darkcomet | hxxps://temp[.]sh/MfOiO/games_installer[.]exe

Analysis

max time kernel
149s
max time network
155s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
05-07-2024 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://temp.sh/MfOiO/games_installer.exe

Score

10^/10

darkcomet guest16_min rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16_min

income-saying.gl.at.ply.gg:51714

Mutex

DCMIN_MUTEX-NWUL1LY

Attributes

gencode
ZKlfG4mdFQsH
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 1 IoCs

Processes:

games_installer.exe

pid process

2364 games_installer.exe

pid	process
2364	games_installer.exe

Drops file in Windows directory 7 IoCs

Processes:

taskmgr.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	taskmgr.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

browser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exebrowser_broker.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 9be53db4e8ceda01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 60c55ac9e8ceda01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\PersistedStorageItemTable\System\{5B326956-E5BC-48E3-B1B5-9D7DC2A62B2	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\PersistedStorageItemTable\System	browser_broker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\PersistedStorageItemTable\System\{5B326956-E5BC-48E3-B1B5-9D7DC2A62B2 = a378c4bde8ceda01	browser_broker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 010000005c9518a3ae4e9d5eae2e4299a16aea54e4229d8522b632955bc858dbb12d625ca4294388d5b158bb30a5de72644063f1e4d7567cb1a636ed51ad	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\PersistedStorageItemTable	browser_broker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\PersistedStorageItemTable\System\{5B326956-E5BC-48E3-B1B5-9D7DC2A62B2 = "0"	browser_broker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Next Rating Prompt = 30ca27ed69f5da01	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$http://www.typepad.com/	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0b5441bde8ceda01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\NextUpdateDate = "426979552"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\PersistedStorageItemTable\System\{5B326956-E5BC-48E3-B1B5-9D7DC2A62B2 = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000004dce92bbe8ceda014dce92bbe8ceda0161c8c4bbe8ceda0100480a000000000001000000000000000000000000000000ef0114001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000078003100000000008458fb611100557365727300640009000400efbe724a0b5d8458fb612e000000320500000000010000000000000000003a000000000060b0ff0055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d00320031003800310033000000140050003100000000008458876b100041646d696e003c0009000400efbe8458fb618458876b2e0000008d510100000001000000000000000000000000000000aeef9500410064006d0069006e00000014008400310000000000e55891741100444f574e4c4f7e3100006c0009000400efbe8458fb61e55891742e000000955101000000010000000000000000004200000000009ffc110044006f0077006e006c006f00610064007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370039003800000018007400320000480a00e5589174200047414d45535f7e312e4558450000580009000400efbee5589174e55891742e000000ffab01000000080000000000000000000000000000009ffc1100670061006d00650073005f0069006e007300740061006c006c00650072002e0065007800650000001c000000620000001c000000010000001c0000003400000000000000610000001800000003000000159177c51000000057696e646f777300433a5c55736572735c41646d696e5c446f776e6c6f6164735c67616d65735f696e7374616c6c65722e657865000010000000050000a0ffffffff790100001c0000000b0000a090e24d373f126545916439c4925e467b7901000060000000030000a058000000000000006b7a6f7779736e690000000000000000149e36f4af5c7e4694f2ab08c7f23add64d2fa6586f2ee11a993d68c0a96ca30149e36f4af5c7e4694f2ab08c7f23add64d2fa6586f2ee11a993d68c0a96ca30ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003800370033003500360030003600390039002d0031003000370034003800300033003300300032002d0032003300320036003000370034003400320035002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000008626fc38000000000000d01200000000000000000000000000000000	browser_broker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 36d3dbcee8ceda01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\MrtCache	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$MediaWiki	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = 304258c9e8ceda01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = ed32e4b5e8ceda01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 94275dc9e8ceda01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root	MicrosoftEdge.exe

NTFS ADS 1 IoCs

Processes:

browser_broker.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\games_installer.exe.tf3a6n3.partial:Zone.Identifier browser_broker.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\games_installer.exe.tf3a6n3.partial:Zone.Identifier	browser_broker.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exe

pid	process
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

420 MicrosoftEdgeCP.exe
420 MicrosoftEdgeCP.exe
420 MicrosoftEdgeCP.exe

pid	process
420	MicrosoftEdgeCP.exe
420	MicrosoftEdgeCP.exe
420	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

MicrosoftEdgeCP.exegames_installer.exetaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	1252	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1252	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1252	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1252	MicrosoftEdgeCP.exe
Token: SeIncreaseQuotaPrivilege	2364	games_installer.exe
Token: SeSecurityPrivilege	2364	games_installer.exe
Token: SeTakeOwnershipPrivilege	2364	games_installer.exe
Token: SeLoadDriverPrivilege	2364	games_installer.exe
Token: SeSystemProfilePrivilege	2364	games_installer.exe
Token: SeSystemtimePrivilege	2364	games_installer.exe
Token: SeProfSingleProcessPrivilege	2364	games_installer.exe
Token: SeIncBasePriorityPrivilege	2364	games_installer.exe
Token: SeCreatePagefilePrivilege	2364	games_installer.exe
Token: SeBackupPrivilege	2364	games_installer.exe
Token: SeRestorePrivilege	2364	games_installer.exe
Token: SeShutdownPrivilege	2364	games_installer.exe
Token: SeDebugPrivilege	2364	games_installer.exe
Token: SeSystemEnvironmentPrivilege	2364	games_installer.exe
Token: SeChangeNotifyPrivilege	2364	games_installer.exe
Token: SeRemoteShutdownPrivilege	2364	games_installer.exe
Token: SeUndockPrivilege	2364	games_installer.exe
Token: SeManageVolumePrivilege	2364	games_installer.exe
Token: SeImpersonatePrivilege	2364	games_installer.exe
Token: SeCreateGlobalPrivilege	2364	games_installer.exe
Token: 33	2364	games_installer.exe
Token: 34	2364	games_installer.exe
Token: 35	2364	games_installer.exe
Token: 36	2364	games_installer.exe
Token: SeDebugPrivilege	4436	taskmgr.exe
Token: SeSystemProfilePrivilege	4436	taskmgr.exe
Token: SeCreateGlobalPrivilege	4436	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe
4436	taskmgr.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exegames_installer.exe

