bb5d251130efb47c960fa6b622a603ed4c53e91494f8ebaceefcd65899b02d6a

Analysis

max time kernel
153s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 21:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

454de28853ea54861c14acf6b2520bab.exe
Size

387KB
MD5

454de28853ea54861c14acf6b2520bab
SHA1

2a6774af921e3e3a03fd22714059cbdc33ac6e53
SHA256

bb5d251130efb47c960fa6b622a603ed4c53e91494f8ebaceefcd65899b02d6a
SHA512

f147a4f9332d59a5472ac0a32d16cda5f8d00128b7b56bbdf25b67fc3cc4ac0189deb6fba56a255b50bcab9b0764ab3809867de2788bc1f0523da7f040087efc
SSDEEP

6144:L8dNXSEm8t107G59ZLNokDCW4KwNLl4fn6wRPFDdL6qnoz1+vv8UoGfaD2H:gmU107GVWWCNPLl3Muq++HFomaD2H

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	454de28853ea54861c14acf6b2520bab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	LuckyWheel.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	LuckyWheel.exe

Executes dropped EXE 2 IoCs

pid	Process
5060	LuckyWheel.exe
4932	WindowsServices.exe

Loads dropped DLL 7 IoCs

pid	Process
2264	454de28853ea54861c14acf6b2520bab.exe
2264	454de28853ea54861c14acf6b2520bab.exe
2264	454de28853ea54861c14acf6b2520bab.exe
2264	454de28853ea54861c14acf6b2520bab.exe
2264	454de28853ea54861c14acf6b2520bab.exe
2264	454de28853ea54861c14acf6b2520bab.exe
2264	454de28853ea54861c14acf6b2520bab.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	454de28853ea54861c14acf6b2520bab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LuckyWheel = "C:\\Program Files (x86)\\LuckyWheel\\LuckyWheel.exe"	454de28853ea54861c14acf6b2520bab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsServices = "C:\\Program Files (x86)\\LuckyWheel\\WindowsServices.exe"	454de28853ea54861c14acf6b2520bab.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	454de28853ea54861c14acf6b2520bab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LuckyWheel = "C:\\Program Files (x86)\\LuckyWheel\\LuckyWheel.exe"	454de28853ea54861c14acf6b2520bab.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	454de28853ea54861c14acf6b2520bab.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LuckyWheel\LuckyWheel.exe	454de28853ea54861c14acf6b2520bab.exe
File created	C:\Program Files (x86)\LuckyWheel\WindowsServices.exe	454de28853ea54861c14acf6b2520bab.exe
File created	C:\Program Files (x86)\LuckyWheel\kill.bat	454de28853ea54861c14acf6b2520bab.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\9cf81f40-48aa-4ecc-8ea1-5c3f01a4d079.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230506230014.pma	setup.exe
File created	C:\Program Files (x86)\LuckyWheel\ADSSTrayPopup.dll	454de28853ea54861c14acf6b2520bab.exe
File created	C:\Program Files (x86)\LuckyWheel\Newtonsoft.Json.dll	454de28853ea54861c14acf6b2520bab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2264	454de28853ea54861c14acf6b2520bab.exe
2264	454de28853ea54861c14acf6b2520bab.exe
2264	454de28853ea54861c14acf6b2520bab.exe
2264	454de28853ea54861c14acf6b2520bab.exe
3564	msedge.exe
3564	msedge.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
3628	msedge.exe
3628	msedge.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe
5060	LuckyWheel.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5060	LuckyWheel.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3628	msedge.exe
3628	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5060	LuckyWheel.exe
5060	LuckyWheel.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 5060	2264	454de28853ea54861c14acf6b2520bab.exe	86
