xmrig | hxxps://drive[.]google[.]com/file/d/1YGNp6QDWI7kQ6zjwGyu3iaBoYHzpKDzv/view?usp=sharing

Analysis

max time kernel
112s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2024 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1YGNp6QDWI7kQ6zjwGyu3iaBoYHzpKDzv/view?usp=sharing

Score

10^/10

xmrig discovery evasion execution miner

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs

description	pid	Process	procid_target
PID 2720 created 3536	2720	setup.exe	56
PID 2720 created 3536	2720	setup.exe	56
PID 2720 created 3536	2720	setup.exe	56
PID 2720 created 3536	2720	setup.exe	56
PID 2720 created 3536	2720	setup.exe	56
PID 2720 created 3536	2720	setup.exe	56
PID 2988 created 3536	2988	updater.exe	56
PID 2988 created 3536	2988	updater.exe	56
PID 2988 created 3536	2988	updater.exe	56
PID 2988 created 3536	2988	updater.exe	56
PID 2988 created 3536	2988	updater.exe	56

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral1/memory/2416-343-0x00007FF651270000-0x00007FF651AB0000-memory.dmp	xmrig
behavioral1/memory/2416-345-0x00007FF651270000-0x00007FF651AB0000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2420	powershell.exe
3288	powershell.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 3 IoCs

pid	Process
2720	setup.exe
3544	setup.exe
2988	updater.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
12	drive.google.com
13	drive.google.com
3	drive.google.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2988 set thread context of 3692	2988	updater.exe	141
PID 2988 set thread context of 2416	2988	updater.exe	142

