xehook | hxxps://www[.]mediafire[.]com/file/nim0ut2caef821k/Rz_Laun_v_6[.]3[.]5[.]rar/file

Analysis

max time kernel
378s
max time network
307s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
14-09-2024 00:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/nim0ut2caef821k/Rz_Laun_v_6.3.5.rar/file

Score

10^/10

xehook credential_access discovery execution stealer

Malware Config

Extracted

Family

xehook

Version

2.1.5 Stable

https://t.me/+w897k5UK_jIyNDgy

Attributes

id
185
token
xehook185936398232728

Signatures

Xehook stealer
Xehook is an infostealer written in C#.
stealer xehook
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

Processes:

Powershell.exePowershell.exePowershell.exePowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
1716	Powershell.exe
4328	Powershell.exe
424	Powershell.exe
3972	Powershell.exe
3548	powershell.exe
4124	powershell.exe
4328	Powershell.exe
3000	powershell.exe
3972	Powershell.exe
2148	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 6 IoCs

Processes:

Rzlauncher Setup.exejavaw.exeRzlauncher Setup.exejavaw.exeOTAwMDU5ZjQwZmZlMzM0ZjQ5YzQxMzJjYjhiNjU4ZjQ.exeZjhmM2RiN2I4NDU3MjdmMjIyMjA3YWM4ZTJhZDQxZmI.exe

pid	Process
3948	Rzlauncher Setup.exe
1220	javaw.exe
3968	Rzlauncher Setup.exe
1120	javaw.exe
1036	OTAwMDU5ZjQwZmZlMzM0ZjQ5YzQxMzJjYjhiNjU4ZjQ.exe
3480	ZjhmM2RiN2I4NDU3MjdmMjIyMjA3YWM4ZTJhZDQxZmI.exe

Loads dropped DLL 32 IoCs

Processes:

javaw.exejavaw.exeOTAwMDU5ZjQwZmZlMzM0ZjQ5YzQxMzJjYjhiNjU4ZjQ.exeZjhmM2RiN2I4NDU3MjdmMjIyMjA3YWM4ZTJhZDQxZmI.exe

pid	Process
1220	javaw.exe
1220	javaw.exe
1220	javaw.exe
1220	javaw.exe
1220	javaw.exe
1220	javaw.exe
1220	javaw.exe
1220	javaw.exe
1220	javaw.exe
1220	javaw.exe
1220	javaw.exe
1220	javaw.exe
1220	javaw.exe
1120	javaw.exe
1120	javaw.exe
1120	javaw.exe
1120	javaw.exe
1120	javaw.exe
1120	javaw.exe
1120	javaw.exe
1120	javaw.exe
1120	javaw.exe
1120	javaw.exe
1120	javaw.exe
1120	javaw.exe
1120	javaw.exe
1220	javaw.exe
1220	javaw.exe
1036	OTAwMDU5ZjQwZmZlMzM0ZjQ5YzQxMzJjYjhiNjU4ZjQ.exe
1120	javaw.exe
1120	javaw.exe
3480	ZjhmM2RiN2I4NDU3MjdmMjIyMjA3YWM4ZTJhZDQxZmI.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
227	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

OTAwMDU5ZjQwZmZlMzM0ZjQ5YzQxMzJjYjhiNjU4ZjQ.exeZjhmM2RiN2I4NDU3MjdmMjIyMjA3YWM4ZTJhZDQxZmI.exe

description	pid	Process	procid_target
PID 1036 set thread context of 2688	1036	OTAwMDU5ZjQwZmZlMzM0ZjQ5YzQxMzJjYjhiNjU4ZjQ.exe	144
PID 3480 set thread context of 1108	3480	ZjhmM2RiN2I4NDU3MjdmMjIyMjA3YWM4ZTJhZDQxZmI.exe	153

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
3288	2688	WerFault.exe	144
4076	1108	WerFault.exe	153