PID 2264 wrote to memory of 5060	2264	454de28853ea54861c14acf6b2520bab.exe	86
PID 2264 wrote to memory of 4932	2264	454de28853ea54861c14acf6b2520bab.exe	88
PID 2264 wrote to memory of 4932	2264	454de28853ea54861c14acf6b2520bab.exe	88
PID 2264 wrote to memory of 3628	2264	454de28853ea54861c14acf6b2520bab.exe	89
PID 2264 wrote to memory of 3628	2264	454de28853ea54861c14acf6b2520bab.exe	89
PID 3628 wrote to memory of 4412	3628	msedge.exe	91
PID 3628 wrote to memory of 4412	3628	msedge.exe	91
PID 3628 wrote to memory of 2988	3628	msedge.exe	93
PID 3628 wrote to memory of 2988	3628	msedge.exe	93
PID 3628 wrote to memory of 2988	3628	msedge.exe	93
PID 3628 wrote to memory of 2988	3628	msedge.exe	93
PID 3628 wrote to memory of 2988	3628	msedge.exe	93
PID 3628 wrote to memory of 2988	3628	msedge.exe	93
PID 3628 wrote to memory of 2988	3628	msedge.exe	93
PID 3628 wrote to memory of 2988	3628	msedge.exe	93
PID 3628 wrote to memory of 2988	3628	msedge.exe	93
PID 3628 wrote to memory of 2988	3628	msedge.exe	93
PID 3628 wrote to memory of 2988	3628	msedge.exe	93
PID 3628 wrote to memory of 2988	3628	msedge.exe	93
PID 3628 wrote to memory of 2988	3628	msedge.exe	93
PID 3628 wrote to memory of 2988	3628	msedge.exe	93
PID 3628 wrote to memory of 2988	3628	msedge.exe	93
PID 3628 wrote to memory of 2988	3628	msedge.exe	93
PID 3628 wrote to memory of 2988	3628	msedge.exe	93
PID 3628 wrote to memory of 2988	3628	msedge.exe	93
PID 3628 wrote to memory of 2988	3628	msedge.exe	93
PID 3628 wrote to memory of 2988	3628	msedge.exe	93
PID 3628 wrote to memory of 2988	3628	msedge.exe	93
PID 3628 wrote to memory of 2988	3628	msedge.exe	93
PID 3628 wrote to memory of 2988	3628	msedge.exe	93
PID 3628 wrote to memory of 2988	3628	msedge.exe	93
PID 3628 wrote to memory of 2988	3628	msedge.exe	93
PID 3628 wrote to memory of 2988	3628	msedge.exe	93
PID 3628 wrote to memory of 2988	3628	msedge.exe	93
PID 3628 wrote to memory of 2988	3628	msedge.exe	93
PID 3628 wrote to memory of 2988	3628	msedge.exe	93
PID 3628 wrote to memory of 2988	3628	msedge.exe	93
PID 3628 wrote to memory of 2988	3628	msedge.exe	93
PID 3628 wrote to memory of 2988	3628	msedge.exe	93
PID 3628 wrote to memory of 2988	3628	msedge.exe	93
PID 3628 wrote to memory of 2988	3628	msedge.exe	93
PID 3628 wrote to memory of 2988	3628	msedge.exe	93
PID 3628 wrote to memory of 2988	3628	msedge.exe	93
PID 3628 wrote to memory of 2988	3628	msedge.exe	93
PID 3628 wrote to memory of 2988	3628	msedge.exe	93
PID 3628 wrote to memory of 2988	3628	msedge.exe	93
PID 3628 wrote to memory of 2988	3628	msedge.exe	93
PID 3628 wrote to memory of 3564	3628	msedge.exe	92
PID 3628 wrote to memory of 3564	3628	msedge.exe	92
PID 3628 wrote to memory of 2472	3628	msedge.exe	94
PID 3628 wrote to memory of 2472	3628	msedge.exe	94
PID 3628 wrote to memory of 2472	3628	msedge.exe	94
PID 3628 wrote to memory of 2472	3628	msedge.exe	94
PID 3628 wrote to memory of 2472	3628	msedge.exe	94
PID 3628 wrote to memory of 2472	3628	msedge.exe	94
PID 3628 wrote to memory of 2472	3628	msedge.exe	94
PID 3628 wrote to memory of 2472	3628	msedge.exe	94
PID 3628 wrote to memory of 2472	3628	msedge.exe	94
PID 3628 wrote to memory of 2472	3628	msedge.exe	94
PID 3628 wrote to memory of 2472	3628	msedge.exe	94
PID 3628 wrote to memory of 2472	3628	msedge.exe	94
PID 3628 wrote to memory of 2472	3628	msedge.exe	94
PID 3628 wrote to memory of 2472	3628	msedge.exe	94