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	setup.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4780	sc.exe
1052	sc.exe
3124	sc.exe
1148	sc.exe
2224	sc.exe
1380	sc.exe
4640	sc.exe
3036	sc.exe
3388	sc.exe
4612	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1772	schtasks.exe
4168	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3320	msedge.exe
3320	msedge.exe
2516	msedge.exe
2516	msedge.exe
4112	identity_helper.exe
4112	identity_helper.exe
4364	msedge.exe
4364	msedge.exe
2720	setup.exe
2720	setup.exe
2420	powershell.exe
2420	powershell.exe
2420	powershell.exe
2720	setup.exe
2720	setup.exe
2720	setup.exe
2720	setup.exe
2720	setup.exe
2720	setup.exe
2720	setup.exe
2720	setup.exe
2720	setup.exe
2720	setup.exe
2988	updater.exe
2988	updater.exe
3288	powershell.exe
3288	powershell.exe
2988	updater.exe
2988	updater.exe
2988	updater.exe
2988	updater.exe
2988	updater.exe
2988	updater.exe
2988	updater.exe
2988	updater.exe
2416	explorer.exe
2416	explorer.exe
2416	explorer.exe
2416	explorer.exe
2416	explorer.exe
2416	explorer.exe
2416	explorer.exe
2416	explorer.exe
2416	explorer.exe
2416	explorer.exe
2416	explorer.exe
2416	explorer.exe
2416	explorer.exe
2416	explorer.exe
2416	explorer.exe
2416	explorer.exe
2416	explorer.exe
2416	explorer.exe
2416	explorer.exe
2416	explorer.exe
2416	explorer.exe
2416	explorer.exe
2416	explorer.exe
2416	explorer.exe
2416	explorer.exe
2416	explorer.exe
2416	explorer.exe
2416	explorer.exe
2416	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	4360	7zG.exe
Token: 35	4360	7zG.exe
Token: SeSecurityPrivilege	4360	7zG.exe
Token: SeSecurityPrivilege	4360	7zG.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	3288	powershell.exe
Token: SeLockMemoryPrivilege	2416	explorer.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
4360	7zG.exe
2516	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 5080	2516	msedge.exe	81
PID 2516 wrote to memory of 5080	2516	msedge.exe	81
PID 2516 wrote to memory of 3704	2516	msedge.exe	83
PID 2516 wrote to memory of 3704	2516	msedge.exe	83
PID 2516 wrote to memory of 3704	2516	msedge.exe	83
PID 2516 wrote to memory of 3704	2516	msedge.exe	83
PID 2516 wrote to memory of 3704	2516	msedge.exe	83
PID 2516 wrote to memory of 3704	2516	msedge.exe	83
PID 2516 wrote to memory of 3704	2516	msedge.exe	83
PID 2516 wrote to memory of 3704	2516	msedge.exe	83
PID 2516 wrote to memory of 3704	2516	msedge.exe	83
PID 2516 wrote to memory of 3704	2516	msedge.exe	83
PID 2516 wrote to memory of 3704	2516	msedge.exe	83
PID 2516 wrote to memory of 3704	2516	msedge.exe	83
PID 2516 wrote to memory of 3704	2516	msedge.exe	83
PID 2516 wrote to memory of 3704	2516	msedge.exe	83
PID 2516 wrote to memory of 3704	2516	msedge.exe	83
PID 2516 wrote to memory of 3704	2516	msedge.exe	83
PID 2516 wrote to memory of 3704	2516	msedge.exe	83
PID 2516 wrote to memory of 3704	2516	msedge.exe	83
PID 2516 wrote to memory of 3704	2516	msedge.exe	83
PID 2516 wrote to memory of 3704	2516	msedge.exe	83
PID 2516 wrote to memory of 3704	2516	msedge.exe	83
PID 2516 wrote to memory of 3704	2516	msedge.exe	83
PID 2516 wrote to memory of 3704	2516	msedge.exe	83
PID 2516 wrote to memory of 3704	2516	msedge.exe	83
PID 2516 wrote to memory of 3704	2516	msedge.exe	83
PID 2516 wrote to memory of 3704	2516	msedge.exe	83
PID 2516 wrote to memory of 3704	2516	msedge.exe	83
PID 2516 wrote to memory of 3704	2516	msedge.exe	83
PID 2516 wrote to memory of 3704	2516	msedge.exe	83
PID 2516 wrote to memory of 3704	2516	msedge.exe	83
PID 2516 wrote to memory of 3704	2516	msedge.exe	83
PID 2516 wrote to memory of 3704	2516	msedge.exe	83
PID 2516 wrote to memory of 3704	2516	msedge.exe	83
PID 2516 wrote to memory of 3704	2516	msedge.exe	83
PID 2516 wrote to memory of 3704	2516	msedge.exe	83
PID 2516 wrote to memory of 3704	2516	msedge.exe	83
PID 2516 wrote to memory of 3704	2516	msedge.exe	83
PID 2516 wrote to memory of 3704	2516	msedge.exe	83
PID 2516 wrote to memory of 3704	2516	msedge.exe	83
PID 2516 wrote to memory of 3704	2516	msedge.exe	83
PID 2516 wrote to memory of 3320	2516	msedge.exe	84
PID 2516 wrote to memory of 3320	2516	msedge.exe	84
PID 2516 wrote to memory of 3092	2516	msedge.exe	85
PID 2516 wrote to memory of 3092	2516	msedge.exe	85
PID 2516 wrote to memory of 3092	2516	msedge.exe	85
PID 2516 wrote to memory of 3092	2516	msedge.exe	85
PID 2516 wrote to memory of 3092	2516	msedge.exe	85
PID 2516 wrote to memory of 3092	2516	msedge.exe	85
PID 2516 wrote to memory of 3092	2516	msedge.exe	85
PID 2516 wrote to memory of 3092	2516	msedge.exe	85
PID 2516 wrote to memory of 3092	2516	msedge.exe	85
PID 2516 wrote to memory of 3092	2516	msedge.exe	85
PID 2516 wrote to memory of 3092	2516	msedge.exe	85
PID 2516 wrote to memory of 3092	2516	msedge.exe	85
PID 2516 wrote to memory of 3092	2516	msedge.exe	85
PID 2516 wrote to memory of 3092	2516	msedge.exe	85
PID 2516 wrote to memory of 3092	2516	msedge.exe	85
PID 2516 wrote to memory of 3092	2516	msedge.exe	85
PID 2516 wrote to memory of 3092	2516	msedge.exe	85
PID 2516 wrote to memory of 3092	2516	msedge.exe	85
PID 2516 wrote to memory of 3092	2516	msedge.exe	85
PID 2516 wrote to memory of 3092	2516	msedge.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1YGNp6QDWI7kQ6zjwGyu3iaBoYHzpKDzv/view?usp=sharing
  2⤵
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdd39046f8,0x7ffdd3904708,0x7ffdd3904718
    3⤵
    PID:5080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,9397358431530605611,6930401795584957357,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
    3⤵
    PID:3704
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,9397358431530605611,6930401795584957357,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3320
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,9397358431530605611,6930401795584957357,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2572 /prefetch:8
    3⤵
    PID:3092
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,9397358431530605611,6930401795584957357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
    3⤵
    PID:3180
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,9397358431530605611,6930401795584957357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
    3⤵
    PID:2108
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,9397358431530605611,6930401795584957357,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
    3⤵
    PID:4324
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,9397358431530605611,6930401795584957357,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,9397358431530605611,6930401795584957357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
    3⤵
    PID:4044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,9397358431530605611,6930401795584957357,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
    3⤵
    PID:3260
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,9397358431530605611,6930401795584957357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
    3⤵
    PID:3208
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,9397358431530605611,6930401795584957357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
    3⤵
    PID:1912
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,9397358431530605611,6930401795584957357,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
    3⤵
    PID:932
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,9397358431530605611,6930401795584957357,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4692 /prefetch:8
    3⤵
    PID:5008
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,9397358431530605611,6930401795584957357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4040 /prefetch:1
    3⤵
    PID:3020
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,9397358431530605611,6930401795584957357,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5732 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4364
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Solara V3.1\" -ad -an -ai#7zMap27195:84:7zEvent29681
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4360
- C:\Users\Admin\Downloads\Solara V3.1\setup.exe
  "C:\Users\Admin\Downloads\Solara V3.1\setup.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2720
- C:\Users\Admin\Downloads\Solara V3.1\setup.exe
  "C:\Users\Admin\Downloads\Solara V3.1\setup.exe"
  2⤵
  - Executes dropped EXE
  PID:3544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2420
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:536
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2224
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1380
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4640
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:3036
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:4780
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:3956
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\xccwfcqyrwss.xml"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1772
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:2768
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Downloads\Solara V3.1\setup.exe"
  2⤵
  PID:3608
- - C:\Windows\System32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:3208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3288
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:4744
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1052
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:3388
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:3124
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1148
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:4612
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\xccwfcqyrwss.xml"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4168
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:3692
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2416

