ardamax | 8c870eec48bc4ea1aca1f0c63c8a82aaadaf837f197708a7f0321238da8b6b75

Analysis

max time kernel
39s
max time network
149s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 11:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
Size

783KB
MD5

e33af9e602cbb7ac3634c2608150dd18
SHA1

8f6ec9bc137822bc1ddf439c35fedc3b847ce3fe
SHA256

8c870eec48bc4ea1aca1f0c63c8a82aaadaf837f197708a7f0321238da8b6b75
SHA512

2ae5003e64b525049535ebd5c42a9d1f6d76052cccaa623026758aabe5b1d1b5781ca91c727f3ecb9ac30b829b8ce56f11b177f220330c704915b19b37f8f418
SSDEEP

12288:0E9uQlDTt8c/wtocu3HhGSrIilDhlPnRq/iI7UOvqF8dtbcZl36VBqWPH:FuqD2cYWzBGZohlE/zUD8/bgl2qW/

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000019223-16.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
1964	DPBJ.exe

Loads dropped DLL 4 IoCs

pid	Process
1520	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
1520	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
1964	DPBJ.exe
1964	DPBJ.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DPBJ Agent = "C:\\Windows\\SysWOW64\\28463\\DPBJ.exe"	DPBJ.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 38 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_31_18.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_31_20.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_31_00.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\DPBJ.009.tmp	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_30_53.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_31_02.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_31_17.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\DPBJ.001	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
File created	C:\Windows\SysWOW64\28463\DPBJ.007	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_31_07.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_30_57.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_31_04.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_30_55.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_30_59.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_31_01.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_31_14.jpg	DPBJ.exe
File opened for modification	C:\Windows\SysWOW64\28463\DPBJ.009	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_30_54.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_31_15.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_31_03.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_31_11.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\DPBJ.009	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_30_58.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_31_05.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_31_08.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_31_09.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_31_10.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\DPBJ.006	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
File created	C:\Windows\SysWOW64\28463\key.bin	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_31_19.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_30_52.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_31_06.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_31_13.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\DPBJ.exe	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
File opened for modification	C:\Windows\SysWOW64\28463	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_30_56.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_31_16.jpg	DPBJ.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DPBJ.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies registry class 33 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CDC25F3B-89FD-FC7F-50BF-FD6CEC4F34D2}\1.0\0\win32	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CDC25F3B-89FD-FC7F-50BF-FD6CEC4F34D2}\1.0\FLAGS	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E4473737-B395-49A8-2AA6-93ED7EDCD6A0}\TypeLib\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E4473737-B395-49A8-2AA6-93ED7EDCD6A0}\ProgID\ = "MsScp.MSSCP.1"	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CDC25F3B-89FD-FC7F-50BF-FD6CEC4F34D2}\	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CDC25F3B-89FD-FC7F-50BF-FD6CEC4F34D2}\1.0	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CDC25F3B-89FD-FC7F-50BF-FD6CEC4F34D2}\1.0\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CDC25F3B-89FD-FC7F-50BF-FD6CEC4F34D2}\1.0\FLAGS\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E4473737-B395-49A8-2AA6-93ED7EDCD6A0}\InprocServer32\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CDC25F3B-89FD-FC7F-50BF-FD6CEC4F34D2}\1.0\0\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E4473737-B395-49A8-2AA6-93ED7EDCD6A0}\TypeLib\ = "{CDC25F3B-89FD-FC7F-50BF-FD6CEC4F34D2}"	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E4473737-B395-49A8-2AA6-93ED7EDCD6A0}\VersionIndependentProgID\ = "MsScp.MSSCP"	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E4473737-B395-49A8-2AA6-93ED7EDCD6A0}\ = "Qepila"	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CDC25F3B-89FD-FC7F-50BF-FD6CEC4F34D2}\1.0\HELPDIR	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CDC25F3B-89FD-FC7F-50BF-FD6CEC4F34D2}\1.0\HELPDIR\	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E4473737-B395-49A8-2AA6-93ED7EDCD6A0}\Version	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E4473737-B395-49A8-2AA6-93ED7EDCD6A0}\VersionIndependentProgID	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CDC25F3B-89FD-FC7F-50BF-FD6CEC4F34D2}\1.0\0	