cheetahkeylogger | 094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a

Analysis

max time kernel
143s
max time network
154s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
28-12-2022 23:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a.exe
Size

333KB
MD5

ae7312cc7678c08eb133f384eb1a5a47
SHA1

2039eab4bf1c35d168472fc60cec42060ad2c36a
SHA256

094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a
SHA512

7ed8d6d56da079b1af2d0d76d39e8b6ffce3115664b13e869f117c99346e2bd95cc450ab0c47a8575a4642bb5c254db9f33a37991ba005ea034e34b89f593424
SSDEEP

3072:0AaUPmw8yjebV7Nr6JD6u8w/CpLmLyPs/H9I7D+hQI1WgnOgSguVvVvtsRQ2EqrP:ZaUPSy6VEJD6LpFPs/H2+F1l3+J2Ck6

Score

10^/10

cheetahkeylogger agilenet collection keylogger spyware stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.tshwanemuslimschool.co.za
Port:
587
Username:
[email protected]
Password:
Mia@1805

Signatures

Cheetah Keylogger
Cheetah is a keylogger and info stealer first seen in March 2020.
stealer keylogger cheetahkeylogger

Cheetah Keylogger payload 1 IoCs

resource	yara_rule
behavioral1/memory/556-76-0x0000000000430000-0x0000000000466000-memory.dmp	family_cheetahkeylogger

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
556	InstallUtil.exe
1748	kavremvr.exe
2956	{BB6572DB-D335-4E41-B645-A6091657C93E}.exe
2984	kavremover.exe

Loads dropped DLL 4 IoCs

pid	Process
1064	094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a.exe
1748	kavremvr.exe
2984	kavremover.exe
2984	kavremover.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/memory/1064-55-0x0000000000440000-0x0000000000454000-memory.dmp	agile_net

