xworm | 13d986aa31c6fc9a511ac47758ef1d0af04337ba6f9a040db11044df63c4d275

Analysis

max time kernel
444s
max time network
438s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2025, 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BootstrapperNew.exe
Size

3.0MB
MD5

3b348b19ea1e626dfe9cecbc3ef467d9
SHA1

526f475b3beafc6b9d198b66b41a1d6c3376cf93
SHA256

13d986aa31c6fc9a511ac47758ef1d0af04337ba6f9a040db11044df63c4d275
SHA512

ac308b05fa50a0738c18b9158c104348a4bb7fed16bf19d77b8fc6d15da29ff436c6943b6f8f3b53403febb64ecb18d0930b549d90631e04ec514b3ffd7e0ee0
SSDEEP

49152:8BgUnSOVPhshhMmky484rg+oDGLa0eu4IKwqZhczodAk7B:b6SOAhheDDry6a0euNnqvdA

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:36623

fax-scenarios.gl.at.ply.gg:36623

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000c000000023c06-6.dat	family_xworm
behavioral1/memory/4308-14-0x00000000008C0000-0x00000000008DA000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe

Executes dropped EXE 64 IoCs

pid	Process
4308	Solara.exe
4412	Solara.exe
4812	Solara.exe
3864	Solara.exe
4060	Solara.exe
4968	Solara.exe
4796	Solara.exe
3588	Solara.exe
3808	Solara.exe
4892	Solara.exe
972	Solara.exe
3944	Solara.exe
3272	Solara.exe
784	Solara.exe
5040	Solara.exe
400	Solara.exe
2648	Solara.exe
1864	Solara.exe
3376	Solara.exe
876	Solara.exe
3160	Solara.exe
4876	Solara.exe
4452	Solara.exe
1012	Solara.exe
3784	Solara.exe
4628	Solara.exe
3832	Solara.exe
1108	Solara.exe
1832	Solara.exe
4984	Solara.exe
928	Solara.exe
2156	Solara.exe
1244	Solara.exe
4396	Solara.exe
4092	Solara.exe
2488	Solara.exe
1520	Solara.exe
4700	Solara.exe
4588	Solara.exe
1324	Solara.exe
4560	Solara.exe
1320	Solara.exe
1688	Solara.exe
3608	Solara.exe
4448	Solara.exe
1900	Solara.exe
4660	Solara.exe
2352	Solara.exe
3068	Solara.exe
4840	Solara.exe
556	Solara.exe
4252	Solara.exe
116	Solara.exe
1984	Solara.exe
1172	Solara.exe
4544	Solara.exe
2632	Solara.exe
5080	Solara.exe
3284	Solara.exe
5016	Solara.exe
3152	Solara.exe
3908	Solara.exe
4968	Solara.exe
4400	Solara.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4308	Solara.exe
Token: SeDebugPrivilege	4412	Solara.exe
Token: SeDebugPrivilege	4812	Solara.exe
Token: SeDebugPrivilege	3864	Solara.exe
Token: SeDebugPrivilege	4060	Solara.exe
Token: SeDebugPrivilege	4968	Solara.exe
Token: SeDebugPrivilege	4796	Solara.exe
Token: SeDebugPrivilege	3588	Solara.exe
Token: SeDebugPrivilege	3808	Solara.exe
Token: SeDebugPrivilege	4892	Solara.exe
Token: SeDebugPrivilege	972	Solara.exe
Token: SeDebugPrivilege	3944	Solara.exe
Token: SeDebugPrivilege	3272	Solara.exe
Token: SeDebugPrivilege	784	Solara.exe
Token: SeDebugPrivilege	5040	Solara.exe
Token: SeDebugPrivilege	400	Solara.exe
Token: SeDebugPrivilege	2648	Solara.exe
Token: SeDebugPrivilege	1864	Solara.exe
Token: SeDebugPrivilege	3376	Solara.exe
Token: SeDebugPrivilege	876	Solara.exe
Token: SeDebugPrivilege	3160	Solara.exe
Token: SeDebugPrivilege	4876	Solara.exe
Token: SeDebugPrivilege	4452	Solara.exe
Token: SeDebugPrivilege	1012	Solara.exe
Token: SeDebugPrivilege	3784	Solara.exe
Token: SeDebugPrivilege	4628	Solara.exe
Token: SeDebugPrivilege	3832	Solara.exe
Token: SeDebugPrivilege	1108	Solara.exe
Token: SeDebugPrivilege	1832	Solara.exe
Token: SeDebugPrivilege	4984	Solara.exe
Token: SeDebugPrivilege	928	Solara.exe
Token: SeDebugPrivilege	2156	Solara.exe
Token: SeDebugPrivilege	1244	Solara.exe
Token: SeDebugPrivilege	4396	Solara.exe
Token: SeDebugPrivilege	4092	Solara.exe
Token: SeDebugPrivilege	2488	Solara.exe
Token: SeDebugPrivilege	1520	Solara.exe
Token: SeDebugPrivilege	4700	Solara.exe
Token: SeDebugPrivilege	4588	Solara.exe
Token: SeDebugPrivilege	1324	Solara.exe
Token: SeDebugPrivilege	4560	Solara.exe
Token: SeDebugPrivilege	1320	Solara.exe
Token: SeDebugPrivilege	1688	Solara.exe
Token: SeDebugPrivilege	3608	Solara.exe
Token: SeDebugPrivilege	4448	Solara.exe
Token: SeDebugPrivilege	1900	Solara.exe
Token: SeDebugPrivilege	4660	Solara.exe
Token: SeDebugPrivilege	2352	Solara.exe
Token: SeDebugPrivilege	3068	Solara.exe
Token: SeDebugPrivilege	4840	Solara.exe
Token: SeDebugPrivilege	556	Solara.exe
Token: SeDebugPrivilege	4252	Solara.exe
Token: SeDebugPrivilege	116	Solara.exe
Token: SeDebugPrivilege	1984	Solara.exe
Token: SeDebugPrivilege	1172	Solara.exe
Token: SeDebugPrivilege	4544	Solara.exe
