ardamax | d7d05456dc79039ba0a8292c84b150f2182edd06d671aeb6eddbe35f1308748c

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-01-2025 02:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_1d47116dfd00c5197ad0ebb23e61ee92.exe
Size

3.3MB
MD5

1d47116dfd00c5197ad0ebb23e61ee92
SHA1

d5299dcb21a0cbf5826e020da81def99d76a1373
SHA256

d7d05456dc79039ba0a8292c84b150f2182edd06d671aeb6eddbe35f1308748c
SHA512

59f5b04cc3accc8160e431ba0119ba2ed5cb7350aa861ea389407fbb2d3e3d14e5b1c375c43608c2b812a2e3887b06e5f051281630c7fdbb315eb8a87f1474f7
SSDEEP

24576:go/ADMPEzh/5bHYjbXrX4xxkzTf5uhaFHLWQoWilqVD2AwaIu9fMOs70vJZ4jbic:wa8alTl7DMZcACMtZWsKgNVFonN5KGo

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0005000000019506-47.dat	family_ardamax

Executes dropped EXE 5 IoCs

pid	Process
1912	file1.exe
1856	fire-heart-desktop-gadget.exe
3032	Install.exe
1244	system32GBAJ.exe
2568	rkverify.exe

Loads dropped DLL 24 IoCs

pid	Process
1912	file1.exe
1912	file1.exe
1912	file1.exe
1912	file1.exe
1912	file1.exe
1856	fire-heart-desktop-gadget.exe
1856	fire-heart-desktop-gadget.exe
3032	Install.exe
3032	Install.exe
3032	Install.exe
3032	Install.exe
1856	fire-heart-desktop-gadget.exe
1856	fire-heart-desktop-gadget.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
1856	fire-heart-desktop-gadget.exe
1856	fire-heart-desktop-gadget.exe
1856	fire-heart-desktop-gadget.exe
1856	fire-heart-desktop-gadget.exe
1856	fire-heart-desktop-gadget.exe
1856	fire-heart-desktop-gadget.exe
1856	fire-heart-desktop-gadget.exe
1856	fire-heart-desktop-gadget.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\system32GBAJ Agent = "C:\\Windows\\system32GBAJ.exe"	system32GBAJ.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Fire Heart Desktop Gadget\fireheart.exe	fire-heart-desktop-gadget.exe
File created	C:\Program Files (x86)\Fire Heart Desktop Gadget\sample.jpg	fire-heart-desktop-gadget.exe
File created	C:\Program Files (x86)\Fire Heart Desktop Gadget\Uninstall.exe	fire-heart-desktop-gadget.exe
File created	C:\Program Files (x86)\Fire Heart Desktop Gadget\Readme.txt	fire-heart-desktop-gadget.exe
File created	C:\Program Files (x86)\Fire Heart Desktop Gadget\License.txt	fire-heart-desktop-gadget.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32GBAJ.001	Install.exe
File created	C:\Windows\system32GBAJ.006	Install.exe
File created	C:\Windows\system32GBAJ.007	Install.exe
File created	C:\Windows\system32GBAJ.exe	Install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fire-heart-desktop-gadget.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system32GBAJ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rkverify.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral1/files/0x0009000000018bf3-17.dat	nsis_installer_1
behavioral1/files/0x0009000000018bf3-17.dat	nsis_installer_2
behavioral1/files/0x000500000001970b-229.dat	nsis_installer_1
behavioral1/files/0x000500000001970b-229.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1856	fire-heart-desktop-gadget.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1244	system32GBAJ.exe
Token: SeIncBasePriorityPrivilege	1244	system32GBAJ.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1244	system32GBAJ.exe
1244	system32GBAJ.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe
2568	rkverify.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 1912	2112	JaffaCakes118_1d47116dfd00c5197ad0ebb23e61ee92.exe	30
PID 2112 wrote to memory of 1912	2112	JaffaCakes118_1d47116dfd00c5197ad0ebb23e61ee92.exe	30
PID 2112 wrote to memory of 1912	2112	JaffaCakes118_1d47116dfd00c5197ad0ebb23e61ee92.exe	30
PID 2112 wrote to memory of 1912	2112	JaffaCakes118_1d47116dfd00c5197ad0ebb23e61ee92.exe	30
PID 2112 wrote to memory of 1912	2112	JaffaCakes118_1d47116dfd00c5197ad0ebb23e61ee92.exe	30
PID 2112 wrote to memory of 1912	2112	JaffaCakes118_1d47116dfd00c5197ad0ebb23e61ee92.exe	30
PID 2112 wrote to memory of 1912	2112	JaffaCakes118_1d47116dfd00c5197ad0ebb23e61ee92.exe	30
PID 1912 wrote to memory of 1856	1912	file1.exe	31
PID 1912 wrote to memory of 1856	1912	file1.exe	31
PID 1912 wrote to memory of 1856	1912	file1.exe	31
PID 1912 wrote to memory of 1856	1912	file1.exe	31
PID 1912 wrote to memory of 1856	1912	file1.exe	31
PID 1912 wrote to memory of 1856	1912	file1.exe	31
PID 1912 wrote to memory of 1856	1912	file1.exe	31
PID 1912 wrote to memory of 3032	1912	file1.exe	32
PID 1912 wrote to memory of 3032	1912	file1.exe	32
PID 1912 wrote to memory of 3032	1912	file1.exe	32
PID 1912 wrote to memory of 3032	1912	file1.exe	32
PID 1912 wrote to memory of 3032	1912	file1.exe	32
PID 1912 wrote to memory of 3032	1912	file1.exe	32
PID 1912 wrote to memory of 3032	1912	file1.exe	32
PID 3032 wrote to memory of 1244	3032	Install.exe	33
PID 3032 wrote to memory of 1244	3032	Install.exe	33
PID 3032 wrote to memory of 1244	3032	Install.exe	33
PID 3032 wrote to memory of 1244	3032	Install.exe	33
PID 3032 wrote to memory of 1244	3032	Install.exe	33
PID 3032 wrote to memory of 1244	3032	Install.exe	33
PID 3032 wrote to memory of 1244	3032	Install.exe	33
PID 1856 wrote to memory of 2568	1856	fire-heart-desktop-gadget.exe	34
PID 1856 wrote to memory of 2568	1856	fire-heart-desktop-gadget.exe	34
PID 1856 wrote to memory of 2568	1856	fire-heart-desktop-gadget.exe	34
PID 1856 wrote to memory of 2568	1856	fire-heart-desktop-gadget.exe	34
PID 1856 wrote to memory of 2568	1856	fire-heart-desktop-gadget.exe	34
PID 1856 wrote to memory of 2568	1856	fire-heart-desktop-gadget.exe	34
PID 1856 wrote to memory of 2568	1856	fire-heart-desktop-gadget.exe	34

