139c41c5638d344cf6a0f8fb38c61b3f657544b01dd95daff62d0e4b8ff908a1

Analysis

max time kernel
19s
max time network
37s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 20:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Solara.exe
Size

21.2MB
MD5

a6bf6970741f337bcb700166165c1f30
SHA1

f90ace8f03e2b76e243d539c8570d157f658d025
SHA256

139c41c5638d344cf6a0f8fb38c61b3f657544b01dd95daff62d0e4b8ff908a1
SHA512

c5ef34314bfbd5db99d8d02981e4ce5b46776bdae87e4768963fa902319a4d9712afe7bca302688a424eb9e7dffb9aa5da8444ea2877a48e3f9dd67622477521
SSDEEP

393216:fOQxoHOKgCanLd/l/NmA6MierK6sl0Ibft5/TqcJb45EGle:2hOKgj/4MTrKV9ft5bqR5EGle

Score

8^/10

defense_evasion discovery evasion execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4400	powershell.exe
3684	powershell.exe
1820	powershell.exe
3232	powershell.exe
2728	powershell.exe
4060	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Solara Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	kx new.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Solara.exe

Executes dropped EXE 9 IoCs

pid	Process
4436	eth.exe
1732	xmr.exe
4520	Solara Bootstrapper.exe
3548	kx new.exe
1068	SolaraBootstrapper.exe
5024	Kawpow new.exe
1736	xmr new.exe
3508	lrgkmixyjzta.exe
4748	eejhedztifcv.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 3 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Setup.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
11	raw.githubusercontent.com
10	raw.githubusercontent.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Power Settings 1 TTPs 12 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
4368	powercfg.exe
544	powercfg.exe
2328	powercfg.exe
2796	powercfg.exe
4628	powercfg.exe
1468	powercfg.exe
900	powercfg.exe
1540	powercfg.exe
4172	powercfg.exe
3024	powercfg.exe
3464	powercfg.exe
4408	powercfg.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	eth.exe
File opened for modification	C:\Windows\system32\MRT.exe	xmr.exe
File opened for modification	C:\Windows\system32\MRT.exe	Kawpow new.exe
File opened for modification	C:\Windows\system32\MRT.exe	xmr new.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	lrgkmixyjzta.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 4436 set thread context of 1508	4436	eth.exe	126
PID 1732 set thread context of 4004	1732	xmr.exe	139
PID 5024 set thread context of 3020	5024	Kawpow new.exe	181
PID 1736 set thread context of 4796	1736	xmr new.exe	192
PID 3508 set thread context of 3992	3508	lrgkmixyjzta.exe	227
PID 3508 set thread context of 4888	3508	lrgkmixyjzta.exe	228
PID 3508 set thread context of 3368	3508	lrgkmixyjzta.exe	229