Token: SeDebugPrivilege	2632	Solara.exe
Token: SeDebugPrivilege	5080	Solara.exe
Token: SeDebugPrivilege	3284	Solara.exe
Token: SeDebugPrivilege	5016	Solara.exe
Token: SeDebugPrivilege	3152	Solara.exe
Token: SeDebugPrivilege	3908	Solara.exe
Token: SeDebugPrivilege	4968	Solara.exe
Token: SeDebugPrivilege	4400	Solara.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3272 wrote to memory of 1452	3272	BootstrapperNew.exe	85
PID 3272 wrote to memory of 1452	3272	BootstrapperNew.exe	85
PID 3272 wrote to memory of 4308	3272	BootstrapperNew.exe	86
PID 3272 wrote to memory of 4308	3272	BootstrapperNew.exe	86
PID 1452 wrote to memory of 428	1452	BootstrapperNew.exe	87
PID 1452 wrote to memory of 428	1452	BootstrapperNew.exe	87
PID 1452 wrote to memory of 4412	1452	BootstrapperNew.exe	88
PID 1452 wrote to memory of 4412	1452	BootstrapperNew.exe	88
PID 428 wrote to memory of 4360	428	BootstrapperNew.exe	92
PID 428 wrote to memory of 4360	428	BootstrapperNew.exe	92
PID 428 wrote to memory of 4812	428	BootstrapperNew.exe	93
PID 428 wrote to memory of 4812	428	BootstrapperNew.exe	93
PID 4360 wrote to memory of 2340	4360	BootstrapperNew.exe	94
PID 4360 wrote to memory of 2340	4360	BootstrapperNew.exe	94
PID 4360 wrote to memory of 3864	4360	BootstrapperNew.exe	95
PID 4360 wrote to memory of 3864	4360	BootstrapperNew.exe	95
PID 2340 wrote to memory of 2772	2340	BootstrapperNew.exe	96
PID 2340 wrote to memory of 2772	2340	BootstrapperNew.exe	96
PID 2340 wrote to memory of 4060	2340	BootstrapperNew.exe	97
PID 2340 wrote to memory of 4060	2340	BootstrapperNew.exe	97
PID 2772 wrote to memory of 4332	2772	BootstrapperNew.exe	98
PID 2772 wrote to memory of 4332	2772	BootstrapperNew.exe	98
PID 2772 wrote to memory of 4968	2772	BootstrapperNew.exe	99
PID 2772 wrote to memory of 4968	2772	BootstrapperNew.exe	99
PID 4332 wrote to memory of 3632	4332	BootstrapperNew.exe	100
PID 4332 wrote to memory of 3632	4332	BootstrapperNew.exe	100
PID 4332 wrote to memory of 4796	4332	BootstrapperNew.exe	101
PID 4332 wrote to memory of 4796	4332	BootstrapperNew.exe	101
PID 3632 wrote to memory of 4856	3632	BootstrapperNew.exe	149
PID 3632 wrote to memory of 4856	3632	BootstrapperNew.exe	149
PID 3632 wrote to memory of 3588	3632	BootstrapperNew.exe	103
PID 3632 wrote to memory of 3588	3632	BootstrapperNew.exe	103
PID 4856 wrote to memory of 4696	4856	BootstrapperNew.exe	104
PID 4856 wrote to memory of 4696	4856	BootstrapperNew.exe	104
PID 4856 wrote to memory of 3808	4856	BootstrapperNew.exe	105
PID 4856 wrote to memory of 3808	4856	BootstrapperNew.exe	105
PID 4696 wrote to memory of 3628	4696	BootstrapperNew.exe	106
PID 4696 wrote to memory of 3628	4696	BootstrapperNew.exe	106
PID 4696 wrote to memory of 4892	4696	BootstrapperNew.exe	107
PID 4696 wrote to memory of 4892	4696	BootstrapperNew.exe	107
PID 3628 wrote to memory of 1688	3628	BootstrapperNew.exe	191
PID 3628 wrote to memory of 1688	3628	BootstrapperNew.exe	191
PID 3628 wrote to memory of 972	3628	BootstrapperNew.exe	109
PID 3628 wrote to memory of 972	3628	BootstrapperNew.exe	109
PID 1688 wrote to memory of 4404	1688	BootstrapperNew.exe	111
PID 1688 wrote to memory of 4404	1688	BootstrapperNew.exe	111
PID 1688 wrote to memory of 3944	1688	BootstrapperNew.exe	112
PID 1688 wrote to memory of 3944	1688	BootstrapperNew.exe	112
PID 4404 wrote to memory of 3284	4404	BootstrapperNew.exe	230
PID 4404 wrote to memory of 3284	4404	BootstrapperNew.exe	230
PID 4404 wrote to memory of 3272	4404	BootstrapperNew.exe	115
PID 4404 wrote to memory of 3272	4404	BootstrapperNew.exe	115
PID 3284 wrote to memory of 3952	3284	BootstrapperNew.exe	116
PID 3284 wrote to memory of 3952	3284	BootstrapperNew.exe	116
PID 3284 wrote to memory of 784	3284	BootstrapperNew.exe	117
PID 3284 wrote to memory of 784	3284	BootstrapperNew.exe	117
PID 3952 wrote to memory of 2804	3952	BootstrapperNew.exe	118
PID 3952 wrote to memory of 2804	3952	BootstrapperNew.exe	118
PID 3952 wrote to memory of 5040	3952	BootstrapperNew.exe	196
PID 3952 wrote to memory of 5040	3952	BootstrapperNew.exe	196
PID 2804 wrote to memory of 3380	2804	BootstrapperNew.exe	122
PID 2804 wrote to memory of 3380	2804	BootstrapperNew.exe	122
PID 2804 wrote to memory of 400	2804	BootstrapperNew.exe	123
PID 2804 wrote to memory of 400	2804	BootstrapperNew.exe	123