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

explorer.exePowershell.exePowershell.exeOTAwMDU5ZjQwZmZlMzM0ZjQ5YzQxMzJjYjhiNjU4ZjQ.exeMSBuild.exejavaw.exeexplorer.exeZjhmM2RiN2I4NDU3MjdmMjIyMjA3YWM4ZTJhZDQxZmI.exejavaw.exeRzlauncher Setup.exepowershell.exepowershell.exePowershell.exeMSBuild.exeRzlauncher Setup.exePowershell.exepowershell.exepowershell.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OTAwMDU5ZjQwZmZlMzM0ZjQ5YzQxMzJjYjhiNjU4ZjQ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZjhmM2RiN2I4NDU3MjdmMjIyMjA3YWM4ZTJhZDQxZmI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rzlauncher Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rzlauncher Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

Processes:

msedge.exeOpenWith.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Rz_Laun_v_6.3.5.rar:Zone.Identifier	msedge.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXE

pid	Process
3096	NOTEPAD.EXE
3484	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exePowershell.exePowershell.exepowershell.exepowershell.exetaskmgr.exePowershell.exePowershell.exepowershell.exepowershell.exe

pid	Process
580	msedge.exe
580	msedge.exe
2076	msedge.exe
2076	msedge.exe
4392	msedge.exe
4392	msedge.exe
4112	identity_helper.exe
4112	identity_helper.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
5016	msedge.exe
5016	msedge.exe
424	Powershell.exe
4328	Powershell.exe
424	Powershell.exe
4328	Powershell.exe
3000	powershell.exe
3548	powershell.exe
3000	powershell.exe
3548	powershell.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3972	Powershell.exe
1716	Powershell.exe
1716	Powershell.exe
3972	Powershell.exe
3992	taskmgr.exe
3992	taskmgr.exe
2148	powershell.exe
4124	powershell.exe
3992	taskmgr.exe
2148	powershell.exe
4124	powershell.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

7zFM.exetaskmgr.exe

pid	Process
5076	7zFM.exe
3992	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

Processes:

msedge.exe

pid	Process
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

7zFM.exe7zG.exe7zG.exePowershell.exePowershell.exepowershell.exepowershell.exetaskmgr.exePowershell.exePowershell.exepowershell.exepowershell.exeMSBuild.exeMSBuild.exe

description	pid	Process
Token: SeRestorePrivilege	5076	7zFM.exe
Token: 35	5076	7zFM.exe
Token: SeSecurityPrivilege	5076	7zFM.exe
Token: SeRestorePrivilege	3904	7zG.exe
Token: 35	3904	7zG.exe
Token: SeSecurityPrivilege	3904	7zG.exe
Token: SeSecurityPrivilege	3904	7zG.exe
Token: SeRestorePrivilege	3992	7zG.exe
Token: 35	3992	7zG.exe
Token: SeSecurityPrivilege	3992	7zG.exe
Token: SeSecurityPrivilege	3992	7zG.exe
Token: SeDebugPrivilege	424	Powershell.exe
Token: SeDebugPrivilege	4328	Powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	3548	powershell.exe
Token: SeDebugPrivilege	3992	taskmgr.exe
Token: SeSystemProfilePrivilege	3992	taskmgr.exe
Token: SeCreateGlobalPrivilege	3992	taskmgr.exe
Token: SeDebugPrivilege	3972	Powershell.exe
Token: SeDebugPrivilege	1716	Powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	4124	powershell.exe
Token: SeSecurityPrivilege	3992	taskmgr.exe
Token: SeTakeOwnershipPrivilege	3992	taskmgr.exe
Token: SeDebugPrivilege	2688	MSBuild.exe
Token: SeDebugPrivilege	1108	MSBuild.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	Process
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exetaskmgr.exe

