privateloader | ab479d019576efd4dd391e0bf3fc1bedb10367e1ece7157d609a283873a43645

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2022 13:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AB479D019576EFD4DD391E0BF3FC1BEDB10367E1ECE71.exe
Size

2.6MB
MD5

b81a72714c586f9b634b059b73da8a3a
SHA1

2aad87da256f1b26c40e1243f4ec7ea15c2f4690
SHA256

ab479d019576efd4dd391e0bf3fc1bedb10367e1ece7157d609a283873a43645
SHA512

07f076ccf6b4174a4c9848795dcd86b59d4f2a6b7ab2827d25ac8b2808dad47c2ca20bf6d712c1b8c6fa17427fbf0648c5e24f13fc066d22c8e3f5752125c56c

Score

10^/10

privateloader vidar 933 aspackv2 loader stealer

Malware Config

Extracted

Family

vidar

Version

39.7

Botnet

933

https://shpak125.tumblr.com/

Attributes

profile_id
933

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rUNdlL32.eXe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1244 3136 rUNdlL32.eXe
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	3136	rUNdlL32.eXe

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/2020-217-0x0000000004730000-0x00000000047CD000-memory.dmp	family_vidar
behavioral2/memory/2020-218-0x0000000000400000-0x0000000002BD7000-memory.dmp	family_vidar

ASPack v2.12-2.42 9 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS0B3B0CB6\setup_install.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0B3B0CB6\setup_install.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0B3B0CB6\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0B3B0CB6\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0B3B0CB6\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0B3B0CB6\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0B3B0CB6\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0B3B0CB6\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0B3B0CB6\libcurl.dll	aspack_v212_v242

Executes dropped EXE 10 IoCs

Processes:

setup_installer.exesetup_install.exesahiba_1.exesahiba_4.exesahiba_3.exesahiba_2.exesahiba_5.exesahiba_6.exesahiba_7.exesahiba_1.exe

pid	process
944	setup_installer.exe
3348	setup_install.exe
3288	sahiba_1.exe
1836	sahiba_4.exe
2020	sahiba_3.exe
4212	sahiba_2.exe
396	sahiba_5.exe
1888	sahiba_6.exe
2060	sahiba_7.exe
4544	sahiba_1.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

sahiba_1.exeAB479D019576EFD4DD391E0BF3FC1BEDB10367E1ECE71.exesetup_installer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	sahiba_1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	AB479D019576EFD4DD391E0BF3FC1BEDB10367E1ECE71.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	setup_installer.exe

Loads dropped DLL 9 IoCs

Processes:

setup_install.exesahiba_2.exerundll32.exe

pid	process
3348	setup_install.exe
3348	setup_install.exe
3348	setup_install.exe
3348	setup_install.exe
3348	setup_install.exe
3348	setup_install.exe
3348	setup_install.exe
4212	sahiba_2.exe
2380	rundll32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ipinfo.io
4 ipinfo.io

flow	ioc
2	ipinfo.io
4	ipinfo.io

Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{898D2EF9-745D-425C-9276-FD9B5EB0D951}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{71151BD8-70BB-4DFB-83EC-0227CC31C118}.catalogItem	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4536 3348 WerFault.exe setup_install.exe
204 2380 WerFault.exe rundll32.exe

pid	pid_target	process	target process
4536	3348	WerFault.exe	setup_install.exe
204	2380	WerFault.exe	rundll32.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

dwm.exesahiba_2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sahiba_2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sahiba_2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sahiba_2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	dwm.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dwm.exedwm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe

Modifies data under HKEY_USERS 36 IoCs

Processes:

dwm.exedwm.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

sahiba_2.exe

pid	process
4212	sahiba_2.exe
4212	sahiba_2.exe
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

sahiba_2.exe

pid process

4212 sahiba_2.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

Processes:

sahiba_4.exesahiba_5.exedwm.exedwm.exe

description	pid	process
Token: SeDebugPrivilege	1836	sahiba_4.exe
Token: SeDebugPrivilege	396	sahiba_5.exe
Token: SeShutdownPrivilege	768
Token: SeCreatePagefilePrivilege	768
Token: SeCreateGlobalPrivilege	1192	dwm.exe
Token: SeChangeNotifyPrivilege	1192	dwm.exe
Token: 33	1192	dwm.exe
Token: SeIncBasePriorityPrivilege	1192	dwm.exe
Token: SeShutdownPrivilege	768
Token: SeCreatePagefilePrivilege	768
Token: SeShutdownPrivilege	768
Token: SeCreatePagefilePrivilege	768
Token: SeShutdownPrivilege	768
Token: SeCreatePagefilePrivilege	768
Token: SeShutdownPrivilege	768
Token: SeCreatePagefilePrivilege	768
Token: SeCreateGlobalPrivilege	1016	dwm.exe
Token: SeChangeNotifyPrivilege	1016	dwm.exe
Token: 33	1016	dwm.exe
Token: SeIncBasePriorityPrivilege	1016	dwm.exe
Token: SeShutdownPrivilege	768
Token: SeCreatePagefilePrivilege	768
Token: SeShutdownPrivilege	768
Token: SeCreatePagefilePrivilege	768
Token: SeShutdownPrivilege	768
Token: SeCreatePagefilePrivilege	768
Token: SeShutdownPrivilege	768
Token: SeCreatePagefilePrivilege	768
Token: SeShutdownPrivilege	768
Token: SeCreatePagefilePrivilege	768
Token: SeShutdownPrivilege	768
Token: SeCreatePagefilePrivilege	768
Token: SeShutdownPrivilege	768
Token: SeCreatePagefilePrivilege	768

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

pid	process
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768

Suspicious use of SendNotifyMessage 21 IoCs

Processes:

pid process

768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

AB479D019576EFD4DD391E0BF3FC1BEDB10367E1ECE71.exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exesahiba_1.exerUNdlL32.eXe