C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3272
- C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
  "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
    "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:428
  - - C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
      "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:4360
    - - C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2340
      - C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        6⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        7⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        8⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        9⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        10⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        11⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        13⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        14⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        15⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        17⤵
        Checks computer location settings
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        18⤵
        Checks computer location settings
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        19⤵
        Checks computer location settings
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        20⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        21⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        22⤵
        Checks computer location settings
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        23⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        24⤵
        Checks computer location settings
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        25⤵
        Checks computer location settings
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        26⤵
        Checks computer location settings
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        27⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        28⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        29⤵
        Checks computer location settings
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        30⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        31⤵
        Checks computer location settings
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        32⤵
        Checks computer location settings
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        33⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        34⤵
        Checks computer location settings
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        35⤵
        Checks computer location settings
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        36⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        37⤵
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        38⤵
        Checks computer location settings
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        39⤵
        Checks computer location settings
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        40⤵
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        41⤵
        Checks computer location settings
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        42⤵
        Checks computer location settings
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        43⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        44⤵
        Checks computer location settings
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        45⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        46⤵
        Checks computer location settings
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        47⤵
        Checks computer location settings
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        48⤵
        Checks computer location settings
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        49⤵
        Checks computer location settings
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        50⤵
        Checks computer location settings
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        51⤵
        Checks computer location settings
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        52⤵
        Checks computer location settings
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        53⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        54⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        55⤵
        Checks computer location settings
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        56⤵
        Checks computer location settings
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        57⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        58⤵
        Checks computer location settings
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        59⤵
        Checks computer location settings
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        60⤵
        Checks computer location settings
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        61⤵
        Checks computer location settings
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        62⤵
        Checks computer location settings
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        63⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        64⤵
        Checks computer location settings
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        65⤵
        Checks computer location settings
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        66⤵
        Checks computer location settings
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        67⤵
        Checks computer location settings
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        68⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        69⤵
        Checks computer location settings
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        70⤵
        Checks computer location settings
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        71⤵
        Checks computer location settings
        
