bitrat | hxxps://github[.]com/xXprogtXx1/discord-token-generator-v2[.]0

Analysis

max time kernel
96s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
04-02-2024 23:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/xXprogtXx1/discord-token-generator-v2.0

Score

10^/10

bitrat persistence trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

0.tcp.in.ngrok.io:12265

Attributes

communication_password
3636638817772e42b59d74cff571fbb3
install_dir
Install path
install_file
uwuw
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Downloads MZ/PE file

Executes dropped EXE 16 IoCs

Processes:

token gen.exetoken gen.exetoken gen.exetoken gen.exetoken gen.exetoken gen.exetoken gen.exetoken gen.exetoken gen.exetoken gen.exetoken gen.exetoken gen.exetoken gen.exetoken gen.exetoken gen.exetoken gen.exe

pid	process
4092	token gen.exe
316	token gen.exe
3772	token gen.exe
1172	token gen.exe
4628	token gen.exe
4564	token gen.exe
2640	token gen.exe
2976	token gen.exe
1572	token gen.exe
4676	token gen.exe
2124	token gen.exe
2296	token gen.exe
2420	token gen.exe
5044	token gen.exe
4296	token gen.exe
436	token gen.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

token gen.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwuw = "C:\\Users\\Admin\\AppData\\Local\\Install path\\uwuw\u3000"	token gen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uwuw = "C:\\Users\\Admin\\AppData\\Local\\Install path\\uwuw"	token gen.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

58 0.tcp.in.ngrok.io
86 0.tcp.in.ngrok.io
51 raw.githubusercontent.com
52 raw.githubusercontent.com

flow	ioc
58	0.tcp.in.ngrok.io
86	0.tcp.in.ngrok.io
51	raw.githubusercontent.com
52	raw.githubusercontent.com

Suspicious use of NtSetInformationThreadHideFromDebugger 18 IoCs

Processes:

token gen.exetoken gen.exetoken gen.exetoken gen.exetoken gen.exetoken gen.exetoken gen.exetoken gen.exetoken gen.exetoken gen.exetoken gen.exetoken gen.exetoken gen.exetoken gen.exetoken gen.exe

pid	process
4092	token gen.exe
4092	token gen.exe
4092	token gen.exe
4092	token gen.exe
316	token gen.exe
3772	token gen.exe
1172	token gen.exe
4628	token gen.exe
4564	token gen.exe
2640	token gen.exe
2976	token gen.exe
1572	token gen.exe
4676	token gen.exe
2124	token gen.exe
2296	token gen.exe
2420	token gen.exe
5044	token gen.exe
4296	token gen.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

NTFS ADS 2 IoCs

Processes:

msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 58946.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 732132.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
4336	msedge.exe
4336	msedge.exe
4520	msedge.exe
4520	msedge.exe
1952	identity_helper.exe
1952	identity_helper.exe
868	msedge.exe
868	msedge.exe
3188	msedge.exe
3188	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

4520 msedge.exe
4520 msedge.exe
4520 msedge.exe
4520 msedge.exe
4520 msedge.exe
4520 msedge.exe
4520 msedge.exe
4520 msedge.exe
4520 msedge.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

token gen.exetoken gen.exetoken gen.exetoken gen.exetoken gen.exetoken gen.exetoken gen.exetoken gen.exetoken gen.exetoken gen.exetoken gen.exetoken gen.exetoken gen.exetoken gen.exetoken gen.exe

description	pid	process
Token: SeShutdownPrivilege	4092	token gen.exe
Token: SeShutdownPrivilege	316	token gen.exe
Token: SeShutdownPrivilege	3772	token gen.exe
Token: SeShutdownPrivilege	1172	token gen.exe
Token: SeShutdownPrivilege	4628	token gen.exe
Token: SeShutdownPrivilege	4564	token gen.exe
Token: SeShutdownPrivilege	2640	token gen.exe
Token: SeShutdownPrivilege	2976	token gen.exe
Token: SeShutdownPrivilege	1572	token gen.exe
Token: SeShutdownPrivilege	4676	token gen.exe
Token: SeShutdownPrivilege	2124	token gen.exe
Token: SeShutdownPrivilege	2296	token gen.exe
Token: SeShutdownPrivilege	2420	token gen.exe
Token: SeShutdownPrivilege	5044	token gen.exe
Token: SeShutdownPrivilege	4296	token gen.exe