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1d47116dfd00c5197ad0ebb23e61ee92.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1d47116dfd00c5197ad0ebb23e61ee92.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\file1.exe
  C:\Users\Admin\AppData\Local\Temp\\file1.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Users\Admin\AppData\Local\Temp\fire-heart-desktop-gadget.exe
    "C:\Users\Admin\AppData\Local\Temp\fire-heart-desktop-gadget.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID:1856
  - - C:\Users\Admin\AppData\Local\Temp\rkverify.exe
      C:\Users\Admin\AppData\Local\Temp\rkverify.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2568
- - C:\Users\Admin\AppData\Local\Temp\Install.exe
    "C:\Users\Admin\AppData\Local\Temp\Install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Windows\system32GBAJ.exe
      "C:\Windows\system32GBAJ.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Fire Heart Desktop Gadget\Uninstall.exe

Filesize
75KB

MD5
6d49e21c02a76cc086006b58c396a8a9

SHA1
3032feca39f611111544f2a161ccdb532b2646e9

SHA256
bbae662541399463318d83aa4b84874b9d45124ddc9ca7a7476ef31ec6f0c663

SHA512
f96fdf63a1cf3e6a10d86167026f475fafa06c50067ddcd29ae4ae0015b8fe7b67d80e3ce21b798dfe1ec66d399c36789c73d1cc0288aa84dd20331513638ad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\file1.exe

Filesize
1.6MB

MD5
177a0ab800321eeb56da08e744f563de

SHA1
4386f9d3ecc0b9d5b373aef7267770faac68dc01

SHA256
472bd8764586dd344b5598e1d4e2de170b118b16becc20c6efe532e5c6b78b04

SHA512
9964f6bcab4d6543c278e161f8f40d9e841179f9dadc09517cdc6621a6bfee8eb061c669e4c4333e09f25566ae6a480107546fddfcc63830025455245efa1294

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdBD29.tmp\_license_page.ini

Filesize
2KB

MD5
7c2bc369290efcef3d0364b553ee5ee3

SHA1
25a0bf0936c0e04cd9fd8d5bffce1d86de6e5c84

SHA256
67362ca84b70e3c38273ef408ac81006ebbd7ca72aaad397be10249a64ac2890

SHA512
ac2b38b12f3191667e8decd16b5fd4b10ed1140d2841f77e2dca30dfdce593a93b56579211ec81ed5c34de8c5adf0febfbc12e3e928fbf09cf6f739568be8d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdBD29.tmp\_survey_page.ini