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CDC25F3B-89FD-FC7F-50BF-FD6CEC4F34D2}\1.0\0\win32\	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E4473737-B395-49A8-2AA6-93ED7EDCD6A0}\TypeLib	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E4473737-B395-49A8-2AA6-93ED7EDCD6A0}\ProgID	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E4473737-B395-49A8-2AA6-93ED7EDCD6A0}\ProgID\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CDC25F3B-89FD-FC7F-50BF-FD6CEC4F34D2}\1.0\0\win32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\GROOVE.EXE\\13"	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E4473737-B395-49A8-2AA6-93ED7EDCD6A0}	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CDC25F3B-89FD-FC7F-50BF-FD6CEC4F34D2}\1.0\ = "Groove URL Manager 1.0 Type Library"	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CDC25F3B-89FD-FC7F-50BF-FD6CEC4F34D2}\1.0\FLAGS\ = "0"	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E4473737-B395-49A8-2AA6-93ED7EDCD6A0}\Version\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E4473737-B395-49A8-2AA6-93ED7EDCD6A0}\Version\ = "1.0"	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E4473737-B395-49A8-2AA6-93ED7EDCD6A0}\InprocServer32	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E4473737-B395-49A8-2AA6-93ED7EDCD6A0}\InprocServer32\ = "C:\\Windows\\SysWOW64\\msscp.dll"	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CDC25F3B-89FD-FC7F-50BF-FD6CEC4F34D2}	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CDC25F3B-89FD-FC7F-50BF-FD6CEC4F34D2}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\"	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E4473737-B395-49A8-2AA6-93ED7EDCD6A0}\VersionIndependentProgID\	DPBJ.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2492	chrome.exe
2492	chrome.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: 33	1964	DPBJ.exe
Token: SeIncBasePriorityPrivilege	1964	DPBJ.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1964	DPBJ.exe
1964	DPBJ.exe
1964	DPBJ.exe
1964	DPBJ.exe
1964	DPBJ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 1964	1520	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe	30
PID 1520 wrote to memory of 1964	1520	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe	30
PID 1520 wrote to memory of 1964	1520	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe	30
PID 1520 wrote to memory of 1964	1520	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe	30
PID 2492 wrote to memory of 564	2492	chrome.exe	32
PID 2492 wrote to memory of 564	2492	chrome.exe	32
PID 2492 wrote to memory of 564	2492	chrome.exe	32
PID 2492 wrote to memory of 1868	2492	chrome.exe	34
PID 2492 wrote to memory of 1868	2492	chrome.exe	34
PID 2492 wrote to memory of 1868	2492	chrome.exe	34
PID 2492 wrote to memory of 1868	2492	chrome.exe	34
PID 2492 wrote to memory of 1868	2492	chrome.exe	34
PID 2492 wrote to memory of 1868	2492	chrome.exe	34
PID 2492 wrote to memory of 1868	2492	chrome.exe	34
PID 2492 wrote to memory of 1868	2492	chrome.exe	34
PID 2492 wrote to memory of 1868	2492	chrome.exe	34
PID 2492 wrote to memory of 1868	2492	chrome.exe	34
PID 2492 wrote to memory of 1868	2492	chrome.exe	34
PID 2492 wrote to memory of 1868	2492	chrome.exe	34
PID 2492 wrote to memory of 1868	2492	chrome.exe	34
PID 2492 wrote to memory of 1868	2492	chrome.exe	34
PID 2492 wrote to memory of 1868	2492	chrome.exe	34
PID 2492 wrote to memory of 1868	2492	chrome.exe	34
PID 2492 wrote to memory of 1868	2492	chrome.exe	34
PID 2492 wrote to memory of 1868	2492	chrome.exe	34
PID 2492 wrote to memory of 1868	2492	chrome.exe	34
PID 2492 wrote to memory of 1868	2492	chrome.exe	34
PID 2492 wrote to memory of 1868	2492	chrome.exe	34
PID 2492 wrote to memory of 1868	2492	chrome.exe	34
PID 2492 wrote to memory of 1868	2492	chrome.exe	34
PID 2492 wrote to memory of 1868	2492	chrome.exe	34
PID 2492 wrote to memory of 1868	2492	chrome.exe	34
PID 2492 wrote to memory of 1868	2492	chrome.exe	34
PID 2492 wrote to memory of 1868	2492	chrome.exe	34
PID 2492 wrote to memory of 1868	2492	chrome.exe	34
PID 2492 wrote to memory of 1868	2492	chrome.exe	34
PID 2492 wrote to memory of 1868	2492	chrome.exe	34
PID 2492 wrote to memory of 1868	2492	chrome.exe	34
PID 2492 wrote to memory of 1868	2492	chrome.exe	34
PID 2492 wrote to memory of 1868	2492	chrome.exe	34
PID 2492 wrote to memory of 1868	2492	chrome.exe	34
PID 2492 wrote to memory of 1868	2492	chrome.exe	34
PID 2492 wrote to memory of 1868	2492	chrome.exe	34
PID 2492 wrote to memory of 1868	2492	chrome.exe	34
PID 2492 wrote to memory of 1868	2492	chrome.exe	34
PID 2492 wrote to memory of 1868	2492	chrome.exe	34
PID 2492 wrote to memory of 2756	2492	chrome.exe	35
PID 2492 wrote to memory of 2756	2492	chrome.exe	35
PID 2492 wrote to memory of 2756	2492	chrome.exe	35
PID 2492 wrote to memory of 1532	2492	chrome.exe	36
PID 2492 wrote to memory of 1532	2492	chrome.exe	36
PID 2492 wrote to memory of 1532	2492	chrome.exe	36
PID 2492 wrote to memory of 1532	2492	chrome.exe	36
PID 2492 wrote to memory of 1532	2492	chrome.exe	36
PID 2492 wrote to memory of 1532	2492	chrome.exe	36
PID 2492 wrote to memory of 1532	2492	chrome.exe	36
PID 2492 wrote to memory of 1532	2492	chrome.exe	36
PID 2492 wrote to memory of 1532	2492	chrome.exe	36
PID 2492 wrote to memory of 1532	2492	chrome.exe	36
PID 2492 wrote to memory of 1532	2492	chrome.exe	36
PID 2492 wrote to memory of 1532	2492	chrome.exe	36
PID 2492 wrote to memory of 1532	2492	chrome.exe	36
PID 2492 wrote to memory of 1532	2492	chrome.exe	36
PID 2492 wrote to memory of 1532	2492	chrome.exe	36