        PID:412
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        72⤵
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        73⤵
        Checks computer location settings
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        74⤵
        Checks computer location settings
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        75⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        76⤵
        
        PID:64
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        77⤵
        Checks computer location settings
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        78⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        79⤵
        Checks computer location settings
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        80⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        81⤵
        Checks computer location settings
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        82⤵
        Checks computer location settings
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        83⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        84⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        85⤵
        Checks computer location settings
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        86⤵
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        87⤵
        Checks computer location settings
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        88⤵
        Checks computer location settings
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        89⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        90⤵
        Checks computer location settings
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        91⤵
        Checks computer location settings
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        92⤵
        Checks computer location settings
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        93⤵
        Checks computer location settings
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        94⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        95⤵
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        95⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        94⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        93⤵
        
        PID:1700
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1700 -s 892
        94⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        92⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        91⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        90⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        89⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        88⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        87⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        86⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        85⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        84⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        83⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        82⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        81⤵
        
        PID:2692
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2692 -s 1592
        82⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        80⤵
        
        PID:700
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        79⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        78⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        77⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        76⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        75⤵
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        74⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        73⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        72⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        71⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        70⤵
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        69⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        68⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        67⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        66⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        65⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        64⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        63⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        62⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        61⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        60⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        59⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        58⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        56⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        54⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        53⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        52⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        50⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        48⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4660
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4660 -s 1608
        49⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        46⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        44⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1688 -s 1540
        45⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        42⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        40⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        38⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        36⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1012
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1012 -s 1672
        26⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4968
      - C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4060
    - - C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3864
  - - C:\Users\Admin\AppData\Local\Temp\Solara.exe
      "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4812
- - C:\Users\Admin\AppData\Local\Temp\Solara.exe
    "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4412
- C:\Users\Admin\AppData\Local\Temp\Solara.exe
  "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:4856

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 484 -p 1012 -ip 1012
1⤵
PID:5040

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 1244 -ip 1244
1⤵
PID:4884

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 4700 -ip 4700
1⤵
PID:4092

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 4560 -ip 4560
1⤵
PID:4396

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 580 -p 3020 -ip 3020
1⤵
PID:2488

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:3876

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:928

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv LxcEzTG6v0C/KqVzTi7QDA.0.2
1⤵
PID:4360

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2692

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:3220

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3020

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:4692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BootstrapperNew.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.exe

Filesize
80KB

MD5
119281d4682ff27548624a0a52c3deea

SHA1
99f0f4f8f602a900b4a568e703803b82b1829705

SHA256
fbe9ac9f7809ef4310d148d7b734a48290489de566001cdcb178be16cce8ac20

SHA512
77ab87c953729b8e5a026b0b614e874527c42b38a2c990bd0302b984565f6dccd0a09cb941141b0bf8ec3621583ce235decf1c03296d7cdda1aca7b58c742b7a

Download Submit
memory/1452-15-0x00007FFD89230000-0x00007FFD89CF1000-memory.dmp

Filesize
10.8MB

Download
memory/1452-19-0x00007FFD89230000-0x00007FFD89CF1000-memory.dmp

Filesize
10.8MB

Download
memory/3272-0-0x00007FFD89233000-0x00007FFD89235000-memory.dmp

Filesize
8KB

Download
memory/3272-1-0x0000000000230000-0x000000000052C000-memory.dmp

Filesize
3.0MB

Download
memory/4308-14-0x00000000008C0000-0x00000000008DA000-memory.dmp

Filesize
104KB

Download
memory/4308-16-0x00007FFD89230000-0x00007FFD89CF1000-memory.dmp

Filesize
10.8MB

Download
memory/4308-30-0x00007FFD89230000-0x00007FFD89CF1000-memory.dmp

Filesize
10.8MB

Download
memory/4308-40-0x000000001BB90000-0x000000001BC92000-memory.dmp

Filesize
1.0MB

Download
memory/4308-41-0x00007FFD89230000-0x00007FFD89CF1000-memory.dmp

Filesize
10.8MB

Download