description	pid	process	target process
PID 3108 wrote to memory of 944	3108	AB479D019576EFD4DD391E0BF3FC1BEDB10367E1ECE71.exe	setup_installer.exe
PID 3108 wrote to memory of 944	3108	AB479D019576EFD4DD391E0BF3FC1BEDB10367E1ECE71.exe	setup_installer.exe
PID 3108 wrote to memory of 944	3108	AB479D019576EFD4DD391E0BF3FC1BEDB10367E1ECE71.exe	setup_installer.exe
PID 944 wrote to memory of 3348	944	setup_installer.exe	setup_install.exe
PID 944 wrote to memory of 3348	944	setup_installer.exe	setup_install.exe
PID 944 wrote to memory of 3348	944	setup_installer.exe	setup_install.exe
PID 3348 wrote to memory of 3156	3348	setup_install.exe	cmd.exe
PID 3348 wrote to memory of 3156	3348	setup_install.exe	cmd.exe
PID 3348 wrote to memory of 3156	3348	setup_install.exe	cmd.exe
PID 3348 wrote to memory of 5000	3348	setup_install.exe	cmd.exe
PID 3348 wrote to memory of 5000	3348	setup_install.exe	cmd.exe
PID 3348 wrote to memory of 5000	3348	setup_install.exe	cmd.exe
PID 3348 wrote to memory of 4984	3348	setup_install.exe	cmd.exe
PID 3348 wrote to memory of 4984	3348	setup_install.exe	cmd.exe
PID 3348 wrote to memory of 4984	3348	setup_install.exe	cmd.exe
PID 3348 wrote to memory of 816	3348	setup_install.exe	cmd.exe
PID 3348 wrote to memory of 816	3348	setup_install.exe	cmd.exe
PID 3348 wrote to memory of 816	3348	setup_install.exe	cmd.exe
PID 3348 wrote to memory of 3516	3348	setup_install.exe	cmd.exe
PID 3348 wrote to memory of 3516	3348	setup_install.exe	cmd.exe
PID 3348 wrote to memory of 3516	3348	setup_install.exe	cmd.exe
PID 3348 wrote to memory of 3676	3348	setup_install.exe	cmd.exe
PID 3348 wrote to memory of 3676	3348	setup_install.exe	cmd.exe
PID 3348 wrote to memory of 3676	3348	setup_install.exe	cmd.exe
PID 3348 wrote to memory of 904	3348	setup_install.exe	cmd.exe
PID 3348 wrote to memory of 904	3348	setup_install.exe	cmd.exe
PID 3348 wrote to memory of 904	3348	setup_install.exe	cmd.exe
PID 3156 wrote to memory of 3288	3156	cmd.exe	sahiba_1.exe
PID 3156 wrote to memory of 3288	3156	cmd.exe	sahiba_1.exe
PID 3156 wrote to memory of 3288	3156	cmd.exe	sahiba_1.exe
PID 816 wrote to memory of 1836	816	cmd.exe	sahiba_4.exe
PID 816 wrote to memory of 1836	816	cmd.exe	sahiba_4.exe
PID 4984 wrote to memory of 2020	4984	cmd.exe	sahiba_3.exe
PID 4984 wrote to memory of 2020	4984	cmd.exe	sahiba_3.exe
PID 4984 wrote to memory of 2020	4984	cmd.exe	sahiba_3.exe
PID 5000 wrote to memory of 4212	5000	cmd.exe	sahiba_2.exe
PID 5000 wrote to memory of 4212	5000	cmd.exe	sahiba_2.exe
PID 5000 wrote to memory of 4212	5000	cmd.exe	sahiba_2.exe
PID 3516 wrote to memory of 396	3516	cmd.exe	sahiba_5.exe
PID 3516 wrote to memory of 396	3516	cmd.exe	sahiba_5.exe
PID 3676 wrote to memory of 1888	3676	cmd.exe	sahiba_6.exe
PID 3676 wrote to memory of 1888	3676	cmd.exe	sahiba_6.exe
PID 3676 wrote to memory of 1888	3676	cmd.exe	sahiba_6.exe
PID 904 wrote to memory of 2060	904	cmd.exe	sahiba_7.exe
PID 904 wrote to memory of 2060	904	cmd.exe	sahiba_7.exe
PID 3288 wrote to memory of 4544	3288	sahiba_1.exe	sahiba_1.exe
PID 3288 wrote to memory of 4544	3288	sahiba_1.exe	sahiba_1.exe
PID 3288 wrote to memory of 4544	3288	sahiba_1.exe	sahiba_1.exe
PID 1244 wrote to memory of 2380	1244	rUNdlL32.eXe	rundll32.exe
PID 1244 wrote to memory of 2380	1244	rUNdlL32.eXe	rundll32.exe
PID 1244 wrote to memory of 2380	1244	rUNdlL32.eXe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\AB479D019576EFD4DD391E0BF3FC1BEDB10367E1ECE71.exe
"C:\Users\Admin\AppData\Local\Temp\AB479D019576EFD4DD391E0BF3FC1BEDB10367E1ECE71.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3108

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:944

C:\Users\Admin\AppData\Local\Temp\7zS0B3B0CB6\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0B3B0CB6\setup_install.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_1.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3156

C:\Users\Admin\AppData\Local\Temp\7zS0B3B0CB6\sahiba_1.exe
sahiba_1.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3288

C:\Users\Admin\AppData\Local\Temp\7zS0B3B0CB6\sahiba_1.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0B3B0CB6\sahiba_1.exe" -a
6⤵
- Executes dropped EXE
PID:4544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_2.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:5000

C:\Users\Admin\AppData\Local\Temp\7zS0B3B0CB6\sahiba_2.exe
sahiba_2.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_3.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4984

C:\Users\Admin\AppData\Local\Temp\7zS0B3B0CB6\sahiba_3.exe
sahiba_3.exe
5⤵
- Executes dropped EXE
PID:2020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_4.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:816

C:\Users\Admin\AppData\Local\Temp\7zS0B3B0CB6\sahiba_4.exe
sahiba_4.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_5.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3516