Suspicious use of FindShellTrayWindow 46 IoCs

Processes:

msedge.exe

pid	process
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

token gen.exe

pid process

4092 token gen.exe
4092 token gen.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4520 wrote to memory of 1624	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 1624	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 2168	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 2168	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 2168	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 2168	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 2168	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 2168	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 2168	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 2168	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 2168	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 2168	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 2168	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 2168	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 2168	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 2168	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 2168	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 2168	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 2168	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 2168	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 2168	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 2168	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 2168	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 2168	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 2168	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 2168	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 2168	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 2168	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 2168	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 2168	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 2168	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 2168	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 2168	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 2168	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 2168	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 2168	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 2168	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 2168	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 2168	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 2168	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 2168	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 2168	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 4336	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 4336	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 4388	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 4388	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 4388	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 4388	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 4388	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 4388	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 4388	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 4388	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 4388	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 4388	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 4388	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 4388	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 4388	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 4388	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 4388	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 4388	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 4388	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 4388	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 4388	4520	msedge.exe	msedge.exe
PID 4520 wrote to memory of 4388	4520	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/xXprogtXx1/discord-token-generator-v2.0
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb1cd046f8,0x7ffb1cd04708,0x7ffb1cd04718
2⤵
PID:1624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,2305798982158178587,15939046875952592674,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,2305798982158178587,15939046875952592674,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
2⤵
PID:4388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,2305798982158178587,15939046875952592674,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
2⤵
PID:2168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,2305798982158178587,15939046875952592674,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
2⤵
PID:1244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,2305798982158178587,15939046875952592674,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
2⤵
PID:2640

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,2305798982158178587,15939046875952592674,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8
2⤵
PID:2076

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,2305798982158178587,15939046875952592674,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,2305798982158178587,15939046875952592674,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
2⤵
PID:1284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,2305798982158178587,15939046875952592674,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
2⤵
PID:4872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,2305798982158178587,15939046875952592674,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
2⤵
PID:2276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,2305798982158178587,15939046875952592674,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
2⤵
PID:3488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,2305798982158178587,15939046875952592674,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
2⤵
PID:4796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,2305798982158178587,15939046875952592674,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5612 /prefetch:8
2⤵
PID:3336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2056,2305798982158178587,15939046875952592674,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6296 /prefetch:8
2⤵
PID:4916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,2305798982158178587,15939046875952592674,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
2⤵
PID:2320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,2305798982158178587,15939046875952592674,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6064 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:868

C:\Users\Admin\Downloads\token gen.exe
"C:\Users\Admin\Downloads\token gen.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,2305798982158178587,15939046875952592674,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
2⤵
PID:4656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,2305798982158178587,15939046875952592674,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6628 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3188

C:\Users\Admin\Downloads\token gen.exe
"C:\Users\Admin\Downloads\token gen.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:316

C:\Users\Admin\Downloads\token gen.exe
"C:\Users\Admin\Downloads\token gen.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:3772

C:\Users\Admin\Downloads\token gen.exe
"C:\Users\Admin\Downloads\token gen.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Users\Admin\Downloads\token gen.exe
"C:\Users\Admin\Downloads\token gen.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4628

C:\Users\Admin\Downloads\token gen.exe
"C:\Users\Admin\Downloads\token gen.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4564

C:\Users\Admin\Downloads\token gen.exe
"C:\Users\Admin\Downloads\token gen.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2640

C:\Users\Admin\Downloads\token gen.exe
"C:\Users\Admin\Downloads\token gen.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Users\Admin\Downloads\token gen.exe
"C:\Users\Admin\Downloads\token gen.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Users\Admin\Downloads\token gen.exe
"C:\Users\Admin\Downloads\token gen.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4676

C:\Users\Admin\Downloads\token gen.exe
"C:\Users\Admin\Downloads\token gen.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Users\Admin\Downloads\token gen.exe
"C:\Users\Admin\Downloads\token gen.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2296

C:\Users\Admin\Downloads\token gen.exe
"C:\Users\Admin\Downloads\token gen.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Users\Admin\Downloads\token gen.exe
"C:\Users\Admin\Downloads\token gen.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:5044

C:\Users\Admin\Downloads\token gen.exe
"C:\Users\Admin\Downloads\token gen.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Users\Admin\Downloads\token gen.exe
"C:\Users\Admin\Downloads\token gen.exe"
2⤵
- Executes dropped EXE
PID:436