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:932

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4480

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1376

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\594d0004-ca0c-4ead-b3f9-909e6511cfcb.tmp

Filesize
11KB

MD5
0b2fa5d13d04d59facec8b80d2937d8a

SHA1
ac954942a9a65106951cdfbab42bc666ad5cf8d7

SHA256
19e438eab578d3dd591328836004ec831fd0397aba70965598cbf4ce1c6bc36b

SHA512
9dce3e8e587c31321990b855e61d4bf7cdb7822a18ab2c2673054552e378ff5767fb12b89c1439d205775f0819bd0ffc4bca133548f0170b2f27860f747959cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7114a6cd851f9bf56cf771c37d664a2

SHA1
769c5d04fd83e583f15ab1ef659de8f883ecab8a

SHA256
d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e

SHA512
33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
719923124ee00fb57378e0ebcbe894f7

SHA1
cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

SHA256
aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

SHA512
a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
1c947722e75c0cf6b72a93aef5db131d

SHA1
14186786682a1fa0308d11cc65b1afae8bbd9bf9

SHA256
a0706481b999662d215f51dda13e8618e4cc5b8d2255db58068a2f0e070ef3b8

SHA512
6afa314eb8b0e7617222f2fce1f4ebed157023b99cc1a503e4a56e4fe62f7f3a793a75486e56ae85e59075bbb878956ca2b9b847f56e0cbb9f3870fd6c8e53db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
59ec409312920a5a65364a362b0b1140

SHA1
506687a447777dc47b05920b9472873d0bd211b8

SHA256
235f899a12068b7bef1a13a44f728ea32ab47a5d87149270f105328c7b72a0c5

SHA512
e79e8bb0647529f5dadffde1e1e4b083b66927d11577e70bbe943ba5391915ce2ce9d3eb5edb74e8c5b65227087e38f397892274e300ece91f15bca6295e49fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3be44c136db7606c6fcb7e265422920d

SHA1
fb6c496c4106dbda926b0ed8b19748a97eaf927f

SHA256
19dc3967c05ea484b092872eaf0940d721b08144f15d65b362a7303c7cf7e2f7

SHA512
5ef4ba2310bb1497d81a00e619213ffbd14d7027bb8dc96e8ee59498b9116fad96e143149b15729188ca05751a7183fac58e8df8e5b3145488da2f9ccefb4c50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7f1703293b2d279390c2c580a6746d5b

SHA1
b42f1747edaf6c1ccb563e59d5f7ea86040e2976

SHA256
b0dddf92ef9e937db0fff0eb79f04ec1ffdb241e68786c9f2dbe603998037c35

SHA512
7af2fffee81ec931e5c6e874010385dd004a18598f1570261269c6cc6fef08d8293c90a5740d0adbf3d657b730c0150a996dab8b6173efd08219ec8270d7cb33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
876a6573e2e4729116b3cb2670a9fb23

SHA1
606b0a4a5e8514c9f6a51b79f952b42ca752e51e

SHA256
3f2793dedfe8c26c683fc64596ca66b6c69ce460c55dd7b8ae0d47fe99ed3850

SHA512
8b757da83841d4855f160ffff1d1a287f3c1b92e0b5342b9c85923a2f9d01b6b2eecf91b371265d8d9f25caee02da47497ecc1772b05165f6e1cb6e18124a544

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
758e0b96c312382200651399b0901516

SHA1
82bd85d83d6f7c5a3b6f7e4dc355a0a20ab898bf

SHA256
732a08dc349bea53c19d8fa64aa88988265d862ea5b47637eaec56abf122c503

SHA512
61d91c030919625e047a3d987d2e59e1ef99258666871080f6a1acac7133d88ddb1bbc2c5586faa811884c5eca99d2e4ee0972202f2005be87ec7acf189527a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d72b119b618da50010218a577e87bea7