Filesize
2KB

MD5
5900f282d6dbd1b233db2eeaa8be3bab

SHA1
b1f0416ad3dc8698606c5d121a9ac5378f552b5d

SHA256
8c6579bfc83e6c7eec8f7442af43a74d556e284450ec155519b30967418803f8

SHA512
06f86213c172e1f0cd8b674e1d1490c9dbda0523e62276e1110edfe72a6aa6545c2aeaa3e8124f3b8709d25e97171670aaa4980ea791fe3d07071bd923b8a9b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdBD29.tmp\_survey_page.ini

Filesize
2KB

MD5
b3b5e6e2e0da6e207a968225f6fab26c

SHA1
bf3931fcb1c1e4d452e58bd6988bab2b89020e48

SHA256
8e32d12316ea152a94c34d361acd21f2e669713694adc56a47840c656a2eabb1

SHA512
fc490757b3315a377926302f07233b45ee8b9db575c3db9772d3feb578db7907c1d431503b74db40e0007330f4e78f1926c83857428a3822d2802c53bb1caf35

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdBD29.tmp\ioSpecial.ini

Filesize
757B

MD5
215680eab6548f0f47087af269dd15cf

SHA1
6d31b875830fa1752204a845a9543031ec92f3cf

SHA256
488d269bc64ddbd23a0568203f01991ca039313b76ef53224cfd5cc236638e2c

SHA512
192af5b3113e89b3ef496c779a429392be2efecea58dc18371e37163126ad2e49e6283dfcc00b731e0497a780c8c040baf9822e8c2035954ac94a31b16b85fc3

Download Submit
C:\Windows\system32GBAJ.001

Filesize
414B

MD5
af2660c5c922592e1daf0d9ee443419c

SHA1
5deba5ed722e39229fb7f1f8571b34459ce74e4a

SHA256
cf3b005c11ca7b75474205ce6f6fe5fe4708a93dd237adb96a4aa7a6d451e8a5

SHA512
113df418d7b42b8b726c31c14b4181885738558b84622a8fd215b7ddfdb3d66c181cf654f2219aa219cd6ada5b4dd18882b4c0e4134e4aa78b3c4a906febbcc5

Download Submit
C:\Windows\system32GBAJ.006

Filesize
7KB

MD5
32dd7b4bc8b6f290b0ece3cc1c011c96

SHA1
b979683868b399c6a6204ebaed9fc9c784a0429a

SHA256
6dcce9bbba5c2de47eea3abf7597a9c4fb2e4d358efc3752fa65c169cccfa2a1

SHA512
9e0d720799fe816f7d09c8a722b762203b6f12a8625c1c93cd640219ecc35969bd641b4d9e6dc04ab6f95ceb73235a438eb7d48ee9402118db3618b5760551ea

Download Submit
C:\Windows\system32GBAJ.007

Filesize
5KB

MD5
e8155b68775ed29590e14df80fdc0e9f

SHA1
ed449da02e648a524004c265f3c37496d2f07f1f

SHA256
b39ba894b0a9a3201461ddd9ee9b297928e793dff221a47f019e75c11df631f3

SHA512
b14e00c46cf9bed0aca0f85775f624ff064f2d2afe1fa68b61bee5729db73cf9a8eced669c52d7cbb9504ff1b369a9a16a0f36c71a70c13c0bd1eaf5e07ccc11

Download Submit
C:\Windows\system32GBAJ.exe

Filesize
471KB

MD5
3c06bbc025b61d2182ef5573f2852bda

SHA1
ebc1464c00b13fb5b3f80a59c80b595020e1fe7c

SHA256
e7f64e7215284cdeb8ef1eba28733f7aeae7f6977f82809d8de1e76a2e249085

SHA512
9d839ada211b85fc1efb1fe7bb3ce66fcf0e8069221d958234649c2ac5dc0f1bd06f1a016f9c727077af36fb46cac5409be9c8a8201d17f689c6b473aa01acdc

Download Submit
\Program Files (x86)\Fire Heart Desktop Gadget\fireheart.exe

Filesize
1.9MB

MD5
a661c16d5a8ea0ec4dd12870eaad4aa6

SHA1
e6311368d398e67baf59650c8097e3cfc2c8039a

SHA256
8ac9a3287d73ba17c101438e728f22c61bd9f97fce5190e94a50ab48fb1bd71a

SHA512
95a133839ea494926690031dcebd6ca834a51ab77018283565411485f3c920ee6fc678c50018b974856e90c40c8984d3040990757d21e1886232f35d3ee8cd2c

Download Submit
\Users\Admin\AppData\Local\Temp\@BCE9.tmp

Filesize
4KB

MD5
d9e02f226fc338d14df200ba9a700625

SHA1
414f134a16a309b31e418ed9e08c0c48aaf6e2bc

SHA256
8165757efb79acceb9fd0bfae6b2c19b8f087cc0461abb17941d460dbdf2e260

SHA512
13c73381602fe2593312d41ab4bc5cd5f922ac651f9e71e3fe3c58e7f0c5c73ecc9d79d61ec46f33a0a81cf73373421eeb510bd99650c0f53af30974ed61b8ca