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1460

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4968

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1386433ecc349475d39fb1e4f9e149a0

SHA1
f04f71ac77cb30f1d04fd16d42852322a8b2680f

SHA256
a7c79320a37d3516823f533e0ca73ed54fc4cdade9999b9827d06ea9f8916bbc

SHA512
fcd5449c58ead25955d01739929c42ffc89b9007bc2c8779c05271f2d053be66e05414c410738c35572ef31811aff908e7fe3dd7a9cef33c27acb308a420280e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
65d7a432e535871604ae885089a03b9e

SHA1
a0ea01ed463b68ac2b95edeb2e1c1739984d7d90

SHA256
3d669b9df02d8a25ec2fe83ada1519a22c945c0e0510a0352e32c221b137ebc1

SHA512
1cea308ad5d28cbdf36c1baef241a880d56641776e1e4e261b5e4e29a2471ab2058ad6ed8130f2c3ab4fc743793330c491bc3b0d012748e8128d129a36ce9a05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
579B

MD5
c6dba56b9c097935596daed379ede4ae

SHA1
f8603b0cfcabf7ac5e9de6497d38e5ea417d3a4f

SHA256
7d2e72a397c882f5e00eee536904c318247246dda54fa3b46962020e3560bba6

SHA512
8091f48e4b161d1976d6ef19acb85d9cfd360c484dc84cb1f8ad150ddb740bfea76dd58c7763a05f7d4900e27007709bba20c1e2c61f6eed4a9e444580ca0e82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
6ce24b5f5a445e120fa2ce489c5fd32c

SHA1
6bf69132db706e9434f0da65eafbe048ec2ff53a

SHA256
a3a3d16fb0871e7f60d9432b6b82e5f9a31ee16cf3a4bdf0169203a1bb2a35f5

SHA512
1448d498aea489325d505583f1d58b38bef37566e918dc1f1860a3abb8552f478818cc036457d552ca042707b00f34403d4af48916d16395463c185079460bcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
867879dc659c85bba27703b70bcdb7fd

SHA1
2352cd234e59b72d743d1d4ac7ccea3fde2799de

SHA256
625550a02b31c17d301bce1caae728c4d1061369168a93ff8f88943d457c07a2

SHA512
989576a2e635a963f4f88b080061efd01a4fb6b2cfe3d16c21c303b1f5865b88754019b4a11ddce00d17edabe9c78d33fcfc1da099309cfcfdf084a779e9a098

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
9fe6e72bb77d79893909fb10cecb5b12

SHA1
2229e4e69452ddf93ef7cc7adcca7a700147741b

SHA256
2bcddbfb679a65c369b7980fd63dda746ba2ec1a40eb0c4c841e9d7ea0db8053

SHA512
c1a6fe6e74193138fea834752b8c8a87c6eeaaae48b53c1d941e5e5d04339910f20f28eb37a64a70fcc814f17e40dcbc431e5309326574e40e5b7f67c38bcaf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
c41d29f79ff40369a31f086a60789c63

SHA1
17ee775a2d2fcd4c5ee2c06c0b17b6eba047b483

SHA256
94ed67b5b85e992d8db6f409eabf0a034210e611b989dc55203b6c9c1f33dcbd

SHA512
7066a27667684f519f1b08606ecf908b63afdc6733b81228af2ab2894365be9722fc735a515b80021cb42125143c07cf4be5f3321b1eabf2c00137df3adf01e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
e664066e3aa135f185ed1c194b9fa1f8

SHA1
358ff3c6ad0580b8ae1e5ef2a89a4e597c2efdc5

SHA256
86e595be48dbc768a52d7ea62116036c024093e1302aced8c29dd6a2d9935617

SHA512
58710818b5f664006a5aa418da6c8cd3f709c2265bc161f81b9dfe6cdb8304fabaa4ce9deba419fe4281623feeeaa0321f481ae5855d347c6d8cf95968ee905e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
bda68e578ee3c65e73fe90eff527a9bc

SHA1
712d356435d4ada765b67e5566264d38f77d7849

SHA256
b082f3da7f4c5b94cbc8010661362c5b9f6f3cefe271e2cfd14610d3978dfbcb

SHA512
1d71ce8b175a7ce9901438a580dc6dd543090858ccdfac98a5ca41cd0db9d277593f1bb7e11c963a2adc2699a620591cf613b887bd7b884c3198bcdf4a622823