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	454de28853ea54861c14acf6b2520bab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	454de28853ea54861c14acf6b2520bab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	LuckyWheel.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	LuckyWheel.exe

C:\Users\Admin\AppData\Local\Temp\454de28853ea54861c14acf6b2520bab.exe
"C:\Users\Admin\AppData\Local\Temp\454de28853ea54861c14acf6b2520bab.exe"
1⤵
- UAC bypass
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2264
- C:\Program Files (x86)\LuckyWheel\LuckyWheel.exe
  "C:\Program Files (x86)\LuckyWheel\LuckyWheel.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:5060
- C:\Program Files (x86)\LuckyWheel\WindowsServices.exe
  "C:\Program Files (x86)\LuckyWheel\WindowsServices.exe"
  2⤵
  - Executes dropped EXE
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://zwoops.com/TrMax/
  2⤵
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3628
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xd8,0xfc,0x100,0xd4,0x104,0x7ffc484c46f8,0x7ffc484c4708,0x7ffc484c4718
    3⤵
    PID:4412
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,12397974272946756976,7103939895350351940,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3564
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,12397974272946756976,7103939895350351940,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
    3⤵
    PID:2988
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,12397974272946756976,7103939895350351940,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2960 /prefetch:8
    3⤵
    PID:2472
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12397974272946756976,7103939895350351940,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3768 /prefetch:1
    3⤵
    PID:4484
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12397974272946756976,7103939895350351940,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3764 /prefetch:1
    3⤵
    PID:4480
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12397974272946756976,7103939895350351940,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
    3⤵
    PID:3920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12397974272946756976,7103939895350351940,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
    3⤵
    PID:3872
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12397974272946756976,7103939895350351940,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
    3⤵
    PID:4352
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12397974272946756976,7103939895350351940,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
    3⤵
    PID:1312
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,12397974272946756976,7103939895350351940,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6244 /prefetch:8
    3⤵
    PID:4480
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    - Drops file in Program Files directory
    PID:4028
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7dc855460,0x7ff7dc855470,0x7ff7dc855480
      4⤵
      PID:1420
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,12397974272946756976,7103939895350351940,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6244 /prefetch:8
    3⤵
    PID:676
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,12397974272946756976,7103939895350351940,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3488 /prefetch:2
    3⤵
    PID:5512

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\LuckyWheel\ADSSTrayPopup.dll

Filesize
55KB

MD5
8c92e0740a0d72ee81f113ef625c984e

SHA1
ecf277620678359023e2a6f6842a117b666e4321

SHA256
091a8c575b8a3f6e88b682c9f9aa1388ff8ff0d03c15eb97bdb043901e1f639e

SHA512
35f978185ceb341beb79d36e50152fcc1e97f39eecacb7afdebf72f1838009cfb514dba3894493ab3ca01afa3408fb8d9b8779c9e279596faf2db7148ea37ac1

Download Submit
C:\Program Files (x86)\LuckyWheel\LuckyWheel.exe

Filesize
71KB

MD5
6133f69f01608a83451e9b418348f1b0

SHA1
b2dc516d30d97a3221b8c726d5b619955305d3b5

SHA256
00a6465e2347daee6b6e00cf5d14740519a9520dfa0dafde076fdc2696414a14

SHA512
ab5d3f1af5ef71bdf5966d6bac13f0cfeea5b8e15d752daa742636db3e959a76e212f09ddca6baeda1d8954432693b3129892c43e177eb231d5042ee57d9d7fa

Download Submit
C:\Program Files (x86)\LuckyWheel\LuckyWheel.exe

Filesize
71KB

MD5
6133f69f01608a83451e9b418348f1b0

SHA1
b2dc516d30d97a3221b8c726d5b619955305d3b5

SHA256
00a6465e2347daee6b6e00cf5d14740519a9520dfa0dafde076fdc2696414a14

SHA512
ab5d3f1af5ef71bdf5966d6bac13f0cfeea5b8e15d752daa742636db3e959a76e212f09ddca6baeda1d8954432693b3129892c43e177eb231d5042ee57d9d7fa