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
36	ifconfig.me

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\%tmp%\dbghelp.dll	kavremover.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1064 set thread context of 556	1064	094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1064	094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
1064	094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a.exe
1064	094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
2032	chrome.exe
888	taskmgr.exe
888	taskmgr.exe
1488	chrome.exe
1488	chrome.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
556	InstallUtil.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
888	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1064	094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a.exe
Token: SeDebugPrivilege	888	taskmgr.exe
Token: SeDebugPrivilege	556	InstallUtil.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
888	taskmgr.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
888	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2956	{BB6572DB-D335-4E41-B645-A6091657C93E}.exe
2956	{BB6572DB-D335-4E41-B645-A6091657C93E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 556	1064	094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a.exe	28
PID 1064 wrote to memory of 556	1064	094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a.exe	28
PID 1064 wrote to memory of 556	1064	094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a.exe	28
PID 1064 wrote to memory of 556	1064	094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a.exe	28
PID 1064 wrote to memory of 556	1064	094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a.exe	28
PID 1064 wrote to memory of 556	1064	094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a.exe	28
PID 1064 wrote to memory of 556	1064	094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a.exe	28
PID 1064 wrote to memory of 556	1064	094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a.exe	28
PID 1064 wrote to memory of 556	1064	094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a.exe	28
PID 1064 wrote to memory of 556	1064	094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a.exe	28
PID 1488 wrote to memory of 1672	1488	chrome.exe	30
PID 1488 wrote to memory of 1672	1488	chrome.exe	30
PID 1488 wrote to memory of 1672	1488	chrome.exe	30
PID 1488 wrote to memory of 1060	1488	chrome.exe	31
PID 1488 wrote to memory of 1060	1488	chrome.exe	31
PID 1488 wrote to memory of 1060	1488	chrome.exe	31
PID 1488 wrote to memory of 1060	1488	chrome.exe	31
PID 1488 wrote to memory of 1060	1488	chrome.exe	31
PID 1488 wrote to memory of 1060	1488	chrome.exe	31
PID 1488 wrote to memory of 1060	1488	chrome.exe	31
PID 1488 wrote to memory of 1060	1488	chrome.exe	31
PID 1488 wrote to memory of 1060	1488	chrome.exe	31
PID 1488 wrote to memory of 1060	1488	chrome.exe	31
PID 1488 wrote to memory of 1060	1488	chrome.exe	31
PID 1488 wrote to memory of 1060	1488	chrome.exe	31
PID 1488 wrote to memory of 1060	1488	chrome.exe	31
PID 1488 wrote to memory of 1060	1488	chrome.exe	31
PID 1488 wrote to memory of 1060	1488	chrome.exe	31
PID 1488 wrote to memory of 1060	1488	chrome.exe	31
PID 1488 wrote to memory of 1060	1488	chrome.exe	31
PID 1488 wrote to memory of 1060	1488	chrome.exe	31
PID 1488 wrote to memory of 1060	1488	chrome.exe	31
PID 1488 wrote to memory of 1060	1488	chrome.exe	31
PID 1488 wrote to memory of 1060	1488	chrome.exe	31
PID 1488 wrote to memory of 1060	1488	chrome.exe	31
PID 1488 wrote to memory of 1060	1488	chrome.exe	31
PID 1488 wrote to memory of 1060	1488	chrome.exe	31
PID 1488 wrote to memory of 1060	1488	chrome.exe	31
PID 1488 wrote to memory of 1060	1488	chrome.exe	31
PID 1488 wrote to memory of 1060	1488	chrome.exe	31
PID 1488 wrote to memory of 1060	1488	chrome.exe	31
PID 1488 wrote to memory of 1060	1488	chrome.exe	31
PID 1488 wrote to memory of 1060	1488	chrome.exe	31
PID 1488 wrote to memory of 1060	1488	chrome.exe	31
PID 1488 wrote to memory of 1060	1488	chrome.exe	31
PID 1488 wrote to memory of 1060	1488	chrome.exe	31
PID 1488 wrote to memory of 1060	1488	chrome.exe	31
PID 1488 wrote to memory of 1060	1488	chrome.exe	31
PID 1488 wrote to memory of 1060	1488	chrome.exe	31
PID 1488 wrote to memory of 1060	1488	chrome.exe	31
PID 1488 wrote to memory of 1060	1488	chrome.exe	31
PID 1488 wrote to memory of 1060	1488	chrome.exe	31
PID 1488 wrote to memory of 1060	1488	chrome.exe	31
PID 1488 wrote to memory of 1060	1488	chrome.exe	31
PID 1488 wrote to memory of 2032	1488	chrome.exe	32
PID 1488 wrote to memory of 2032	1488	chrome.exe	32
PID 1488 wrote to memory of 2032	1488	chrome.exe	32
PID 1488 wrote to memory of 1808	1488	chrome.exe	33
PID 1488 wrote to memory of 1808	1488	chrome.exe	33
PID 1488 wrote to memory of 1808	1488	chrome.exe	33
PID 1488 wrote to memory of 1808	1488	chrome.exe	33
PID 1488 wrote to memory of 1808	1488	chrome.exe	33
PID 1488 wrote to memory of 1808	1488	chrome.exe	33
PID 1488 wrote to memory of 1808	1488	chrome.exe	33

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a.exe
"C:\Users\Admin\AppData\Local\Temp\094da8932234ce56d6869ed089cc8fa6ca6b15d1c4abdf481ccc5cf72ad1f41a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:556

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fefb1b4f50,0x7fefb1b4f60,0x7fefb1b4f70
  2⤵
  PID:1672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1120 /prefetch:2
  2⤵
  PID:1060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1260 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1804 /prefetch:8
  2⤵
  PID:1808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2020 /prefetch:1
  2⤵
  PID:1048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2124 /prefetch:1
  2⤵
  PID:1588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
  2⤵
  PID:1540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3300 /prefetch:2
  2⤵
  PID:2072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:2116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3508 /prefetch:8
  2⤵
  PID:2188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3628 /prefetch:8
  2⤵
  PID:2228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3536 /prefetch:8
  2⤵
  PID:2236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3720 /prefetch:8
  2⤵
  PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1116 /prefetch:8
  2⤵
  PID:2488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4088 /prefetch:8
  2⤵
  PID:2520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4036 /prefetch:8
  2⤵
  PID:2512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4024 /prefetch:8
  2⤵
  PID:2504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4012 /prefetch:8
  2⤵
  PID:2496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1020 /prefetch:8
  2⤵
  PID:2480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3948 /prefetch:8
  2⤵
  PID:2612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4456 /prefetch:8
  2⤵
  PID:2604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3932 /prefetch:8
  2⤵
  PID:2596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4460 /prefetch:8
  2⤵
  PID:2588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4424 /prefetch:8
  2⤵
  PID:2848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4516 /prefetch:8
  2⤵
  PID:2856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1964 /prefetch:8
  2⤵
  PID:2928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3136 /prefetch:8
  2⤵
  PID:2936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4656 /prefetch:8
  2⤵
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3964 /prefetch:8
  2⤵
  PID:3016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4528 /prefetch:8
  2⤵
  PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4504 /prefetch:1
  2⤵
  PID:2084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1408 /prefetch:8
  2⤵
  PID:2236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2168 /prefetch:1
  2⤵
  PID:2320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:1036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:1
  2⤵
  PID:1828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:2492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4576 /prefetch:1
  2⤵
  PID:2500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5256 /prefetch:8
  2⤵
  PID:2644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5292 /prefetch:8
  2⤵
  PID:2704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 /prefetch:8
  2⤵
  PID:2816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  PID:2884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5360 /prefetch:8
  2⤵
  PID:2908
- C:\Users\Admin\Downloads\kavremvr.exe
  "C:\Users\Admin\Downloads\kavremvr.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1748
- - C:\Users\Admin\AppData\Local\Temp\{A406986B-5473-45AE-B5CB-1070CA962F8C}\{BB6572DB-D335-4E41-B645-A6091657C93E}.exe
    "C:\Users\Admin\AppData\Local\Temp\{A406986B-5473-45AE-B5CB-1070CA962F8C}\{BB6572DB-D335-4E41-B645-A6091657C93E}.exe" ?C:\Users\Admin\Downloads?
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3140 /prefetch:8
  2⤵
  PID:1160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1064,15119443218239412804,4599887632589261214,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3860 /prefetch:8
  2⤵
  PID:1912