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	Process not Found

Launches sc.exe 44 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4344	sc.exe
4504	sc.exe
2716	sc.exe
4744	sc.exe
1536	sc.exe
740	sc.exe
3584	sc.exe
3440	sc.exe
2256	sc.exe
3336	sc.exe
1204	sc.exe
964	sc.exe
4712	sc.exe
3512	sc.exe
2316	sc.exe
4484	sc.exe
5036	sc.exe
1672	sc.exe
4396	sc.exe
4944	sc.exe
2056	sc.exe
2828	sc.exe
2212	sc.exe
1044	sc.exe
2696	sc.exe
3568	sc.exe
3908	sc.exe
4080	sc.exe
4968	sc.exe
3048	sc.exe
4336	sc.exe
2680	sc.exe
2872	sc.exe
1732	sc.exe
3472	sc.exe
5072	sc.exe
1172	sc.exe
3020	sc.exe
2420	sc.exe
1672	sc.exe
2444	sc.exe
2036	sc.exe
3544	sc.exe
3452	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kx new.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SolaraBootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Solara.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Solara Bootstrapper.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2104	powershell.exe
3344	powershell.exe
2104	powershell.exe
1068	SolaraBootstrapper.exe
1068	SolaraBootstrapper.exe
3344	powershell.exe
2764	powershell.exe
2764	powershell.exe
4436	eth.exe
4400	powershell.exe
4400	powershell.exe
1732	xmr.exe
3684	powershell.exe
3684	powershell.exe
4436	eth.exe
4436	eth.exe
4436	eth.exe
4436	eth.exe
1732	xmr.exe
1732	xmr.exe
4436	eth.exe
1732	xmr.exe
4436	eth.exe
1732	xmr.exe
4436	eth.exe
4436	eth.exe
1508	dialer.exe
1508	dialer.exe
1732	xmr.exe
4436	eth.exe
4436	eth.exe
4436	eth.exe
1732	xmr.exe
1732	xmr.exe
1732	xmr.exe
1732	xmr.exe
4004	dialer.exe
4004	dialer.exe
3508	lrgkmixyjzta.exe
1508	dialer.exe
1508	dialer.exe
1820	powershell.exe
1820	powershell.exe
4004	dialer.exe
4004	dialer.exe
5024	Kawpow new.exe
1820	powershell.exe
4004	dialer.exe
4004	dialer.exe
3232	powershell.exe
1736	xmr new.exe
3232	powershell.exe
4004	dialer.exe
4004	dialer.exe
2728	powershell.exe
4004	dialer.exe
4004	dialer.exe
4004	dialer.exe
4004	dialer.exe
2728	powershell.exe
4004	dialer.exe
1820	powershell.exe
4004	dialer.exe
4004	dialer.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	3344	powershell.exe
Token: SeDebugPrivilege	1068	SolaraBootstrapper.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	4400	powershell.exe
Token: SeDebugPrivilege	3684	powershell.exe
Token: SeDebugPrivilege	1508	dialer.exe
Token: SeDebugPrivilege	4004	dialer.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	3232	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	3020	dialer.exe
Token: SeShutdownPrivilege	4368	powercfg.exe
Token: SeCreatePagefilePrivilege	4368	powercfg.exe
Token: SeShutdownPrivilege	1468	powercfg.exe
Token: SeCreatePagefilePrivilege	1468	powercfg.exe
Token: SeShutdownPrivilege	544	powercfg.exe
Token: SeCreatePagefilePrivilege	544	powercfg.exe
Token: SeShutdownPrivilege	900	powercfg.exe
Token: SeCreatePagefilePrivilege	900	powercfg.exe
Token: SeDebugPrivilege	4796	dialer.exe
Token: SeShutdownPrivilege	3464	powercfg.exe
Token: SeCreatePagefilePrivilege	3464	powercfg.exe
Token: SeShutdownPrivilege	4408	powercfg.exe
Token: SeCreatePagefilePrivilege	4408	powercfg.exe
Token: SeShutdownPrivilege	2328	powercfg.exe
Token: SeCreatePagefilePrivilege	2328	powercfg.exe
Token: SeShutdownPrivilege	1540	powercfg.exe
Token: SeCreatePagefilePrivilege	1540	powercfg.exe
Token: SeDebugPrivilege	4060	powershell.exe
Token: SeDebugPrivilege	3992	dialer.exe