Download Submit
C:\Program Files (x86)\LuckyWheel\Newtonsoft.Json.dll

Filesize
690KB

MD5
da5033255da26654935f7840def3c6a0

SHA1
f420e2935ec83c15fdf642c1d02e42fabe53a774

SHA256
7cbb3f382970b9b830529cb943f83ff35d817ba45f4d260b9330fe8f5095b277

SHA512
0dd5ea326d4073c5d340f8414f6fcd0a385d2a087e33a201433e36bfcb86f2321f8f805efaee8b7a3565dc5f2b8d7bed72c86db70fe545d792f70d5daca89d48

Download Submit
C:\Program Files (x86)\LuckyWheel\WindowsServices.exe

Filesize
15KB

MD5
332fe4462b3c1fe60239772e81008311

SHA1
a3f4ef8eeb31e0e5b9877754d2e7d594b0d92d48

SHA256
d3ac8d5db7a6fd808795222d0cebce7e9115344a761dca09d92bc36ff2d38b07

SHA512
967313357aa43f75593afecf4cdc45499e6f50fbbe6a54c9257239e8ce1e2faa2d8e403c1cdc62186f1dbcba67811d62097f42fe044792f41dcbe092784346b2

Download Submit
C:\Program Files (x86)\LuckyWheel\WindowsServices.exe

Filesize
15KB

MD5
332fe4462b3c1fe60239772e81008311

SHA1
a3f4ef8eeb31e0e5b9877754d2e7d594b0d92d48

SHA256
d3ac8d5db7a6fd808795222d0cebce7e9115344a761dca09d92bc36ff2d38b07

SHA512
967313357aa43f75593afecf4cdc45499e6f50fbbe6a54c9257239e8ce1e2faa2d8e403c1cdc62186f1dbcba67811d62097f42fe044792f41dcbe092784346b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
462f3c1360a4b5e319363930bc4806f6

SHA1
9ba5e43d833c284b89519423f6b6dab5a859a8d0

SHA256
fec64069c72a8d223ed89a816501b3950f5e4f5dd88f289a923c5f961d259f85

SHA512
5584ef75dfb8a1907c071a194fa78f56d10d1555948dffb8afcacaaa2645fd9d842a923437d0e94fad1d1919dcef5b25bf065863405c8d2a28216df27c87a417

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d2642245b1e4572ba7d7cd13a0675bb8

SHA1
96456510884685146d3fa2e19202fd2035d64833

SHA256
3763676934b31fe2e3078256adb25b01fdf899db6616b6b41dff3062b68e20a1

SHA512
99e35f5eefc1e654ecfcf0493ccc02475ca679d3527293f35c3adea66879e21575ab037bec77775915ec42ac53e30416c3928bc3c57910ce02f3addd880392e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
d8819c52d4945e116085b8bfef23217b

SHA1
ea987d732b0b65da33b1a699625ce094f227eb9e

SHA256
54b0beeac66cc50839e5e3f34beb772a3e1babf207829ba0bffbe704e6948b53

SHA512
71369a75aa7839feefb692abfb216b9110b646cdc118dcfa6b2332eb1a18ed3d02bc1d08e4ceb9aefec3ac573d77b6cf04cd131fd18bf2f9ae7e4caaed269a2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
960B

MD5
644a8dc13db1935d49d40b8697203ebc

SHA1
741311168de075da0815455c3efa11588e108653

SHA256
f64e3c33e4f30dec511c9c638cc737ca9cc9276dfa0c7bedf553f2fc6f2d7429

SHA512
2c9deb79d0b7eb1eb2c0c9ce47051445dc36327e4c877c9e1bf384459b0ebe62501993efca7a0ac2c4a16fa1360467fa06a71ff9ab5c378bdeab6d5210ede6c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
7ca1e2e65b4fc83fb05810bf1fb6abd1

SHA1
322952b6cb6df219227f2616a60a088e94227bf9

SHA256
61c9be5045a95e52bf216f8e57953eaf6c26b54a0fce17c46e0c061c0ceab979

SHA512
2749e6e496a983708d395090425d708ec2987dacfcf79301f0b94613f69f834327dd907903af44bf38c89f854a586ab17d620faac935375b183eb2caccfe775c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
a2d9ca8fda055899f9693775892283e4