C:\Users\Admin\AppData\Local\Temp\ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
"C:\Users\Admin\AppData\Local\Temp\ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Windows\SysWOW64\28463\DPBJ.exe
  "C:\Windows\system32\28463\DPBJ.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7af9758,0x7fef7af9768,0x7fef7af9778
  2⤵
  PID:564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1124 --field-trial-handle=1272,i,6118702350473109348,9771774213049540478,131072 /prefetch:2
  2⤵
  PID:1868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1280 --field-trial-handle=1272,i,6118702350473109348,9771774213049540478,131072 /prefetch:8
  2⤵
  PID:2756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1508 --field-trial-handle=1272,i,6118702350473109348,9771774213049540478,131072 /prefetch:8
  2⤵
  PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2044 --field-trial-handle=1272,i,6118702350473109348,9771774213049540478,131072 /prefetch:1
  2⤵
  PID:2372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2076 --field-trial-handle=1272,i,6118702350473109348,9771774213049540478,131072 /prefetch:1
  2⤵
  PID:1144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1120 --field-trial-handle=1272,i,6118702350473109348,9771774213049540478,131072 /prefetch:2
  2⤵
  PID:2652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1872 --field-trial-handle=1272,i,6118702350473109348,9771774213049540478,131072 /prefetch:1
  2⤵
  PID:2404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3600 --field-trial-handle=1272,i,6118702350473109348,9771774213049540478,131072 /prefetch:8
  2⤵
  PID:2160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3668 --field-trial-handle=1272,i,6118702350473109348,9771774213049540478,131072 /prefetch:1
  2⤵
  PID:2284