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
d5810ded813cfee47bd2a41eb3dca6d5

SHA1
ea633870e2df1c0cc0a4d2e6d729745d3277a1d7

SHA256
460de7e64468b77a08084b5676c89b8a56aa9cac577a768b95abcc08951979a3

SHA512
4a162d14f414016cc27eb3dbb3bc6710bdec41ee38dc1cae514e94b42288254a0503068a4e21f847cae95ec8920695bb8a9b56b57c2869c05e07463ac9bf05f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57948f.TMP
Filesize
1KB

MD5
c44c6c4c0e843ecc18264cde0d31b290

SHA1
1fe00a39e456baa5f89d8352e0fd049fb59a1af9

SHA256
c7e269bc93a88dbdd5438dd9b249f8b8e40cfb239cc79a6352e4c023e6aeb5c1

SHA512
51a9460a0a178cd519f2a2a819fa92a1622fed6471aa3392ea703c7a712cf398ceff35f9d5a9cd18b1376e541a759082ddbb5aa2b4a93f62f89fa41e9281cd7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
67d065ad3a7067a56f6486fbda410f3f

SHA1
19e3102e881c4d0ecc9374da0ab0cb4c35190691

SHA256
6e69c681fa94fcba43785d6f428b93a5663efb69a700fdd42c70362dca09b9bb

SHA512
9847945d06c617048d6ee01df2e5f185244c40402bca8f2defc95cb9333ff8f7b0b6f837a2a9b21d6151e6deb36a76893e54dfa9951378b92465841981dda3fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
ed022d36d4049075a99aba082cb3d077

SHA1
6868054a031070523d74bb26d6b30023b5a553cf

SHA256
66967f45a932a72918f1b6b60860e5746e6967518082410acbbf1dde686d485a

SHA512
4e44a1836237f03d8ec8e512ce8ca5b65b17dd6089dc7e680f5f5155d9ab3ec8e1bcf4474c41a73d65f00b08a69e0e16e927640e33ce65a74d7745ceee1054aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
d1eb7bee7893f37ecaf8945736f23cfb

SHA1
0c6c5ba978e6770274b9ecfd67548d56523bf83e

SHA256
94ab4498e1a7d1cc875eb406cce0bbbf72e3025c798b08f298aaee582c115603

SHA512
3bcafdea18a31e9cdc54aae578fd493fabdac09ce9d36c5796465767c8dd01af25e628a202fed7f625efff9cbc709c12ad8883c09070ae8885e6840463d1fb1a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 58946.crdownload
Filesize
3.8MB

MD5
3f916edae0ee5e73aeb994483ef239a5

SHA1
726d90e7471d9269010598281e9bc219b08e823c

SHA256
ec049b543e24593625e91c0f434b369e85376151cb060bb4a7137c8586180d84

SHA512
4fc079a765a7c2f89887624d5ff9abb10d38fc3637ac14437c550aacc61c771180f0b17377efacdc84032b5cc6ee75fd913775bda7ce604699aef9270241b433

Download Submit
C:\Users\Admin\Downloads\token gen.exe
Filesize
2.2MB

MD5
28bf69603d84c875509442026cbe135d

SHA1
2d50ef5e3da3f94b951b3c9176a9565c71ea56ef

SHA256
a459e9cf61783a8c380299795b0c3175066c644ee638f416f3ffadd4027ac702

SHA512
bc5a79ebc1de48974015b447cb6e6759e68156c3aeb8e747f8c2a1ea9e438423b61f5556addf5ae9388875670be24017f6cbcdc46a887a67c0f8a0a080e0b0ea

Download Submit
C:\Users\Admin\Downloads\token gen.exe
Filesize
1.4MB

MD5
474604582b6c2435ed186c0e3869f64f

SHA1
fc0883a4d8bcae4625284aa52275679fd8211f1c

SHA256
e1382962b349680701e50c7351c3747aba3443aae44dd1732610e2299bec0547

SHA512
17d994684bb3a969946e487b67974c672a7661453d112a44f8bec9a8386a6a983bdb6e9bdb641668c185869aa435158bc06d265933565771b903f2e85e7b4c3d

Download Submit
C:\Users\Admin\Downloads\token gen.exe
Filesize
1.7MB

MD5
b222ce24fd3d773f15b9052a802f1ef1

SHA1
4069251f4367c3d62c5636101b9a601d33f05ad1

SHA256
588a270a076ec287183191b2eab2a6dda2819c501c9ca99904d9a7940a7a1f50

SHA512
1df5c907cc95948ef47578edf5e5b65ac01d072053f105336fc42af1aa18e34552af94aabb9fd445b3aa233241e1d5b2ac4e398e5cdc4ae6f52d15d7d0430561