Token: SeLockMemoryPrivilege	3368	dialer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3944 wrote to memory of 2104	3944	Solara.exe	81
PID 3944 wrote to memory of 2104	3944	Solara.exe	81
PID 3944 wrote to memory of 2104	3944	Solara.exe	81
PID 3944 wrote to memory of 4436	3944	Solara.exe	83
PID 3944 wrote to memory of 4436	3944	Solara.exe	83
PID 3944 wrote to memory of 1732	3944	Solara.exe	84
PID 3944 wrote to memory of 1732	3944	Solara.exe	84
PID 3944 wrote to memory of 4520	3944	Solara.exe	85
PID 3944 wrote to memory of 4520	3944	Solara.exe	85
PID 3944 wrote to memory of 4520	3944	Solara.exe	85
PID 4520 wrote to memory of 3344	4520	Solara Bootstrapper.exe	86
PID 4520 wrote to memory of 3344	4520	Solara Bootstrapper.exe	86
PID 4520 wrote to memory of 3344	4520	Solara Bootstrapper.exe	86
PID 4520 wrote to memory of 3548	4520	Solara Bootstrapper.exe	88
PID 4520 wrote to memory of 3548	4520	Solara Bootstrapper.exe	88
PID 4520 wrote to memory of 3548	4520	Solara Bootstrapper.exe	88
PID 4520 wrote to memory of 1068	4520	Solara Bootstrapper.exe	89
PID 4520 wrote to memory of 1068	4520	Solara Bootstrapper.exe	89
PID 4520 wrote to memory of 1068	4520	Solara Bootstrapper.exe	89
PID 3548 wrote to memory of 2764	3548	kx new.exe	91
PID 3548 wrote to memory of 2764	3548	kx new.exe	91
PID 3548 wrote to memory of 2764	3548	kx new.exe	91
PID 3548 wrote to memory of 5024	3548	kx new.exe	93
PID 3548 wrote to memory of 5024	3548	kx new.exe	93
PID 3548 wrote to memory of 1736	3548	kx new.exe	94
PID 3548 wrote to memory of 1736	3548	kx new.exe	94
PID 3512 wrote to memory of 3944	3512	cmd.exe	108
PID 3512 wrote to memory of 3944	3512	cmd.exe	108
PID 5072 wrote to memory of 2748	5072	cmd.exe	123
PID 5072 wrote to memory of 2748	5072	cmd.exe	123
PID 4436 wrote to memory of 1508	4436	eth.exe	126
PID 4436 wrote to memory of 1508	4436	eth.exe	126
PID 4436 wrote to memory of 1508	4436	eth.exe	126
PID 4436 wrote to memory of 1508	4436	eth.exe	126
PID 4436 wrote to memory of 1508	4436	eth.exe	126
PID 4436 wrote to memory of 1508	4436	eth.exe	126
PID 4436 wrote to memory of 1508	4436	eth.exe	126
PID 1732 wrote to memory of 4004	1732	xmr.exe	139
PID 1732 wrote to memory of 4004	1732	xmr.exe	139
PID 1732 wrote to memory of 4004	1732	xmr.exe	139
PID 1732 wrote to memory of 4004	1732	xmr.exe	139
PID 1732 wrote to memory of 4004	1732	xmr.exe	139
PID 1732 wrote to memory of 4004	1732	xmr.exe	139
PID 1732 wrote to memory of 4004	1732	xmr.exe	139
PID 1508 wrote to memory of 616	1508	dialer.exe	5
PID 1508 wrote to memory of 676	1508	dialer.exe	7
PID 1508 wrote to memory of 952	1508	dialer.exe	12
PID 1508 wrote to memory of 384	1508	dialer.exe	13
PID 1508 wrote to memory of 536	1508	dialer.exe	14
PID 1508 wrote to memory of 924	1508	dialer.exe	15
PID 1508 wrote to memory of 1084	1508	dialer.exe	17
PID 1508 wrote to memory of 1100	1508	dialer.exe	18
PID 1508 wrote to memory of 1116	1508	dialer.exe	19
PID 1508 wrote to memory of 1164	1508	dialer.exe	20
PID 1508 wrote to memory of 1188	1508	dialer.exe	21
PID 1508 wrote to memory of 1328	1508	dialer.exe	22
PID 1508 wrote to memory of 1352	1508	dialer.exe	23
PID 1508 wrote to memory of 1416	1508	dialer.exe	24
PID 1508 wrote to memory of 1520	1508	dialer.exe	25
PID 1508 wrote to memory of 1572	1508	dialer.exe	26
PID 1508 wrote to memory of 1584	1508	dialer.exe	27
PID 1508 wrote to memory of 1692	1508	dialer.exe	28
PID 1508 wrote to memory of 1712	1508	dialer.exe	29
PID 1508 wrote to memory of 1748	1508	dialer.exe	30