C:\Users\Admin\AppData\Local\Temp\{A406986B-5473-45AE-B5CB-1070CA962F8C}\kavremover.exe
C:\Users\Admin\AppData\Local\Temp\{A406986B-5473-45AE-B5CB-1070CA962F8C}\kavremover.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

Filesize
40KB

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

Filesize
40KB

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A406986B-5473-45AE-B5CB-1070CA962F8C}\kavremover.exe

Filesize
9.5MB

MD5
2bc9f78e0273bc92ec3205d22b8f25f4

SHA1
0118a193d27aedb2ac2aa0afa7b91a4cde2a0f3f

SHA256
6d8ea3b0ac5899d9a92c788a481b909239a241a5206cc30afce7f68ac93d761c

SHA512
6c00d7aa37c870531bba57aff1c6b4e667bdc3f155be58af6c73439c87b8bf711c75ef6c85c5e45d45824ff44130eee50ec870a9dc31e6e3803ff90325df22a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A406986B-5473-45AE-B5CB-1070CA962F8C}\kavremover.exe

Filesize
9.5MB

MD5
2bc9f78e0273bc92ec3205d22b8f25f4

SHA1
0118a193d27aedb2ac2aa0afa7b91a4cde2a0f3f

SHA256
6d8ea3b0ac5899d9a92c788a481b909239a241a5206cc30afce7f68ac93d761c

SHA512
6c00d7aa37c870531bba57aff1c6b4e667bdc3f155be58af6c73439c87b8bf711c75ef6c85c5e45d45824ff44130eee50ec870a9dc31e6e3803ff90325df22a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A406986B-5473-45AE-B5CB-1070CA962F8C}\{BB6572DB-D335-4E41-B645-A6091657C93E}.exe

Filesize
13.1MB

MD5
dd766fe4a4a2c7f9a42df2ff4f351125

SHA1
757ce357ced79e84c11f10d3dafc6be1388ce65a

SHA256
3d0bcfb65adbca6980dc84b579c163a48c1c8faed31590224d3132b3559b1ef4

SHA512
c980bb2716e314bc84c924d8e637849d9fbc99f468905e519c6d2c26a9fffafceea801bbe0fb9e72691cb491c5e996b67ec81938c648978598ef8d0b731aa545

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A406986B-5473-45AE-B5CB-1070CA962F8C}\{BB6572DB-D335-4E41-B645-A6091657C93E}.exe

Filesize
13.1MB

MD5
dd766fe4a4a2c7f9a42df2ff4f351125

SHA1
757ce357ced79e84c11f10d3dafc6be1388ce65a

SHA256
3d0bcfb65adbca6980dc84b579c163a48c1c8faed31590224d3132b3559b1ef4

SHA512
c980bb2716e314bc84c924d8e637849d9fbc99f468905e519c6d2c26a9fffafceea801bbe0fb9e72691cb491c5e996b67ec81938c648978598ef8d0b731aa545