Download Submit
\Users\Admin\AppData\Local\Temp\CSMBDB4.tmp

Filesize
160KB

MD5
5ac09190daf249c3e93c3ac961067024

SHA1
bad9c0d552d54310f669d66b549dcada90583812

SHA256
f4934185f75518a13ef5425959f47516cc8467f513e838a82e749ffb782d7e23

SHA512
2a87686c038e8a34f8e04a844726de564a08baeedc87632219b86f455d5222efe2ed7557fad9658627e304d916a75cfcb3c9dede4e72057a070f64370aa52f39

Download Submit
\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
270KB

MD5
60b27ce2169a9181b34058d6b9cf179a

SHA1
fa43b07ac006d4cd615c4028800aa127468b4368

SHA256
d55d37a7753a6413cc072d1fc2e611c3ce1f3e4704a7fc0f3ad0be12fe22c910

SHA512
4175d291c5cb8b81448f8d61fd36b7b2038c7c7a789b9bfc2afcbaf02e8d7295f969247932593f7ebab3c84a2d210785073bb09fa50ada0480786eeb07258a0a

Download Submit
\Users\Admin\AppData\Local\Temp\fire-heart-desktop-gadget.exe

Filesize
1.3MB

MD5
bdf1df1389bb86a6dbef630f9b9dbe86

SHA1
a3fc52c62a46f9305f5cc6b0934a307fe4e12ec2

SHA256
d4df2a9a0dbc78d75e0a934f8791111d80cbf3db3e2d0662f259432a76e6b902

SHA512
845c78871b653b83a11a4876840d40307dadbf1d15b8009265e11c726e38344777a6fc75faa913e64f22565e43398fdf162d5e88b4c0388a82b9ead23d66d6f3

Download Submit
\Users\Admin\AppData\Local\Temp\nsdBD29.tmp\InstallOptions.dll

Filesize
14KB

MD5
14c212bb2fa90fe52a6424b955c86ad6

SHA1
9e94f8ad17ff9b6b31e5f029ee5f726e307ac8ee

SHA256
1854afccace3053dca2707b10609ea78a30f0ee853bdb9f251c076317ee53120

SHA512
d42fa579f93b98d1446daf3d0734c19838fa310ef27cd05344e25d9f86ba37a5fa1752236e5de4df7c9f414236538bd7431bffda126fb9c74fd112539de0e713

Download Submit
\Users\Admin\AppData\Local\Temp\nsdBD29.tmp\System.dll

Filesize
10KB

MD5
4c0c6163b636f627e0d505deda672c90

SHA1
2eae4e6f00673a03ae2434f1b22dc9218e4761a8

SHA256
bea71368433f91e32c597db990089ecb7599879f76a64f7f3446489578b2d5fb

SHA512
e817ad35f0e89ecce9d73add641d9eab95de6c6c30153e594673c8e0243e738a31dfb872cc76a8d51bc513775fc1dabc9adb65019298048539d6c3aa7d33e2ef

Download Submit
\Users\Admin\AppData\Local\Temp\rkverify.exe

Filesize
268KB

MD5
020ce95075f8c93e6cc957953d7f4589

SHA1
e192a200e36974b8e0637230a8cb5905090f7555

SHA256
df9d068202c060a898cd441d5c170686cd9c2774a37cfda3ea10abc428e20ad3

SHA512
fb74170ed9b5ee078a176540c198513ed3a8c2e587fbcbf6d2384f840f0b6a2637fd20b6a01b2caf6e92e5f592d517b4733d34fdb349fd770eb04e1eac769170

Download Submit
memory/1244-209-0x0000000000380000-0x0000000000386000-memory.dmp

Filesize
24KB

Download
memory/1244-208-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/1856-150-0x0000000001D30000-0x0000000001D58000-memory.dmp

Filesize
160KB

Download
memory/1856-207-0x0000000001D60000-0x0000000001D66000-memory.dmp

Filesize
24KB

Download
memory/2112-0-0x000007FEF582E000-0x000007FEF582F000-memory.dmp

Filesize
4KB

Download
memory/2112-50-0x000007FEF5570000-0x000007FEF5F0D000-memory.dmp

Filesize
9.6MB

Download
memory/2112-3-0x000007FEF5570000-0x000007FEF5F0D000-memory.dmp

Filesize
9.6MB

Download
memory/2112-2-0x000007FEF5570000-0x000007FEF5F0D000-memory.dmp

Filesize
9.6MB

Download
memory/2112-1-0x000007FEF5570000-0x000007FEF5F0D000-memory.dmp

Filesize
9.6MB

Download