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:384

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:536

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1084
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3108

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1100

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1352
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1572

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1584

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1788

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1896

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1904

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2012

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2340

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2544

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2568

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2600

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3152

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3328

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3376
- C:\Users\Admin\AppData\Local\Temp\Solara.exe
  "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3944
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAeABuACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAeQBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGcAYQBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAZQBwACMAPgA="
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2104
- - C:\Users\Admin\AppData\Local\Temp\eth.exe
    "C:\Users\Admin\AppData\Local\Temp\eth.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4436
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4400
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3512
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:3944
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:4344
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:1204
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:2212
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:2036
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:4336
  - - C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1508
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "ARIBLEUL"
      4⤵
      Launches sc.exe
      PID:2696
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "ARIBLEUL" binpath= "C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:4484
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:1172
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "ARIBLEUL"
      4⤵
      Launches sc.exe
      PID:3584
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2440
- - C:\Users\Admin\AppData\Local\Temp\xmr.exe
    "C:\Users\Admin\AppData\Local\Temp\xmr.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1732
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3684
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5072
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:2748
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:4504
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:3048
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:1044
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:740
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:5036
  - - C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4004
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:1672
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "ARIBLEUL"
      4⤵
      Launches sc.exe
      PID:3020
- - C:\Users\Admin\AppData\Local\Temp\Solara Bootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\Solara Bootstrapper.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4520
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAdQBiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAcQB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAbQB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGIAZgBpACMAPgA="
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3344
  - - C:\Users\Admin\AppData\Local\Temp\kx new.exe
      "C:\Users\Admin\AppData\Local\Temp\kx new.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3548
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAcAB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAcAB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AagBnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAbgBxACMAPgA="
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
    - - C:\Users\Admin\AppData\Local\Temp\Kawpow new.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Kawpow new.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:5024
      - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:4980
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        
        PID:3728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:4284
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        7⤵
        
        PID:1836
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        6⤵
        Launches sc.exe
        
        PID:3544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:3948
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        
        PID:2256
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:5100
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        6⤵
        Launches sc.exe
        
        PID:2420
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        6⤵
        Launches sc.exe
        
        PID:3336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:5036
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        6⤵
        Launches sc.exe
        
        PID:4744
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1468
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2920
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:4764
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:1948
      - C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "CKTJZLMO"
        6⤵
        Launches sc.exe
        
        PID:2872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2668
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "CKTJZLMO" binpath= "C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe" start= "auto"
        6⤵
        Launches sc.exe
        
        PID:2444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:3344
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        6⤵
        Launches sc.exe
        
        PID:3472
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "CKTJZLMO"
        6⤵
        Launches sc.exe
        
        PID:3908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2400
    - - C:\Users\Admin\AppData\Local\Temp\xmr new.exe
        
        "C:\Users\Admin\AppData\Local\Temp\xmr new.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:1736
      - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:744
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        
        PID:3908
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        7⤵
        
        PID:4528
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        6⤵
        Launches sc.exe
        
        PID:3440
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        
        PID:2680
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        6⤵
        Launches sc.exe
        
        PID:3568
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        6⤵
        Launches sc.exe
        
        PID:2716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:3316
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        6⤵
        Launches sc.exe
        
        PID:1672
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2840
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:316
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3464
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
      - C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4796
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "CKTJZLMO"
        6⤵
        Launches sc.exe
        
        PID:1732
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2772
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "CKTJZLMO" binpath= "C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe" start= "auto"
        6⤵
        Launches sc.exe
        
        PID:3452
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        6⤵
        Launches sc.exe
        
        PID:964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:4728
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "CKTJZLMO"
        6⤵
        Launches sc.exe
        
        PID:4080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:700
  - - C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
      "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3552

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3740

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3896

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3416

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4508

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4240

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:5028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:1128

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:3116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:2092

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3008

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 04b786a6c7c257ef3b996c8ae2a09694 pmFl9aSacEamNqmG0eAeaQ.0.1.0.0.0
1⤵
PID:2628
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1648

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:2368

C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe
C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:3508
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1820
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:3236
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3580
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3956
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:4712
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:4396
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2708
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:3512
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2888
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:4944
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:5072
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1516
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3992
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:4888
- C:\Windows\system32\dialer.exe
  dialer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3368

C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe
C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe
1⤵
- Executes dropped EXE
PID:4748
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4060
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:3548
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3452
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:1536
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:2056
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:4968
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2316
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2828
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:3024
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:4172
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:4628
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2176
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:2796
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:1600
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:2560
- C:\Windows\system32\dialer.exe
  dialer.exe
  2⤵
  PID:428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
310953a269f4c350696f2ddd87c2d1b5