C:\Users\Admin\AppData\Local\Temp\7zS0B3B0CB6\sahiba_5.exe
sahiba_5.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_6.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3676

C:\Users\Admin\AppData\Local\Temp\7zS0B3B0CB6\sahiba_6.exe
sahiba_6.exe
5⤵
- Executes dropped EXE
PID:1888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_7.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:904

C:\Users\Admin\AppData\Local\Temp\7zS0B3B0CB6\sahiba_7.exe
sahiba_7.exe
5⤵
- Executes dropped EXE
PID:2060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3348 -s 560
4⤵
- Program crash
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3348 -ip 3348
1⤵
PID:2796

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1244

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
- Loads dropped DLL
PID:2380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 600
3⤵
- Program crash
PID:204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2380 -ip 2380
1⤵
PID:1704

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:3688

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1156

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS0B3B0CB6\libcurl.dll
Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B3B0CB6\libcurl.dll
Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B3B0CB6\libcurl.dll
Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B3B0CB6\libcurlpp.dll
Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B3B0CB6\libcurlpp.dll
Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B3B0CB6\libgcc_s_dw2-1.dll
Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B3B0CB6\libgcc_s_dw2-1.dll
Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B3B0CB6\libgcc_s_dw2-1.dll
Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B3B0CB6\libstdc++-6.dll
Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B3B0CB6\libstdc++-6.dll
Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B3B0CB6\libwinpthread-1.dll
Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B3B0CB6\libwinpthread-1.dll
Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B3B0CB6\sahiba_1.exe
Filesize
712KB

MD5
6e43430011784cff369ea5a5ae4b000f

SHA1
5999859a9ddfcc66e41ff301b0eeb92ef0ce5b9f

SHA256
a5ab29e6fc308d1fe9fd056e960d7ccd474e2d22fb6a799d07086ec715a89d9a

SHA512
33ef732056182b9ab073d2eacfd71d3f1cb969ee038a19336fb5e0263a4e870742082c756a57010a26e7eab747a2332523d638f2570b8070b933bf957d2dea96

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B3B0CB6\sahiba_1.exe
Filesize
712KB

MD5
6e43430011784cff369ea5a5ae4b000f

SHA1
5999859a9ddfcc66e41ff301b0eeb92ef0ce5b9f

SHA256
a5ab29e6fc308d1fe9fd056e960d7ccd474e2d22fb6a799d07086ec715a89d9a

SHA512
33ef732056182b9ab073d2eacfd71d3f1cb969ee038a19336fb5e0263a4e870742082c756a57010a26e7eab747a2332523d638f2570b8070b933bf957d2dea96

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B3B0CB6\sahiba_1.txt
Filesize
712KB

MD5
6e43430011784cff369ea5a5ae4b000f

SHA1
5999859a9ddfcc66e41ff301b0eeb92ef0ce5b9f

SHA256
a5ab29e6fc308d1fe9fd056e960d7ccd474e2d22fb6a799d07086ec715a89d9a

SHA512
33ef732056182b9ab073d2eacfd71d3f1cb969ee038a19336fb5e0263a4e870742082c756a57010a26e7eab747a2332523d638f2570b8070b933bf957d2dea96

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B3B0CB6\sahiba_2.exe
Filesize
222KB

MD5
bab311e39c6dc75106c93e7d9571d7f1

SHA1
d6fb876a06eb79281c21df7894fd957747c7c83b

SHA256
e27c4b45b60d39cc2c66ca3e5fe2c095e8fc6bc6fcdeac26758f3cbb5f604821

SHA512
f8076fc400d0c9f91e63041c3e7aaad0b19c29643f6201acae8998fcca2579df6e494f5212273eea16c13685cf774e69dda06fad78fd5210563df6a0d6b18ba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B3B0CB6\sahiba_2.txt
Filesize
222KB