SHA1
fe2648235a0632e2b05393da603321f5338fc144

SHA256
78f879a31bf57922c463687522af283172a6e3aeae9fdfb3f3dbe9fb33428287

SHA512
fccb58862a1b125f51c5a8d4efde80f6a073474a0ff7c0158f75ada983de502b1622afbdfbec09b369035894bd9677626113eb3ce9b4ec4c61aa9272087f018f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
43ea929d0bf84769e8e985468de4e7a4

SHA1
f5e27ee81f883b87a2a1efc861f6a915cb8fd336

SHA256
4e5c96105302be5df662b44d1582e296a34ae8f958ffd926311764f5423f1a05

SHA512
480135e47ac37f585f8966a033cb330b39845cd47ec708eb9dc5812a9a3b05a9917e2794a9f2c6edb1fb52df809bc1dbd8c8e968135280f4ed05aec2b8ea9dca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
534f9b4284671d2da8d7f467604b1f28

SHA1
35bc1eae286185cdf01b9acdd32de2aef03926bd

SHA256
7c2fc3d746c33beabf66e1ca68ff7e5c5dc0a6792be094f10dd3b6defe6307d5

SHA512
d3792345dafe71997f5d28e220b1994e7130b192188f0a2f89bd361bcd9d84e07d058135f5180974dcfff1de57e7b153c50662c02fbeca2a381b90215d4da4dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a3b0c285b5c219470991cf14afe71f29

SHA1
ae728e2be5ec759bed4cff660759b97efff05a24

SHA256
d6f7580adb96ba45501d3031fd9c490907673d5c2651b96a34f5eed933b66714

SHA512
e6b8b12a4746c5cb80f88cf5234809e4f84e99f16c951be2a9c13b1895d7f006136475af94a7cf879f79db30fd9855c4476433c70eec00da33b89f0cf27d6771

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
69b72d0a4a2f9cbec95b3201ca02ae2f

SHA1
fcc44ae63c9b0280a10408551a41843f8de72b21

SHA256
996c85ab362c1d17a2a6992e03fdc8a0c0372f81f8fad93970823519973c7b9c

SHA512
08d70d28f1e8d9e539a2c0fbac667a8447ea85ea7b08679139abbbbb1b6250d944468b128ed6b386782f41ca03020e3a82491acb1fe101b09635d606b1a298be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
130644a5f79b27202a13879460f2c31a

SHA1
29e213847a017531e849139c7449bce6b39cb2fa

SHA256
1306a93179e1eaf354d9daa6043ae8ffb37b76a1d1396e7b8df671485582bcd1

SHA512
fbc8606bf988cf0a6dea28c16d4394c9b1e47f6b68256132b5c85caf1ec7b516c0e3d33034db275adf267d5a84af2854f50bd38a9ed5e86eb392144c63252e01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
57b3dfa5fb0262911186587ed12281b7

SHA1
5caee04e1ec68458e5c342b3e6f271af3836c94d

SHA256
274f1613c4b6ad3db1b989638ea18ee5c2322cd6d5f1d48f4903af0759369604

SHA512
4c0ab113a903725b63d72422fbda2fecb7a8ee1872516d6d71a7fde1af52e04d521314710706550e11db9d23f341124bd570bd207254ec3ac6804904b99b0325

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
49a6532304757b9becf79bc217da942b

SHA1
a77d9cfd6aee28e4738698c9fb6073d0b5d5d542

SHA256
4c6afc1772648014a63ac014a756a28c9311f944ff2f2205d1f0d796e371f63b

SHA512
5efbcc8b519fc822b7e9384700bf966d50cb67e0eff3c3c6189fb888cec6b2632d993bf5ef2d2aee358cd192a7f71f9ebb0703e444eeeb00397513a79790078b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4VT6R2QM\headerBanner[5].htm

Filesize
15B

MD5
cf9752d163e399497aeab80ae3446246

SHA1
ea3b026dba8552e366b26fd78ee0b76465552d84

SHA256
3c2962d235bbc4f4e302c81eb7a2177d8dff2cdbe91b9494270d3ba83161d8f4

SHA512
513433cd330665d652649449ad8a75435721bde3919dcc2b6f8ce96b98cb692cea5bac5b6f1478b251dc59f883aa737a5152dc3458fe8722ae285fec9298bb59