SHA1
25fcfd949543d828dbde23079df12ed477cd1858

SHA256
42fc902f9db83d536e276fb74f9b40faff8df6e5a52ff4f8cc1e91bcf646e776

SHA512
a719ec356a8e986253a7eee9e62fefd8fd5ce8487278dd4e6afdfd3fb4ccca30d1fb069beb1ea0a5de6d06037963a5fc13322a5aa5b86ba277797cb2299e23b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba169f4dcbbf147fe78ef0061a95e83b

SHA1
92a571a6eef49fff666e0f62a3545bcd1cdcda67

SHA256
5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

SHA512
8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kawpow new.exe

Filesize
5.2MB

MD5
fb6a3b436e9f9402937d95f755b62f91

SHA1
aea3a8a311c2b8b6fc7d9d263b952f95a30b180e

SHA256
4c9d878e35e7fd497c633a770d3359fb37447985450dc19f45db0925972c39e0

SHA512
7a3e2e42fe965db1cebc539235fec88e277669c9a62be2450ea4efaf5dd93f1de11740197ff26e697e9e9acc499cba2c30b64cfa5e5b35b28b9e0b93087ee2f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara Bootstrapper.exe

Filesize
10.5MB

MD5
00a1864355a5ea47902e5757c0d87fd9

SHA1
4be5647308e0925fb00fae068cb4a89a8a449afc

SHA256
4289002fd7528974ae7a9bf4d855bfd3812d248a46dbd7f94e7336f260ae7a39

SHA512
7f86e42676cfd77aafd7a030656ad88d041ba54edc6eab41193528b03e79850f89e7d79679e6a14fff8e69d7011e36e03d09c73a46e8fc722dc126c3da4be718

Download Submit
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

Filesize
13KB

MD5
6557bd5240397f026e675afb78544a26

SHA1
839e683bf68703d373b6eac246f19386bb181713

SHA256
a7fecfc225dfdd4e14dcd4d1b4ba1b9f8e4d1984f1cdd8cda3a9987e5d53c239

SHA512
f2399d34898a4c0c201372d2dd084ee66a66a1c3eae949e568421fe7edada697468ef81f4fcab2afd61eaf97bcb98d6ade2d97295e2f674e93116d142e892e97

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kgsjc2mq.0o3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\eth.exe

Filesize
5.2MB

MD5
87c3dd67bfa3009d89f7b45b01d705b8

SHA1
7eb74405565dd5971298b2a2c8de9116d08db2d5

SHA256
92722d28951672263b79cd30eb975d770cfd5bd5ff53344fd329546fb950f155

SHA512
c79f10712bb505d3645c9fdf8ef11bd787ab327fc2f176302de71b5d4a886026e46e40338a5db964e4b42bd152f3279fda8f2f842f99876bee1b0783d2f74e0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kx new.exe

Filesize
10.4MB

MD5
d9d13fa25e880665fb471a4be57c494c

SHA1
7a4c1b09a9d37ff55872544a39a2cc5f0eec9523

SHA256
632e973ab369d51e21b499e440bdd9c4b2ffaac9e435485a648de8724e1b19f7

SHA512
cf20f3c108865614a27d498ee74198ee151027423b518024155b1dff553b33877aed81e7d5394094625d1ee7da5de82fa4ed119420009a3f3fc51019add3522e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xmr new.exe

Filesize
5.2MB

MD5
7d6398ebfb82a24748617189bf4ad691

SHA1
6c96d0e343e1e84bf58670f1249c1694a2012f04

SHA256
d7cd81563e5b98b9a329286557de71186d3f8f364a46691aca253ca00e4c3ef2

SHA512
9aeb3da479b23880de94e0b283a562ce19a79c2b27cb819ddf8e149eca5673a42c659fff10ea2ea9036aedda6fef37b97ecbf37236dd22baf20eba1e6dda4b4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xmr.exe

Filesize
5.2MB

MD5
154202154e41175e801a698ca940eb0c

SHA1
6ce074d67c91cb00016cb1095319b00afab396a8

SHA256
0612bfb5a51b0b413ba960f7d52bc647bd4cf7530fd760c0d6006aa829e806e2

SHA512
7d0a7474c28b87972fb02a48ee56a2549765a584a53abbd123631e142a655b17f3508b7d3c2b90f3174d118940143af12728355900472f27fe8280aa11a8f540