pid	Process
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

OpenWith.exejavaw.exejavaw.exe

pid	Process
2992	OpenWith.exe
1220	javaw.exe
1120	javaw.exe
1220	javaw.exe
1120	javaw.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	Process	procid_target
PID 2076 wrote to memory of 224	2076	msedge.exe	79
PID 2076 wrote to memory of 224	2076	msedge.exe	79
PID 2076 wrote to memory of 3392	2076	msedge.exe	80
PID 2076 wrote to memory of 3392	2076	msedge.exe	80
PID 2076 wrote to memory of 3392	2076	msedge.exe	80
PID 2076 wrote to memory of 3392	2076	msedge.exe	80
PID 2076 wrote to memory of 3392	2076	msedge.exe	80
PID 2076 wrote to memory of 3392	2076	msedge.exe	80
PID 2076 wrote to memory of 3392	2076	msedge.exe	80
PID 2076 wrote to memory of 3392	2076	msedge.exe	80
PID 2076 wrote to memory of 3392	2076	msedge.exe	80
PID 2076 wrote to memory of 3392	2076	msedge.exe	80
PID 2076 wrote to memory of 3392	2076	msedge.exe	80
PID 2076 wrote to memory of 3392	2076	msedge.exe	80
PID 2076 wrote to memory of 3392	2076	msedge.exe	80
PID 2076 wrote to memory of 3392	2076	msedge.exe	80
PID 2076 wrote to memory of 3392	2076	msedge.exe	80
PID 2076 wrote to memory of 3392	2076	msedge.exe	80
PID 2076 wrote to memory of 3392	2076	msedge.exe	80
PID 2076 wrote to memory of 3392	2076	msedge.exe	80
PID 2076 wrote to memory of 3392	2076	msedge.exe	80
PID 2076 wrote to memory of 3392	2076	msedge.exe	80
PID 2076 wrote to memory of 3392	2076	msedge.exe	80
PID 2076 wrote to memory of 3392	2076	msedge.exe	80
PID 2076 wrote to memory of 3392	2076	msedge.exe	80
PID 2076 wrote to memory of 3392	2076	msedge.exe	80
PID 2076 wrote to memory of 3392	2076	msedge.exe	80
PID 2076 wrote to memory of 3392	2076	msedge.exe	80
PID 2076 wrote to memory of 3392	2076	msedge.exe	80
PID 2076 wrote to memory of 3392	2076	msedge.exe	80
PID 2076 wrote to memory of 3392	2076	msedge.exe	80
PID 2076 wrote to memory of 3392	2076	msedge.exe	80
PID 2076 wrote to memory of 3392	2076	msedge.exe	80
PID 2076 wrote to memory of 3392	2076	msedge.exe	80
PID 2076 wrote to memory of 3392	2076	msedge.exe	80
PID 2076 wrote to memory of 3392	2076	msedge.exe	80
PID 2076 wrote to memory of 3392	2076	msedge.exe	80
PID 2076 wrote to memory of 3392	2076	msedge.exe	80
PID 2076 wrote to memory of 3392	2076	msedge.exe	80
PID 2076 wrote to memory of 3392	2076	msedge.exe	80
PID 2076 wrote to memory of 3392	2076	msedge.exe	80
PID 2076 wrote to memory of 3392	2076	msedge.exe	80
PID 2076 wrote to memory of 580	2076	msedge.exe	81
PID 2076 wrote to memory of 580	2076	msedge.exe	81
PID 2076 wrote to memory of 620	2076	msedge.exe	82
PID 2076 wrote to memory of 620	2076	msedge.exe	82
PID 2076 wrote to memory of 620	2076	msedge.exe	82
PID 2076 wrote to memory of 620	2076	msedge.exe	82
PID 2076 wrote to memory of 620	2076	msedge.exe	82
PID 2076 wrote to memory of 620	2076	msedge.exe	82
PID 2076 wrote to memory of 620	2076	msedge.exe	82
PID 2076 wrote to memory of 620	2076	msedge.exe	82
PID 2076 wrote to memory of 620	2076	msedge.exe	82
PID 2076 wrote to memory of 620	2076	msedge.exe	82
PID 2076 wrote to memory of 620	2076	msedge.exe	82
PID 2076 wrote to memory of 620	2076	msedge.exe	82
PID 2076 wrote to memory of 620	2076	msedge.exe	82
PID 2076 wrote to memory of 620	2076	msedge.exe	82
PID 2076 wrote to memory of 620	2076	msedge.exe	82
PID 2076 wrote to memory of 620	2076	msedge.exe	82
PID 2076 wrote to memory of 620	2076	msedge.exe	82
PID 2076 wrote to memory of 620	2076	msedge.exe	82
PID 2076 wrote to memory of 620	2076	msedge.exe	82
PID 2076 wrote to memory of 620	2076	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/nim0ut2caef821k/Rz_Laun_v_6.3.5.rar/file
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xb8,0x10c,0x7ff8f3573cb8,0x7ff8f3573cc8,0x7ff8f3573cd8
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,2446748612628047998,4995461508394213069,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:3392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,2446748612628047998,4995461508394213069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,2446748612628047998,4995461508394213069,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
  2⤵
  PID:620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,2446748612628047998,4995461508394213069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:3776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,2446748612628047998,4995461508394213069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:1040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,2446748612628047998,4995461508394213069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1
  2⤵
  PID:2032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,2446748612628047998,4995461508394213069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:3200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,2446748612628047998,4995461508394213069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
  2⤵
  PID:1716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,2446748612628047998,4995461508394213069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6136 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,2446748612628047998,4995461508394213069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
  2⤵
  PID:2996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,2446748612628047998,4995461508394213069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:1
  2⤵
  PID:1264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,2446748612628047998,4995461508394213069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6792 /prefetch:1
  2⤵
  PID:244
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,2446748612628047998,4995461508394213069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7264 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,2446748612628047998,4995461508394213069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:2468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,2446748612628047998,4995461508394213069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6416 /prefetch:1
  2⤵
  PID:2424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,2446748612628047998,4995461508394213069,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:1416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,2446748612628047998,4995461508394213069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:1
  2⤵
  PID:3508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,2446748612628047998,4995461508394213069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:3212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,2446748612628047998,4995461508394213069,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6604 /prefetch:1
  2⤵
  PID:3488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,2446748612628047998,4995461508394213069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
  2⤵
  PID:2520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,2446748612628047998,4995461508394213069,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5024 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,2446748612628047998,4995461508394213069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6512 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5016

