000000003370000-0x0000000003371000-memory.dmp

Filesize
4KB

Download
memory/3312-74-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/3312-37-0x00000000022F0000-0x000000000234A000-memory.dmp

Filesize
360KB

Download
memory/3312-35-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3312-73-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/3312-72-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/3312-83-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3312-85-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/3312-84-0x00000000022F0000-0x000000000234A000-memory.dmp

Filesize
360KB

Download
memory/3312-86-0x00000000033A0000-0x00000000033A1000-memory.dmp

Filesize
4KB

Download
memory/3312-90-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download