pid process

2924 MicrosoftEdge.exe
420 MicrosoftEdgeCP.exe
1252 MicrosoftEdgeCP.exe
420 MicrosoftEdgeCP.exe
2364 games_installer.exe

pid	process
2924	MicrosoftEdge.exe
420	MicrosoftEdgeCP.exe
1252	MicrosoftEdgeCP.exe
420	MicrosoftEdgeCP.exe
2364	games_installer.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

MicrosoftEdgeCP.exebrowser_broker.exe

description	pid	process	target process
PID 420 wrote to memory of 1220	420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 420 wrote to memory of 1220	420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 420 wrote to memory of 1220	420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 420 wrote to memory of 1220	420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 420 wrote to memory of 1220	420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 420 wrote to memory of 1220	420	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1364 wrote to memory of 2364	1364	browser_broker.exe	games_installer.exe
PID 1364 wrote to memory of 2364	1364	browser_broker.exe	games_installer.exe
PID 1364 wrote to memory of 2364	1364	browser_broker.exe	games_installer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\LaunchWinApp.exe
"C:\Windows\system32\LaunchWinApp.exe" "https://temp.sh/MfOiO/games_installer.exe"
1⤵
PID:2424

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2924

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:1364

C:\Users\Admin\Downloads\games_installer.exe
"C:\Users\Admin\Downloads\games_installer.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2364

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:420

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1252

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:1220

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4052

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4436

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize
4KB

MD5
1bfe591a4fe3d91b03cdf26eaacd8f89

SHA1
719c37c320f518ac168c86723724891950911cea

SHA256
9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8

SHA512
02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\L5P12AEX\edgecompatviewlist[1].xml
Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\W7KJ4SZ8\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\9ZJEAVZ9\games_installer[1].exe
Filesize
175KB

MD5
0626eec819111246e6dc483f8afccba6

SHA1
0e812f3f8e937ca1598e09aecde1258615944c89

SHA256
0bcfbb96fa6032d7907055ce79e6828b4839953c11ade9e8c8e0825f8e04c973

SHA512
e950528290e9533c6cd2cb5fd8009e1dccf08321003dd32a205dd3341357decbf70154f225812d512acd059a61e6de8910774dd1d6d1d45a8d7b082b321cf312

Download Submit
C:\Users\Admin\Downloads\games_installer.exe.tf3a6n3.partial
Filesize
658KB

MD5
12af453bbf1dfe573ac71879fb1b36c8

SHA1
2eb9f00d2dd7cf000edc2414be0f66611035c3fd

SHA256
8a1970ca792a8e2bfc4ae792d52dd267d2347aa5e5072db254d12cb781248aaa

SHA512
bd314eb59cbcead9b434d1f9670ff48f5a7652dc76c1c494fd6736ff673422d7525f9d6f57bc5269ad6d0bfbd2deaee2f447f14f477ba451026225b2079c3570

Download Submit
C:\Users\Admin\Downloads\games_installer.exe:Zone.Identifier
Filesize
159B

MD5
353cbd9ace9ea44ceaa25d6610717be2

SHA1
7f15b4ff0b9ee963a9fa01287aa5ee65f3471e40

SHA256
48966448d114795d6b1e29125f7c904aad0e1e0f4ab1c05abd71c9c062f9a367

SHA512
c42390a4feccc7c360ab1f9034b44c5d1852794f63072b5beab02be2a39d4d7f91fe9ccbabddfe8d5e128e91bd89a68901f942719dde65065deb582b511e0dee

Download Submit
memory/1220-73-0x00000259BB1F0000-0x00000259BB1F2000-memory.dmp

Filesize
8KB

Download
memory/1220-65-0x00000259BAFD0000-0x00000259BAFD2000-memory.dmp

Filesize
8KB

Download
memory/1220-62-0x00000259BAFA0000-0x00000259BAFA2000-memory.dmp

Filesize
8KB

Download
memory/1220-69-0x00000259BB110000-0x00000259BB112000-memory.dmp

Filesize
8KB

Download
memory/1220-71-0x00000259BB1D0000-0x00000259BB1D2000-memory.dmp

Filesize
8KB

Download
memory/1220-67-0x00000259BAFF0000-0x00000259BAFF2000-memory.dmp

Filesize
8KB

Download
memory/1220-60-0x00000259AAA80000-0x00000259AAB80000-memory.dmp

Filesize
1024KB

Download
memory/1252-45-0x000002129B780000-0x000002129B880000-memory.dmp

Filesize
1024KB

Download
memory/2364-162-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2364-107-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2364-164-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2364-123-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2364-130-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2924-16-0x000001C57C920000-0x000001C57C930000-memory.dmp

Filesize
64KB

Download
memory/2924-136-0x000001C505A20000-0x000001C505A21000-memory.dmp

Filesize
4KB

Download
memory/2924-0-0x000001C57C820000-0x000001C57C830000-memory.dmp

Filesize
64KB

Download
memory/2924-135-0x000001C505A10000-0x000001C505A11000-memory.dmp

Filesize
4KB

Download
memory/2924-35-0x000001C57BA10000-0x000001C57BA12000-memory.dmp

Filesize
8KB

Download