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshCC20.tmp\KillProcDLL.dll

Filesize
4KB

MD5
99f345cf51b6c3c317d20a81acb11012

SHA1
b3d0355f527c536ea14a8ff51741c8739d66f727

SHA256
c2689ba1f66066afce85ca6457ecd36370be0fe351c58422e45efd0948655c93

SHA512
937aa75be84a74f2be3b54dc80fac02c17dad1915d924ef82ab354d2a49bc773ee6d801203c52686113783a7c7ea0e8ed8e673ba696d6d3212f7006e291ed2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshCC20.tmp\KillProcDLL.dll

Filesize
4KB

MD5
99f345cf51b6c3c317d20a81acb11012

SHA1
b3d0355f527c536ea14a8ff51741c8739d66f727

SHA256
c2689ba1f66066afce85ca6457ecd36370be0fe351c58422e45efd0948655c93

SHA512
937aa75be84a74f2be3b54dc80fac02c17dad1915d924ef82ab354d2a49bc773ee6d801203c52686113783a7c7ea0e8ed8e673ba696d6d3212f7006e291ed2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshCC20.tmp\KillProcDLL.dll

Filesize
4KB

MD5
99f345cf51b6c3c317d20a81acb11012

SHA1
b3d0355f527c536ea14a8ff51741c8739d66f727

SHA256
c2689ba1f66066afce85ca6457ecd36370be0fe351c58422e45efd0948655c93

SHA512
937aa75be84a74f2be3b54dc80fac02c17dad1915d924ef82ab354d2a49bc773ee6d801203c52686113783a7c7ea0e8ed8e673ba696d6d3212f7006e291ed2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshCC20.tmp\KillProcDLL.dll

Filesize
4KB

MD5
99f345cf51b6c3c317d20a81acb11012

SHA1
b3d0355f527c536ea14a8ff51741c8739d66f727

SHA256
c2689ba1f66066afce85ca6457ecd36370be0fe351c58422e45efd0948655c93

SHA512
937aa75be84a74f2be3b54dc80fac02c17dad1915d924ef82ab354d2a49bc773ee6d801203c52686113783a7c7ea0e8ed8e673ba696d6d3212f7006e291ed2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshCC20.tmp\KillProcDLL.dll

Filesize
4KB

MD5
99f345cf51b6c3c317d20a81acb11012

SHA1
b3d0355f527c536ea14a8ff51741c8739d66f727

SHA256
c2689ba1f66066afce85ca6457ecd36370be0fe351c58422e45efd0948655c93

SHA512
937aa75be84a74f2be3b54dc80fac02c17dad1915d924ef82ab354d2a49bc773ee6d801203c52686113783a7c7ea0e8ed8e673ba696d6d3212f7006e291ed2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshCC20.tmp\System.dll

Filesize
11KB

MD5
cf85183b87314359488b850f9e97a698

SHA1
6b6c790037eec7ebea4d05590359cb4473f19aea

SHA256
3b6a5cb2a3c091814fce297c04fb677f72732fb21615102c62a195fdc2e7dfac

SHA512
fe484b3fc89aeed3a6b71b90b90ea11a787697e56be3077154b6ddc2646850f6c38589ed422ff792e391638a80a778d33f22e891e76b5d65896c6fb4696a2c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshCC20.tmp\UserInfo.dll

Filesize
4KB

MD5
d41cf0e4d88c60408f3d5b97f49d40c0

SHA1
1aa117b1ef998993f495833a08dd8cb12356be0f

SHA256
2dbdb3abd5652302254466aefa0f40048832f2a39fbb8a63c97fda8116021ff9

SHA512
35bf8f92d502a007838576c25aa25d1d7cc01a639df624cfb166085b51f1ba9cd4791c854f879e7b138492a3492365d88c0c5d7accfe5ac1e0e73685117f9209

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshCC20.tmp\UserInfo.dll

Filesize
4KB

MD5
d41cf0e4d88c60408f3d5b97f49d40c0

SHA1
1aa117b1ef998993f495833a08dd8cb12356be0f

SHA256
2dbdb3abd5652302254466aefa0f40048832f2a39fbb8a63c97fda8116021ff9

SHA512
35bf8f92d502a007838576c25aa25d1d7cc01a639df624cfb166085b51f1ba9cd4791c854f879e7b138492a3492365d88c0c5d7accfe5ac1e0e73685117f9209