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
memory/384-204-0x000002CEC8EE0000-0x000002CEC8F0B000-memory.dmp

Filesize
172KB

Download
memory/384-205-0x00007FF9DCB10000-0x00007FF9DCB20000-memory.dmp

Filesize
64KB

Download
memory/536-214-0x000001CB0A9A0000-0x000001CB0A9CB000-memory.dmp

Filesize
172KB

Download
memory/536-215-0x00007FF9DCB10000-0x00007FF9DCB20000-memory.dmp

Filesize
64KB

Download
memory/616-208-0x00007FF9DCB10000-0x00007FF9DCB20000-memory.dmp

Filesize
64KB

Download
memory/616-197-0x000001CA4EE00000-0x000001CA4EE24000-memory.dmp

Filesize
144KB

Download
memory/616-207-0x000001CA4EEA0000-0x000001CA4EECB000-memory.dmp

Filesize
172KB

Download
memory/676-199-0x00000139109D0000-0x00000139109FB000-memory.dmp

Filesize
172KB

Download
memory/676-200-0x00007FF9DCB10000-0x00007FF9DCB20000-memory.dmp

Filesize
64KB

Download
memory/924-221-0x000001B064060000-0x000001B06408B000-memory.dmp

Filesize
172KB

Download
memory/924-222-0x00007FF9DCB10000-0x00007FF9DCB20000-memory.dmp

Filesize
64KB

Download
memory/952-211-0x00000193A61B0000-0x00000193A61DB000-memory.dmp

Filesize
172KB

Download
memory/952-212-0x00007FF9DCB10000-0x00007FF9DCB20000-memory.dmp

Filesize
64KB

Download
memory/1068-89-0x00000000050B0000-0x00000000050BA000-memory.dmp

Filesize
40KB

Download
memory/1068-88-0x0000000000830000-0x000000000083A000-memory.dmp

Filesize
40KB

Download
memory/1084-225-0x00007FF9DCB10000-0x00007FF9DCB20000-memory.dmp

Filesize
64KB

Download
memory/1084-224-0x000002A7ACC60000-0x000002A7ACC8B000-memory.dmp

Filesize
172KB

Download
memory/1100-228-0x00007FF9DCB10000-0x00007FF9DCB20000-memory.dmp

Filesize
64KB

Download
memory/1100-227-0x0000020B3EF60000-0x0000020B3EF8B000-memory.dmp

Filesize
172KB

Download
memory/1116-230-0x000001D3B7960000-0x000001D3B798B000-memory.dmp

Filesize
172KB

Download
memory/1116-231-0x00007FF9DCB10000-0x00007FF9DCB20000-memory.dmp

Filesize
64KB

Download
memory/1164-247-0x00007FF9DCB10000-0x00007FF9DCB20000-memory.dmp

Filesize
64KB

Download
memory/1164-246-0x000002E357160000-0x000002E35718B000-memory.dmp

Filesize
172KB

Download
memory/1188-250-0x00007FF9DCB10000-0x00007FF9DCB20000-memory.dmp

Filesize
64KB

Download
memory/1188-249-0x0000014540FA0000-0x0000014540FCB000-memory.dmp

Filesize
172KB

Download
memory/1508-180-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1508-176-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1508-178-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1508-177-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1508-194-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1508-181-0x00007FFA1CA90000-0x00007FFA1CC85000-memory.dmp

Filesize
2.0MB

Download
memory/1508-182-0x00007FFA1C390000-0x00007FFA1C44E000-memory.dmp

Filesize
760KB

Download
memory/1508-175-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1820-708-0x0000018D1DB40000-0x0000018D1DB46000-memory.dmp