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4312

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4944

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2992

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2008

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\Rz_Laun_v_6.3.5.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:5076

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Rz_Laun_v_6.3.5\" -spe -an -ai#7zMap1439:88:7zEvent25253
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3904

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Rz_Laun_v_6.3.5\P.S.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3096

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Rz_Laun_v_6.3.5\" -an -ai#7zMap14929:126:7zEvent1558
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3992

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Rz_Laun_v_6.3.5\P.S.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3484

C:\Users\Admin\Desktop\Rz_Laun_v_6.3.5\Rzlauncher Setup.exe
"C:\Users\Admin\Desktop\Rz_Laun_v_6.3.5\Rzlauncher Setup.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3948
- C:\Users\Admin\Desktop\Rz_Laun_v_6.3.5\jre\bin\javaw.exe
  "C:\Users\Admin\Desktop\Rz_Laun_v_6.3.5\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\activation.jar;lib\asm-all.jar;lib\commons-email.jar;lib\cs2 skin.mp4;lib\dn-compiled-module.jar;lib\dn-php-sdk.jar;lib\gson.jar;lib\jfoenix.jar;lib\jkeymaster.jar;lib\jna.jar;lib\jphp-app-framework.jar;lib\jphp-core.jar;lib\jphp-desktop-ext.jar;lib\jphp-desktop-hotkey-ext.jar;lib\jphp-gui-ext.jar;lib\jphp-gui-jfoenix-ext.jar;lib\jphp-json-ext.jar;lib\jphp-jsoup-ext.jar;lib\jphp-mail-ext.jar;lib\jphp-runtime.jar;lib\jphp-systemtray-ext.jar;lib\jphp-xml-ext.jar;lib\jphp-zend-ext.jar;lib\jphp-zip-ext.jar;lib\jsoup.jar;lib\mail.jar;lib\slf4j-api.jar;lib\slf4j-simple.jar;lib\zenless zero.mp4;lib\zt-zip.jar" org.develnext.jphp.ext.javafx.FXLauncher
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1220
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command "Add-MpPreference -Force -ExclusionPath "C:\""' -Verb RunAs}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4328
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -Force -ExclusionPath C:"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3000
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command "Set-MpPreference -Force -DisableBehaviorMonitoring "' -Verb RunAs}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:424
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableBehaviorMonitoring
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3548
- - C:\Windows\SysWOW64\explorer.exe
    explorer C:\Users\Admin\AppData\Local\Temp\OTAwMDU5ZjQwZmZlMzM0ZjQ5YzQxMzJjYjhiNjU4ZjQ.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4880