MD5
bab311e39c6dc75106c93e7d9571d7f1

SHA1
d6fb876a06eb79281c21df7894fd957747c7c83b

SHA256
e27c4b45b60d39cc2c66ca3e5fe2c095e8fc6bc6fcdeac26758f3cbb5f604821

SHA512
f8076fc400d0c9f91e63041c3e7aaad0b19c29643f6201acae8998fcca2579df6e494f5212273eea16c13685cf774e69dda06fad78fd5210563df6a0d6b18ba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B3B0CB6\sahiba_3.exe
Filesize
588KB

MD5
6535e592ad1f85965569a8a19a45d842

SHA1
45fec86cc8bf1b64425d8ad4c1d12f16e8306bfd

SHA256
17353e7514997fb0dd0e5f93aa34950ba17c26f650b38cbaf0c83cc093de941a

SHA512
76d83e203c9b3ae865ce5125de98c85c27472b3c96baa8c84a9c573bcc8d4254ee1d4aaab175b6c11b5c869f7b97496b2ac8cbe244310bec6d304b78e354567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B3B0CB6\sahiba_3.txt
Filesize
588KB

MD5
6535e592ad1f85965569a8a19a45d842

SHA1
45fec86cc8bf1b64425d8ad4c1d12f16e8306bfd

SHA256
17353e7514997fb0dd0e5f93aa34950ba17c26f650b38cbaf0c83cc093de941a

SHA512
76d83e203c9b3ae865ce5125de98c85c27472b3c96baa8c84a9c573bcc8d4254ee1d4aaab175b6c11b5c869f7b97496b2ac8cbe244310bec6d304b78e354567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B3B0CB6\sahiba_4.exe
Filesize
8KB

MD5
aa76e329fd4fc560c0f8f6b2f224d3da

SHA1
bbbd3c4843bed7d90d7d3c5ce62c6e47639f8a14

SHA256
dd5ac4469562c4d32e10983c14285e3c33849267cbf4c198d0427b21c56c49b2

SHA512
d79753c703dc0bc34c56e1d9afcf47c5bbaad37527339b95c7e9d7f7ab17ee67320f254575049b622bc4a8ef572d526b13f01a8a707d4c57da3599c548c83934

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B3B0CB6\sahiba_4.txt
Filesize
8KB

MD5
aa76e329fd4fc560c0f8f6b2f224d3da

SHA1
bbbd3c4843bed7d90d7d3c5ce62c6e47639f8a14

SHA256
dd5ac4469562c4d32e10983c14285e3c33849267cbf4c198d0427b21c56c49b2

SHA512
d79753c703dc0bc34c56e1d9afcf47c5bbaad37527339b95c7e9d7f7ab17ee67320f254575049b622bc4a8ef572d526b13f01a8a707d4c57da3599c548c83934

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B3B0CB6\sahiba_5.exe
Filesize
213KB

MD5
1cc35bf07b551ce45921ae41602ec87d

SHA1
5eca79da173ad9912d669d85133561501976c12c

SHA256
1371046b187faec8708e3732fc760515a7b96236c62094598340b1dc6331ac05

SHA512
852134d0f6e4bbb2930225655068a468d49c7b980f604ef31ce308abc4534c3fed4086adf93e8df9287de6ec9f3734c7468ef5c6f436f08cc7112a30e816afc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B3B0CB6\sahiba_5.txt
Filesize
213KB

MD5
1cc35bf07b551ce45921ae41602ec87d

SHA1
5eca79da173ad9912d669d85133561501976c12c

SHA256
1371046b187faec8708e3732fc760515a7b96236c62094598340b1dc6331ac05

SHA512
852134d0f6e4bbb2930225655068a468d49c7b980f604ef31ce308abc4534c3fed4086adf93e8df9287de6ec9f3734c7468ef5c6f436f08cc7112a30e816afc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B3B0CB6\sahiba_6.exe
Filesize
1.0MB

MD5
e44b6cb9e7111de178fbabf3ac1cba76

SHA1
b15d8d52864a548c42a331a574828824a65763ff

SHA256
c74894fe98864ade516c9e54f2258a23ed451feadfa2de53a7c626385b549b22

SHA512
24129e1de024d61bcc23654450f416307be3e7911de2baced47476e02cd7df737ce012f379eb0ea5d84367113619f53d6a80971ccc652a569d6b494150bbb6bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B3B0CB6\sahiba_6.txt
Filesize
1.0MB