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000b

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
a70af90cd953d423defb60332b88fb30

SHA1
30f9368f36c8872e231db7a5e7551ebbd937d4d4

SHA256
67dd26a34ebfdf7c107556ce5892dd24835b592b3831b1dfe79f091bc1b1c152

SHA512
e16b48dd0a0f2fdefc3eac397bc3f270de04e8715a1a6f0b7b3ede56a8b7770eae7608abdc5ace3ff9a30bface6004ba271392cee7e0e3fda504c691df2cc194

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
fc96ff6edb3237dfa8f5a0fb61ff1ee5

SHA1
88fcc29e7d53f48e69b4e3f6578086ccebd5f73d

SHA256
156bcf31da2504e21ec68745f1db5be07270f80754d4586c3a1950fb89e4ff11

SHA512
4ecdb90ecab03885e72e4c7a44535cac85026f687e92e7ececdf17114be65d030c6e0243adde668baec43038137cced6ca38132f385f4a583b554c10ee068dd3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
9a19fdab4e2e4f6dcba8ca738aca03e0

SHA1
823d512c3661d113f873c3bbfa6adae32c369c66

SHA256
24caa554abc491abc25d867c93ac40788e6ca012f6b25e3d693a03194a74d97c

SHA512
8a82ea3bb777fdf8e2ee799412ff338c7251929395539177ae2882d10e14146488284bd282b7b8c0fcb440af80add951548ed6661d0d1564b18c80b1ea0247c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
33fd46b81cd1f73c322ce44ae682def5

SHA1
13e87b57d286977e1217580e58f690c04b224450

SHA256
32ae4139acac85b88f2571f9934bc894267708b3bb5b6e3912c2ba8bb25217ab

SHA512
d0fe65848ed29f76afca86e3a9c01a28201a3144fce41c210d8fc29683fb5431949fa6812a98788bf7f5bc2676b2308855c151a34774640a974f536dd8538dc4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0dfcb5038ddef9ef1ac42eaa8a6818b6

SHA1
881efc5faaa99a521b6fff07d23c49a7fde5b804

SHA256
fc9d3f5c62d5b4aa6e7976eb3717274999d1953b8f0e416aeb99a0f3fdcc8907

SHA512
1fd140062a9531572efa0eb6d46fe5378526f56ed4c9b9cae84e420567ffcb504ab3e97922d5f4bd35fe87170b9af493bbd50e714066b33fe865bd1ea6e719b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
457KB

MD5
97eee85d1aebf93d5d9400cb4e9c771b

SHA1
26fa2bf5fce2d86b891ac0741a6999bff31397de

SHA256
30df6c8cbd255011d80fa6e959179d47c458bc4c4d9e78c4cf571aa611cd7d24

SHA512
8cecc533c07c91c67b93a7ae46102a0aae7f4d3d88d04c250231f0bcd8e1f173daf06e94b5253a66db3f2a052c51e62154554368929294178d2b3597c1cca7e6

Download Submit
C:\Windows\SysWOW64\28463\DPBJ.001

Filesize
492B

MD5
7a0f1fa20fd40c047b07379da5290f2b

SHA1
e0fb8305de6b661a747d849edb77d95959186fca

SHA256
b0ad9e9d3d51e8434cc466bec16e2b94fc2d03bab03b48ccf57db86ae8e2c9b6

SHA512
bb5b3138b863811a8b9dcba079ac8a2828dae73943a1cc1d107d27faca509fda9f03409db7c23d5d70b48d299146de14b656314a24b854f3ae4fdb6ef6770346

Download Submit
C:\Windows\SysWOW64\28463\DPBJ.006

Filesize
8KB

MD5
35b24c473bdcdb4411e326c6c437e8ed

SHA1
ec1055365bc2a66e52de2d66d24d742863c1ce3d

SHA256
4530fcc91e4d0697a64f5e24d70e2b327f0acab1a9013102ff04236841c5a617

SHA512
32722f1484013bbc9c1b41b3fdaf5cd244ec67facaa2232be0e90455719d664d65cae1cd670adf5c40c67f568122d910b30e3e50f7cc06b0350a6a2d34d371de