Filesize
24KB

Download
memory/1820-710-0x0000018D1DB50000-0x0000018D1DB5A000-memory.dmp

Filesize
40KB

Download
memory/1820-706-0x0000018D1DB10000-0x0000018D1DB18000-memory.dmp

Filesize
32KB

Download
memory/1820-701-0x0000018D1DB60000-0x0000018D1DB7A000-memory.dmp

Filesize
104KB

Download
memory/1820-675-0x0000018D1DB00000-0x0000018D1DB0A000-memory.dmp

Filesize
40KB

Download
memory/1820-662-0x0000018D1DB20000-0x0000018D1DB3C000-memory.dmp

Filesize
112KB

Download
memory/1820-653-0x0000018D1D9B0000-0x0000018D1D9BA000-memory.dmp

Filesize
40KB

Download
memory/1820-634-0x0000018D1D8F0000-0x0000018D1D9A5000-memory.dmp

Filesize
724KB

Download
memory/1820-633-0x0000018D1D8D0000-0x0000018D1D8EC000-memory.dmp

Filesize
112KB

Download
memory/2104-25-0x0000000073780000-0x0000000073F30000-memory.dmp

Filesize
7.7MB

Download
memory/2104-78-0x0000000006BE0000-0x0000000006C2C000-memory.dmp

Filesize
304KB

Download
memory/2104-113-0x0000000007A40000-0x0000000007A5A000-memory.dmp

Filesize
104KB

Download
memory/2104-9-0x000000007378E000-0x000000007378F000-memory.dmp

Filesize
4KB

Download
memory/2104-112-0x00000000080A0000-0x000000000871A000-memory.dmp

Filesize
6.5MB

Download
memory/2104-99-0x00000000076F0000-0x0000000007722000-memory.dmp

Filesize
200KB

Download
memory/2104-111-0x0000000007930000-0x00000000079D3000-memory.dmp

Filesize
652KB

Download
memory/2104-110-0x0000000006CD0000-0x0000000006CEE000-memory.dmp

Filesize
120KB

Download
memory/2104-100-0x00000000740D0000-0x000000007411C000-memory.dmp

Filesize
304KB

Download
memory/2104-22-0x0000000005810000-0x0000000005E38000-memory.dmp

Filesize
6.2MB

Download
memory/2104-75-0x00000000066D0000-0x00000000066EE000-memory.dmp

Filesize
120KB

Download
memory/2104-29-0x0000000005720000-0x0000000005742000-memory.dmp

Filesize
136KB

Download
memory/2104-46-0x0000000006170000-0x00000000064C4000-memory.dmp

Filesize
3.3MB

Download
memory/2104-30-0x0000000006020000-0x0000000006086000-memory.dmp

Filesize
408KB

Download
memory/2104-31-0x0000000006100000-0x0000000006166000-memory.dmp

Filesize
408KB

Download
memory/2104-124-0x0000000007AB0000-0x0000000007ABA000-memory.dmp

Filesize
40KB

Download
memory/2104-21-0x0000000073780000-0x0000000073F30000-memory.dmp

Filesize
7.7MB

Download
memory/2104-17-0x0000000003110000-0x0000000003146000-memory.dmp

Filesize
216KB

Download
memory/2104-149-0x0000000073780000-0x0000000073F30000-memory.dmp

Filesize
7.7MB

Download
memory/2764-125-0x00000000740D0000-0x000000007411C000-memory.dmp

Filesize
304KB

Download
memory/3344-138-0x0000000007D50000-0x0000000007D5E000-memory.dmp

Filesize
56KB

Download
memory/3344-139-0x0000000007D60000-0x0000000007D74000-memory.dmp

Filesize
80KB

Download
memory/3344-140-0x0000000007E50000-0x0000000007E6A000-memory.dmp

Filesize
104KB

Download
memory/3344-137-0x0000000007D10000-0x0000000007D21000-memory.dmp

Filesize
68KB

Download
memory/3344-141-0x0000000007E30000-0x0000000007E38000-memory.dmp

Filesize
32KB

Download
memory/3344-135-0x0000000007D90000-0x0000000007E26000-memory.dmp

Filesize
600KB

Download
memory/3344-114-0x00000000740D0000-0x000000007411C000-memory.dmp

Filesize
304KB

Download
memory/4004-190-0x00007FFA1CA90000-0x00007FFA1CC85000-memory.dmp

Filesize
2.0MB

Download
memory/4004-191-0x00007FFA1C390000-0x00007FFA1C44E000-memory.dmp

Filesize
760KB

Download
memory/4060-1244-0x00000174F74E0000-0x00000174F7595000-memory.dmp

Filesize
724KB

Download
memory/4400-150-0x000001A521CF0000-0x000001A521D12000-memory.dmp

Filesize
136KB

Download