MD5
e44b6cb9e7111de178fbabf3ac1cba76

SHA1
b15d8d52864a548c42a331a574828824a65763ff

SHA256
c74894fe98864ade516c9e54f2258a23ed451feadfa2de53a7c626385b549b22

SHA512
24129e1de024d61bcc23654450f416307be3e7911de2baced47476e02cd7df737ce012f379eb0ea5d84367113619f53d6a80971ccc652a569d6b494150bbb6bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B3B0CB6\sahiba_7.exe
Filesize
244KB

MD5
0bc56e17cb974ddd06782939dcee2606

SHA1
459f61b929c5925327eaa8495bf401cac9e2814f

SHA256
76ef9d99c7e37d132f6803ec46f8e2663b1cc282a5d2022946f1598965673fa1

SHA512
d260597ac09d2e6109fdbf7e5ca5817b73f3ed690529da067d2dbcde8d35959018837beb3ea7183f6f4ce52b911996d07f0b9712274021cc20bfbcc2c5e7fc1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B3B0CB6\sahiba_7.txt
Filesize
244KB

MD5
0bc56e17cb974ddd06782939dcee2606

SHA1
459f61b929c5925327eaa8495bf401cac9e2814f

SHA256
76ef9d99c7e37d132f6803ec46f8e2663b1cc282a5d2022946f1598965673fa1

SHA512
d260597ac09d2e6109fdbf7e5ca5817b73f3ed690529da067d2dbcde8d35959018837beb3ea7183f6f4ce52b911996d07f0b9712274021cc20bfbcc2c5e7fc1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B3B0CB6\setup_install.exe
Filesize
287KB

MD5
b9165f937e3873eb97693ab2c201ffbd

SHA1
beb46f3fd71a24a74d9f29647ce2cdacf74060e7

SHA256
8c926f7a08b94ddae207573185c512685c2a0c84ec2ee8a086baa51a508a9c74

SHA512
7564293a6e609d8ac2c1782790b45441ce5da52260762ae2d5c794836c20aa521facae87f61b50bc98290b177bfed0567b97a83e9519806017a9ee575a2c216b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B3B0CB6\setup_install.exe
Filesize
287KB

MD5
b9165f937e3873eb97693ab2c201ffbd

SHA1
beb46f3fd71a24a74d9f29647ce2cdacf74060e7

SHA256
8c926f7a08b94ddae207573185c512685c2a0c84ec2ee8a086baa51a508a9c74

SHA512
7564293a6e609d8ac2c1782790b45441ce5da52260762ae2d5c794836c20aa521facae87f61b50bc98290b177bfed0567b97a83e9519806017a9ee575a2c216b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC4F.tmp
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
Filesize
552KB

MD5
99ab358c6f267b09d7a596548654a6ba

SHA1
d5a643074b69be2281a168983e3f6bef7322f676

SHA256
586339f93c9c0eed8a42829ab307f2c5381a636edbcf80df3770c27555034380

SHA512
952040785a3c1dcaea613d2e0d46745d5b631785d26de018fd9f85f8485161d056bf67b19c96ae618d35de5d5991a0dd549d749949faea7a2e0f9991a1aa2b2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
Filesize
73KB

MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
Filesize
73KB

MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
Filesize
2.6MB

MD5
04e682e306c4a8720a7aba6ff54a991a

SHA1
30d43db52ea51648e37b736bcdf3f46099650b6d

SHA256
a46ea98ad0ea5abc3bf267a93c0af04c785ffe3811154b1670b9661e264d8aa2

SHA512
4def0bd15ddee8f1dc91e0fb3a76928325f29ed51711bec672d2dc1ada396b3c848cdc3b24bcdf620edf8dc8474b744c12362091425d70d0521ba934aaf69aae