Download Submit
C:\Windows\SysWOW64\28463\DPBJ.007

Filesize
5KB

MD5
a8e19de6669e831956049685225058a8

SHA1
6d2546d49d92b18591ad4fedbc92626686e7e979

SHA256
34856528d8b7e31caa83f350bc4dbc861120dc2da822a9eb896b773bc7e1f564

SHA512
5c407d4aa5731bd62c2a1756127f794382dc5e2b214298acfa68698c709fbbe3f2aa8dbdcbef02ed2a49f8f35969959946e9f727895bdca4500d16e84f4ef2e8

Download Submit
C:\Windows\SysWOW64\28463\DPBJ.009

Filesize
1.4MB

MD5
97c1500fa37190074501077f97191f6a

SHA1
eeb19f6a622dcf5caa0af981cd137e83e147b347

SHA256
c44c3eb16c72b75727e3588d8fdb00a69b3bc1f1b2c0516b899065eb01120702

SHA512
682d202e74e8adc533c2a8e3cef1b8fe5f9f7dcd67051de95c9a73099625d1ac4f93cc913cb5b2e1699dcf20ba58c0eab6d40228838f4cdc04e815d504a612ed

Download Submit
C:\Windows\SysWOW64\28463\DPBJ.exe

Filesize
646KB

MD5
b863a9ac3bcdcde2fd7408944d5bf976

SHA1
4bd106cd9aefdf2b51f91079760855e04f73f3b0

SHA256
0fe8e3cd44a89c15dec75ff2949bac1a96e1ea7e0040f74df3230569ac9e37b0

SHA512
4b30c3b119c1e7b2747d2745b2b79c61669a33b84520b88ab54257793e3ed6e76378dea2b8ff048cb1822187ffdc20e921d658bb5b0482c23cfa7d70f4e7aa1a

Download Submit
C:\Windows\SysWOW64\28463\Nov_25_2024__11_30_56.jpg

Filesize
105KB

MD5
81cce3a8a2ac93cfd3b81cf5ba98e9ee

SHA1
16e7be9bb0d938de5645be296e8ebde3f5a5ec36

SHA256
2954effecf0aef28738914f38a4cbe728e8950487f75e21e701e95eef1a4e9e9

SHA512
0fbc4f3eecd7d6d36f1c098d936cf764b80364d044f440c3c8a726a4d5f2df3d9eb8357898ea44818018cc558e49355e9845ccc0d2b58c0928c5855141525541

Download Submit
C:\Windows\SysWOW64\28463\Nov_25_2024__11_31_11.jpg

Filesize
51KB

MD5
67d87d7c96fdead17598f34311d76544

SHA1
25e85484ad31352435d406fb9604cad981b83335

SHA256
5f0d02e93551018fc184b83e5e3a4dfd9430744ca4867c9247fb22056d3ad092

SHA512
e23e23ffa13787293470139c79da90b6a09ffb7867889caa83b9d0b94d31c6e4a4f752c1337b1a0c6060d6b494bf3fd69a2f1f99f5e14874047a1934b6740f36

Download Submit
C:\Windows\SysWOW64\28463\Nov_25_2024__11_31_14.jpg

Filesize
60KB

MD5
e0dde6f06a6ffcb2f4c463f4b1c40b42

SHA1
957b29c2cf1bba48bd000b72b853afccfc419a93

SHA256
6b6dc445eddafedc383c0d0e635cd6e058320fedff5dd6356e019e62e783af6f

SHA512
9e1183ec0ca6db04d698e52bf2f0f70dddb444eb2dd1c9ac01daf3c8a1c82b61db56fdd977cf613e49f388f91ab899e54d594932b7a66fc7f362adffa63552a6