Download Submit
C:\Users\Admin\Downloads\kavremvr.exe

Filesize
13.5MB

MD5
ad6493be2aab2633a27399c9f671150e

SHA1
5b3f4644c68cc0169076c82c4c14ee5ce5c0b3d3

SHA256
a72044f5ca07bdae448d680f9b6b55efe0ff95aca5c29b172dadf810455274d1

SHA512
9e9164730434c6a52581ccafa00b2c0c0d44e336a739cedcecb9e9011553b748c110125893c2a586e1b2072a551cac2083a31a2cf4b14f11b2f4a31d65802045

Download Submit
C:\Users\Admin\Downloads\kavremvr.exe

Filesize
13.5MB

MD5
ad6493be2aab2633a27399c9f671150e

SHA1
5b3f4644c68cc0169076c82c4c14ee5ce5c0b3d3

SHA256
a72044f5ca07bdae448d680f9b6b55efe0ff95aca5c29b172dadf810455274d1

SHA512
9e9164730434c6a52581ccafa00b2c0c0d44e336a739cedcecb9e9011553b748c110125893c2a586e1b2072a551cac2083a31a2cf4b14f11b2f4a31d65802045

Download Submit
\Users\Admin\AppData\Local\Temp\InstallUtil.exe

Filesize
40KB

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
\Users\Admin\AppData\Local\Temp\{A406986B-5473-45AE-B5CB-1070CA962F8C}\jkbasuy1\inidata.dll

Filesize
3.2MB

MD5
96b55ef08b994117fca3f633f9dd27ec

SHA1
1b30f03ecc0640f86444b0ce5d37dbecc90ca031

SHA256
758008c3d1390e924107e6b79dda800f5d83fe1888d0c54e47570c078696bdfe

SHA512
536f89089c8801a80f32d4f692c7c017fd07e98670f1d2669017e0737678b5379dc423ca2d45958d4dfe5b86bc5422a0aeffeb90e9931bba8428ce5353a2d1e6

Download Submit
\Users\Admin\AppData\Local\Temp\{A406986B-5473-45AE-B5CB-1070CA962F8C}\jkbasuy1\inidata.dll

Filesize
3.2MB

MD5
96b55ef08b994117fca3f633f9dd27ec

SHA1
1b30f03ecc0640f86444b0ce5d37dbecc90ca031

SHA256
758008c3d1390e924107e6b79dda800f5d83fe1888d0c54e47570c078696bdfe

SHA512
536f89089c8801a80f32d4f692c7c017fd07e98670f1d2669017e0737678b5379dc423ca2d45958d4dfe5b86bc5422a0aeffeb90e9931bba8428ce5353a2d1e6

Download Submit
\Users\Admin\AppData\Local\Temp\{A406986B-5473-45AE-B5CB-1070CA962F8C}\{BB6572DB-D335-4E41-B645-A6091657C93E}.exe

Filesize
13.1MB

MD5
dd766fe4a4a2c7f9a42df2ff4f351125

SHA1
757ce357ced79e84c11f10d3dafc6be1388ce65a

SHA256
3d0bcfb65adbca6980dc84b579c163a48c1c8faed31590224d3132b3559b1ef4

SHA512
c980bb2716e314bc84c924d8e637849d9fbc99f468905e519c6d2c26a9fffafceea801bbe0fb9e72691cb491c5e996b67ec81938c648978598ef8d0b731aa545

Download Submit
memory/556-69-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/556-64-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/556-67-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/556-73-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/556-75-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/556-76-0x0000000000430000-0x0000000000466000-memory.dmp

Filesize
216KB

Download
memory/556-65-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/888-61-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/888-60-0x000007FEFBDB1000-0x000007FEFBDB3000-memory.dmp

Filesize
8KB

Download
memory/1064-54-0x0000000000EE0000-0x0000000000F3A000-memory.dmp

Filesize
360KB

Download
memory/1064-59-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

Filesize
8KB

Download
memory/1064-58-0x0000000000630000-0x0000000000638000-memory.dmp

Filesize
32KB

Download
memory/1064-57-0x0000000000620000-0x0000000000628000-memory.dmp

Filesize
32KB

Download
memory/1064-56-0x0000000000600000-0x0000000000608000-memory.dmp

Filesize
32KB

Download
memory/1064-55-0x0000000000440000-0x0000000000454000-memory.dmp

Filesize
80KB

Download