Download Submit
C:\Users\Admin\Downloads\token gen.exe
Filesize
834KB

MD5
cb49b2864c52067d4a36b00d4cc09171

SHA1
119b49eedd8b1ab6ddf16c1de3cec37d53d3bc5d

SHA256
7662b78a722efc49d78df65eca9506ecf509c2a79fd0825d29d15ecdfabbced0

SHA512
f3ffaec4bbbc4eed5b05f9841937284e43cc4b2ea5ce9f366dcd4149ccfaeb41f7418620bfef261242c1e035334c1fe7a90d86b13d4fa0b5768923fe6321f2ed

Download Submit
C:\Users\Admin\Downloads\token gen.exe
Filesize
900KB

MD5
f454a74bbb10f53f0d0edf180560f8b4

SHA1
77cc422aa9fbb078f7e63d3d12f1dc85a7b43509

SHA256
c017188c897b417fa38780524ac03798a0cb314780e9894157c6e8c9e3b26df6

SHA512
d1c4925f2d3ee0ccf0d9ac62edb5a31106b964c7b94ffe6d4b9143f1be85fb1d4f45884b0a4364920cdb8568b04f870283633cee3ad5455d3b07aaff44994caf

Download Submit
C:\Users\Admin\Downloads\token gen.exe
Filesize
570KB

MD5
0b321799540aabff3239429c0fd531b7

SHA1
4d07e49ffc6103169857de74cee80f023c4df2a6

SHA256
644668e60093fc616f873919882d256485c26116d141e90f057693cad977db72

SHA512
7b50363cd1c77c1a68691b8a268f713e0c8783d31b5724894caefd8219693b0b6e4b0859fccbf046c47c2f1c2cdbcdf45f61af4e0bbc347ff420695c96b3aa52

Download Submit
C:\Users\Admin\Downloads\token gen.exe
Filesize
404KB

MD5
30358703391bfa249281d44743834d9a

SHA1
1e1d00b810b3e6c8b5d2787b461ac0e141df9d89

SHA256
a762dc3df24de53c09551695c18bd6caedd081d4bbcfc59ac3198b7219c14e2e

SHA512
5aa97753641ba43830bfe461bc6a78891b6b80ffb89819fd104a017e2b0c5cc315e9e2af82631ac6c54dbafc33aee6efc28bfa9f984912b7662894e9432bef7d

Download Submit
C:\Users\Admin\Downloads\token gen.exe
Filesize
244KB

MD5
d298d81d436c590af4fd162eb0fb7707

SHA1
981c202e1f8de45e89fa4a99117bfbd257e09157

SHA256
210dae7be876dd058e18b2dc2ce8e74f11fd40f36233aa07d2ea7cccec8d4129

SHA512
d31b173611f4b70d61e39702c25b1743f83467b2bb7453fe68fb1b07f6bbe663743b713d69ef1c15f04ea7eccc9d5d1ae14bd57beaa7685555225ed68bfaed62

Download Submit
C:\Users\Admin\Downloads\token gen.exe
Filesize
1.5MB

MD5
996c4cf979bf9144cf2f0b039b89b7eb

SHA1
3df2cacb57de6ea5041ff86c57d877023c8aee19

SHA256
6fe0656840b9ae8a872de304bad08d24e0e2a9edcf5c10e3fc97572a96af2e24

SHA512
1785970533b7c49271a562a70e9fa3ce2e1defc5d0ede2f220fe69c92c76058372d9f60c7079b70a41fa9846d24dd0de9878db1b52b933139fb7317b01608327

Download Submit
C:\Users\Admin\Downloads\token gen.exe
Filesize
207KB

MD5
43441c307eef5b9de5e5c73cc71e215e

SHA1
760c74dc5610edeeda3d00c3dae827bf83d14948

SHA256
3d38ef7845c790a26991df4e1b14fb4bd1ed52fe7a2a755a9ee925d226541510

SHA512
5449adf398af04566b60358bf118f11e9fc2073e169fa88a4fb747fd324f11646c437831ab7df7493a31a93dd1d64950900d182f090c973a2a5c42cac3a897aa