Download Submit
C:\Windows\SysWOW64\28463\Nov_25_2024__11_31_24.jpg

Filesize
52KB

MD5
920cea6629421875edb7e32bc6f732e6

SHA1
306b17276d0d87bda708b75408bf645d1efe70bf

SHA256
022d69a077b83418d98c163b00662dfb87e3a68a296e6b5a7f3d0fceeaa76896

SHA512
d68d6b4308ba15db22c2aab5ba91e0a25036dc0ed00899cd63b5665146e9965d88c562a1f87f19e9bee12fa86cf6eec6bb271f15b14dc7f36cd0e4953bfbde03

Download Submit
C:\Windows\SysWOW64\28463\Nov_25_2024__11_31_39.jpg

Filesize
56KB

MD5
38a75e65057e3056bd8cd1f84197c29a

SHA1
e63a9fda7e535c41743d9b1045cf6d381a7c8727

SHA256
93700a79779861f94aae6a7eee6c5aa338c3d15ac1468cf7480a61c236e99ae7

SHA512
9672d6bc5b850f98c4272a6a1cc357d0702b7a607874bf808364c11623fbdc94ca7fd38448262be6fdd28e748f649f2b82c57923e990626c97022df77470abaf

Download Submit
C:\Windows\SysWOW64\28463\Nov_25_2024__11_31_47.jpg

Filesize
155KB

MD5
c08ef56e810fcedd27b37f587525e234

SHA1
a95a42bc00b28089e35207d6eed6efc2ee1a23a4

SHA256
4aa3ec006fb55b6187b10421d5c588ef9ec09bdbf6d5f5196ba33940093f7323

SHA512
2b6bd684ec5981c22bf052b611f7cce97e6390fedb555a4ad6cef7a2ccb8486ee61c310437d82503755e5fe22e1645b0a31deedde0b221e9ae102b1480c0261d

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
106B

MD5
639d75ab6799987dff4f0cf79fa70c76

SHA1
be2678476d07f78bb81e8813c9ee2bfff7cc7efb

SHA256
fc42ab050ffdfed8c8c7aac6d7e4a7cad4696218433f7ca327bcfdf9f318ac98

SHA512
4b511d0330d7204af948ce7b15615d745e8d4ea0a73bbece4e00fb23ba2635dd99e4fa54a76236d6f74bdbcdba57d32fd4c36b608d52628e72d11d5ed6f8cde2

Download Submit
\Users\Admin\AppData\Local\Temp\@B4FD.tmp

Filesize
4KB

MD5
d73d89b1ea433724795b3d2b524f596c

SHA1
213514f48ece9f074266b122ee2d06e842871c8c

SHA256
8aef975a94c800d0e3e4929999d05861868a7129b766315c02a48a122e3455d6

SHA512
8b73be757ad3e0f2b29c0b130918e8f257375f9f3bf7b9609bac24b17369de2812341651547546af238936d70f38f050d6984afd16d47b467bcbba4992e42f41

Download Submit
memory/1964-25-0x0000000001F30000-0x0000000001F31000-memory.dmp

Filesize
4KB

Download
memory/1964-24-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/1964-35-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1964-36-0x00000000030D0000-0x00000000030D1000-memory.dmp

Filesize
4KB

Download
memory/1964-50-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1964-37-0x0000000001F10000-0x0000000001F11000-memory.dmp

Filesize
4KB

Download
memory/1964-53-0x0000000001C70000-0x0000000001CCA000-memory.dmp

Filesize
360KB

Download
memory/1964-55-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/1964-38-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/1964-20-0x0000000001F50000-0x0000000001F51000-memory.dmp

Filesize
4KB

Download
memory/1964-21-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/1964-22-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/1964-23-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/1964-220-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1964-231-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1964-34-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1964-263-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1964-26-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/1964-27-0x00000000030B0000-0x00000000030B3000-memory.dmp

Filesize
12KB

Download
memory/1964-28-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/1964-29-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/1964-30-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/1964-31-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/1964-32-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/1964-442-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1964-33-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/1964-18-0x0000000001C70000-0x0000000001CCA000-memory.dmp

Filesize
360KB

Download
memory/1964-17-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1964-665-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1964-791-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download