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
Filesize
2.6MB

MD5
04e682e306c4a8720a7aba6ff54a991a

SHA1
30d43db52ea51648e37b736bcdf3f46099650b6d

SHA256
a46ea98ad0ea5abc3bf267a93c0af04c785ffe3811154b1670b9661e264d8aa2

SHA512
4def0bd15ddee8f1dc91e0fb3a76928325f29ed51711bec672d2dc1ada396b3c848cdc3b24bcdf620edf8dc8474b744c12362091425d70d0521ba934aaf69aae

Download Submit
memory/396-198-0x0000000000160000-0x000000000019E000-memory.dmp

Filesize
248KB

Download
memory/396-221-0x00007FF84D730000-0x00007FF84E1F1000-memory.dmp

Filesize
10.8MB

Download
memory/396-192-0x0000000000000000-mapping.dmp

Download
memory/396-200-0x00007FF84D730000-0x00007FF84E1F1000-memory.dmp

Filesize
10.8MB

Download
memory/816-179-0x0000000000000000-mapping.dmp

Download
memory/904-182-0x0000000000000000-mapping.dmp

Download
memory/944-130-0x0000000000000000-mapping.dmp

Download
memory/1836-220-0x00007FF84D730000-0x00007FF84E1F1000-memory.dmp

Filesize
10.8MB

Download
memory/1836-199-0x00007FF84D730000-0x00007FF84E1F1000-memory.dmp

Filesize
10.8MB

Download
memory/1836-185-0x0000000000000000-mapping.dmp

Download
memory/1836-190-0x0000000000940000-0x0000000000948000-memory.dmp

Filesize
32KB

Download
memory/1888-193-0x0000000000000000-mapping.dmp

Download
memory/2020-218-0x0000000000400000-0x0000000002BD7000-memory.dmp

Filesize
39.8MB

Download
memory/2020-186-0x0000000000000000-mapping.dmp

Download
memory/2020-222-0x0000000002EAD000-0x0000000002F11000-memory.dmp

Filesize
400KB

Download
memory/2020-217-0x0000000004730000-0x00000000047CD000-memory.dmp

Filesize
628KB

Download
memory/2020-216-0x0000000002EAD000-0x0000000002F11000-memory.dmp

Filesize
400KB

Download
memory/2060-195-0x0000000000000000-mapping.dmp

Download
memory/2380-210-0x0000000000000000-mapping.dmp

Download
memory/3156-176-0x0000000000000000-mapping.dmp

Download
memory/3288-183-0x0000000000000000-mapping.dmp

Download
memory/3348-154-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3348-205-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3348-133-0x0000000000000000-mapping.dmp

Download
memory/3348-148-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3348-149-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3348-168-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3348-167-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3348-152-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3348-156-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3348-150-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3348-158-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3348-161-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3348-163-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3348-166-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3348-165-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3348-164-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3348-151-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3348-203-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3348-204-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3348-153-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3348-207-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3348-206-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3348-162-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3348-160-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3348-159-0x00000000007A0000-0x000000000082F000-memory.dmp

Filesize
572KB

Download
memory/3348-157-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3348-155-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3516-180-0x0000000000000000-mapping.dmp

Download
memory/3676-181-0x0000000000000000-mapping.dmp

Download
memory/4212-214-0x0000000002BF0000-0x0000000002BF9000-memory.dmp

Filesize
36KB

Download
memory/4212-213-0x0000000002D3D000-0x0000000002D46000-memory.dmp

Filesize
36KB

Download
memory/4212-215-0x0000000000400000-0x0000000002B7B000-memory.dmp

Filesize
39.5MB

Download
memory/4212-187-0x0000000000000000-mapping.dmp

Download
memory/4212-219-0x0000000000400000-0x0000000002B7B000-memory.dmp

Filesize
39.5MB

Download
memory/4544-201-0x0000000000000000-mapping.dmp

Download
memory/4984-178-0x0000000000000000-mapping.dmp

Download
memory/5000-177-0x0000000000000000-mapping.dmp

Download

pid	process
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768

pid	process
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768

pid	process
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768

pid	process
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768

pid	process
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768

pid	process
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768
768