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshCC20.tmp\UserInfo.dll

Filesize
4KB

MD5
d41cf0e4d88c60408f3d5b97f49d40c0

SHA1
1aa117b1ef998993f495833a08dd8cb12356be0f

SHA256
2dbdb3abd5652302254466aefa0f40048832f2a39fbb8a63c97fda8116021ff9

SHA512
35bf8f92d502a007838576c25aa25d1d7cc01a639df624cfb166085b51f1ba9cd4791c854f879e7b138492a3492365d88c0c5d7accfe5ac1e0e73685117f9209

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
c801fc0ed606520841e70521b63604a1

SHA1
5e0bbb3661b8eef419d1ea0c9f1910ae4dd504d5

SHA256
d4e1340b9fe203fde78857dff87c753ec8100f1a759587cbef8b95094664377c

SHA512
cfe591f2f4433ece91aa672e747637481ed2ae2442d5e29295858f84796c8dd8b3a68506fddbe06a9495a6e4b1e3477fbaae5d6955dbb5a6d6c550540e780469

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
361facf71367771ac5af9510b636257e

SHA1
76aea5f7b333a0d7878ede244a86e42fdf114cf2

SHA256
b637fb4877d9c9f42841004822d8e5bd71ec3e9a2532b7f39059863bd821c4bb

SHA512
da483240b7e2a1f5b05dbad371cb0c30465616bf22e10a5a0153ff328b1bf7c719d05dac15d1ece6ddfca4c85a5e09dd3708e06abb36699ab9926b315243b08a

Download Submit
memory/2264-160-0x0000000002290000-0x0000000002293000-memory.dmp

Filesize
12KB

Download
memory/2264-152-0x0000000002290000-0x0000000002293000-memory.dmp

Filesize
12KB

Download
memory/2264-161-0x0000000002290000-0x0000000002293000-memory.dmp

Filesize
12KB

Download
memory/2264-153-0x0000000002290000-0x0000000002293000-memory.dmp

Filesize
12KB

Download
memory/4932-305-0x0000025A697A0000-0x0000025A697B0000-memory.dmp

Filesize
64KB

Download
memory/4932-180-0x0000025A697A0000-0x0000025A697B0000-memory.dmp

Filesize
64KB

Download
memory/4932-179-0x0000025A4F170000-0x0000025A4F178000-memory.dmp

Filesize
32KB

Download
memory/5060-307-0x00000293B4D70000-0x00000293B4D80000-memory.dmp

Filesize
64KB

Download
memory/5060-174-0x000002939A0B0000-0x000002939A0BE000-memory.dmp

Filesize
56KB

Download
memory/5060-379-0x00000293B4D70000-0x00000293B4D80000-memory.dmp

Filesize
64KB

Download
memory/5060-172-0x00000293B40E0000-0x00000293B4192000-memory.dmp

Filesize
712KB

Download
memory/5060-311-0x00000293B4D70000-0x00000293B4D80000-memory.dmp

Filesize
64KB

Download
memory/5060-181-0x00000293B4D70000-0x00000293B4D80000-memory.dmp

Filesize
64KB

Download
memory/5060-175-0x00000293B4D70000-0x00000293B4D80000-memory.dmp

Filesize
64KB

Download
memory/5060-170-0x0000029399BB0000-0x0000029399BC2000-memory.dmp

Filesize
72KB

Download
memory/5060-306-0x00000293B4D70000-0x00000293B4D80000-memory.dmp

Filesize
64KB

Download
memory/5060-217-0x00000293B4D70000-0x00000293B4D80000-memory.dmp

Filesize
64KB

Download
memory/5060-213-0x00000293B58F0000-0x00000293B5912000-memory.dmp

Filesize
136KB

Download
memory/5060-185-0x00000293B4D70000-0x00000293B4D80000-memory.dmp

Filesize
64KB

Download
memory/5060-300-0x00000293B4D70000-0x00000293B4D80000-memory.dmp

Filesize
64KB

Download