Download Submit
C:\Users\Admin\Downloads\token gen.exe
Filesize
1.6MB

MD5
a5e1430faf2c76d3857899a04d4812c5

SHA1
941a749691efb552f998d267fd929774eb3b9a92

SHA256
5d716fa055f9245b95cee5673b878f4aab8449a4f8c97a4bed53af151d93cae3

SHA512
e3380f3e1e4ad587ea7a64018f64bddf249bc24dc9b061ba1612dc8eec15b636210babf7b5679832ce64e90810ff4b0add71b6237c0fb2794f5a05f5a1083326

Download Submit
C:\Users\Admin\Downloads\token gen.exe
Filesize
3.1MB

MD5
dd84e2100ea243fca4c47859d7cf928f

SHA1
3a037cc80ce0113a7dda2cd766cc44c5f12f23e4

SHA256
9294b9a9776410ea67ba1b36e30d14a97cad899b46aab8b939d5cc77548ac02d

SHA512
4a0822ef901466f9eb42dc656693daffc1ddc97457b5a4e5b9cb927b776723909b1b75a7be8a1d240af67ed3af8ea54e550193d3718925a7f60ca0570ea631e1

Download Submit
C:\Users\Admin\Downloads\token gen.exe
Filesize
339KB

MD5
03eccbbd5e188f6b0ed4d4606e2a98b1

SHA1
fde72441275311791d5cf4f922a249ceab340a27

SHA256
9f26545f980620fb183151bca5ebf6de9b1642280d4ecdba8f94ea3d550f0e7d

SHA512
153b4e43fd6524008bddb074aa142cd5cc169813a604f14edfcabeb212a39cf8cc9c497937da37bea53e2389d46c787e778da4747a2ef2ae60f55d91ed085b52

Download Submit
\??\pipe\LOCAL\crashpad_4520_NDJHPPHRAAJKNAQX
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/316-382-0x00000000743F0000-0x0000000074429000-memory.dmp

Filesize
228KB

Download
memory/316-336-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/436-500-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1172-352-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1172-384-0x00000000743F0000-0x0000000074429000-memory.dmp

Filesize
228KB

Download
memory/1572-421-0x00000000743F0000-0x0000000074429000-memory.dmp

Filesize
228KB

Download
memory/1572-410-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2124-454-0x00000000743F0000-0x0000000074429000-memory.dmp

Filesize
228KB

Download
memory/2124-429-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2296-464-0x00000000743F0000-0x0000000074429000-memory.dmp

Filesize
228KB

Download
memory/2296-453-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2420-490-0x00000000743F0000-0x0000000074429000-memory.dmp

Filesize
228KB

Download
memory/2420-472-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2640-411-0x00000000743F0000-0x0000000074429000-memory.dmp

Filesize
228KB

Download
memory/2640-393-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2976-402-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2976-412-0x00000000743F0000-0x0000000074429000-memory.dmp

Filesize
228KB

Download
memory/3772-344-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3772-383-0x00000000743F0000-0x0000000074429000-memory.dmp

Filesize
228KB

Download
memory/4092-473-0x00000000743F0000-0x0000000074429000-memory.dmp

Filesize
228KB

Download
memory/4092-266-0x00000000743F0000-0x0000000074429000-memory.dmp

Filesize
228KB

Download
memory/4092-288-0x00000000743F0000-0x0000000074429000-memory.dmp

Filesize
228KB

Download
memory/4092-445-0x00000000743F0000-0x0000000074429000-memory.dmp

Filesize
228KB

Download
memory/4092-319-0x00000000743F0000-0x0000000074429000-memory.dmp

Filesize
228KB

Download
memory/4092-259-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4092-265-0x00000000744C0000-0x00000000744F9000-memory.dmp

Filesize
228KB

Download
memory/4296-492-0x00000000743F0000-0x0000000074429000-memory.dmp

Filesize
228KB

Download
memory/4296-489-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4564-394-0x00000000743F0000-0x0000000074429000-memory.dmp

Filesize
228KB

Download
memory/4564-372-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4628-385-0x00000000743F0000-0x0000000074429000-memory.dmp

Filesize
228KB

Download
memory/4628-360-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4676-430-0x00000000743F0000-0x0000000074429000-memory.dmp

Filesize
228KB

Download
memory/4676-420-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/5044-481-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/5044-491-0x00000000743F0000-0x0000000074429000-memory.dmp

Filesize
228KB

Download