SHA1
2a6d3c28b6cc6cebec3a178197d3abf6f6f9d3ba

SHA256
65067e1755baffafb7a2a1b6337c8930816add998dfc025f1a53bbab01803fd5

SHA512
d557831604e57563fdf000ec5bcf5b59e29cc7ffb2e499a1a0ba6701205ab74935cb25344f3e2033a98d1f8e94c118a253d32299d914499df1d12371004a9db1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6d0dee0f48353f817549395b933bad68

SHA1
08ac93dab1d91bf4c34cdbc2e024ff8f1e22701d

SHA256
8e66d1cfd47170b3cdbb0fbc907a3cadf800d50ee50c2ff90dc3662f86d5ef94

SHA512
a9b137a4ceba4a3c69bab145089b9eeb7bff58ec738350da5d2e1ba1cff602816a5e1587c74542d94df4a31b022ce4f8e4c762d8ffb43f81561c0448e50a95d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bbdv1lvm.ywf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\xccwfcqyrwss.xml

Filesize
1KB

MD5
546d67a48ff2bf7682cea9fac07b942e

SHA1
a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90

SHA256
eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a

SHA512
10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

Download Submit
C:\Users\Admin\Downloads\Solara V3.1\setup.exe

Filesize
44.2MB

MD5
76c02cf8be9c38964646e9aaa28faed3

SHA1
88b65a740c91343ca4e764c5c917a46aa3dac158

SHA256
84c2c2b81e51fff7171714ccbd4548cf5d913148b74cab9c509a3890d20de7ac

SHA512
95cef08c0d1c0294ff5c1d18992c10707506edcf0d26798e249d5ca8c7f4e53b12c37cae4bd0c2cf06285b65460d45671a943321373ff18310bcf82c79d14bf8

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 909978.crdownload

Filesize
16.3MB

MD5
60016c43a66ffbf1fcb4b025f0a4dc3d

SHA1
22a6adb05ee62fee64035da204a5d6b67f484d9c

SHA256
28939e5900783b095f2c717d7c4e8be2c9d8f5091492704ce31e356a01b20ef7

SHA512
d5b1baa369e70daa16c1b909af8cec5009f88424d8a71d2560484c640d24fc1b3597cca9c21c5080942cf5e0b894369f0258e53bbc4bfa14625d1107e144f619

Download Submit
memory/2416-341-0x0000000001050000-0x0000000001070000-memory.dmp

Filesize
128KB

Download
memory/2416-345-0x00007FF651270000-0x00007FF651AB0000-memory.dmp

Filesize
8.2MB

Download
memory/2416-343-0x00007FF651270000-0x00007FF651AB0000-memory.dmp

Filesize
8.2MB

Download
memory/2420-293-0x0000024FFE250000-0x0000024FFE272000-memory.dmp

Filesize
136KB

Download
memory/2720-302-0x00007FF7F1E50000-0x00007FF7F4A93000-memory.dmp

Filesize
44.3MB

Download
memory/2720-168-0x00007FF7F1E50000-0x00007FF7F4A93000-memory.dmp

Filesize
44.3MB

Download
memory/2988-304-0x00007FF665920000-0x00007FF668563000-memory.dmp

Filesize
44.3MB

Download
memory/2988-340-0x00007FF665920000-0x00007FF668563000-memory.dmp

Filesize
44.3MB

Download
memory/3288-325-0x00000209A4A60000-0x00000209A4A6A000-memory.dmp

Filesize
40KB

Download
memory/3288-326-0x00000209A4BD0000-0x00000209A4BEC000-memory.dmp

Filesize
112KB

Download
memory/3288-327-0x00000209A4BB0000-0x00000209A4BBA000-memory.dmp

Filesize
40KB

Download
memory/3288-328-0x00000209A4C10000-0x00000209A4C2A000-memory.dmp

Filesize
104KB

Download
memory/3288-329-0x00000209A4BC0000-0x00000209A4BC8000-memory.dmp

Filesize
32KB

Download
memory/3288-330-0x00000209A4BF0000-0x00000209A4BF6000-memory.dmp

Filesize
24KB

Download
memory/3288-331-0x00000209A4C00000-0x00000209A4C0A000-memory.dmp

Filesize
40KB

Download
memory/3288-324-0x00000209A49A0000-0x00000209A4A55000-memory.dmp

Filesize
724KB

Download
memory/3288-323-0x00000209A4980000-0x00000209A499C000-memory.dmp

Filesize
112KB

Download
memory/3544-160-0x00007FF7F1E50000-0x00007FF7F4A93000-memory.dmp

Filesize
44.3MB

Download
memory/3692-342-0x00007FF6CACB0000-0x00007FF6CACC3000-memory.dmp

Filesize
76KB

Download