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:3992

C:\Users\Admin\Desktop\Rz_Laun_v_6.3.5\Rzlauncher Setup.exe
"C:\Users\Admin\Desktop\Rz_Laun_v_6.3.5\Rzlauncher Setup.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3968
- C:\Users\Admin\Desktop\Rz_Laun_v_6.3.5\jre\bin\javaw.exe
  "C:\Users\Admin\Desktop\Rz_Laun_v_6.3.5\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\activation.jar;lib\asm-all.jar;lib\commons-email.jar;lib\cs2 skin.mp4;lib\dn-compiled-module.jar;lib\dn-php-sdk.jar;lib\gson.jar;lib\jfoenix.jar;lib\jkeymaster.jar;lib\jna.jar;lib\jphp-app-framework.jar;lib\jphp-core.jar;lib\jphp-desktop-ext.jar;lib\jphp-desktop-hotkey-ext.jar;lib\jphp-gui-ext.jar;lib\jphp-gui-jfoenix-ext.jar;lib\jphp-json-ext.jar;lib\jphp-jsoup-ext.jar;lib\jphp-mail-ext.jar;lib\jphp-runtime.jar;lib\jphp-systemtray-ext.jar;lib\jphp-xml-ext.jar;lib\jphp-zend-ext.jar;lib\jphp-zip-ext.jar;lib\jsoup.jar;lib\mail.jar;lib\slf4j-api.jar;lib\slf4j-simple.jar;lib\zenless zero.mp4;lib\zt-zip.jar" org.develnext.jphp.ext.javafx.FXLauncher
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1120
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command "Add-MpPreference -Force -ExclusionPath "C:\""' -Verb RunAs}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3972
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -Force -ExclusionPath C:"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2148
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command "Set-MpPreference -Force -DisableBehaviorMonitoring "' -Verb RunAs}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1716
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableBehaviorMonitoring
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4124
- - C:\Windows\SysWOW64\explorer.exe
    explorer C:\Users\Admin\AppData\Local\Temp\ZjhmM2RiN2I4NDU3MjdmMjIyMjA3YWM4ZTJhZDQxZmI.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4088

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:988
- C:\Users\Admin\AppData\Local\Temp\OTAwMDU5ZjQwZmZlMzM0ZjQ5YzQxMzJjYjhiNjU4ZjQ.exe
  "C:\Users\Admin\AppData\Local\Temp\OTAwMDU5ZjQwZmZlMzM0ZjQ5YzQxMzJjYjhiNjU4ZjQ.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:1036
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2688
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 2008
      4⤵
      Program crash
      PID:3288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2688 -ip 2688
1⤵
PID:3392

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2092
- C:\Users\Admin\AppData\Local\Temp\ZjhmM2RiN2I4NDU3MjdmMjIyMjA3YWM4ZTJhZDQxZmI.exe
  "C:\Users\Admin\AppData\Local\Temp\ZjhmM2RiN2I4NDU3MjdmMjIyMjA3YWM4ZTJhZDQxZmI.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:3480
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1108
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 2012
      4⤵
      Program crash
      PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1108 -ip 1108
1⤵
PID:1564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
026e0c65239e15ba609a874aeac2dc33

SHA1
a75e1622bc647ab73ab3bb2809872c2730dcf2df

SHA256
593f20dfb73d2b81a17bfcc1f246848080dfc96898a1a62c5ddca62105ed1292

SHA512
9fb7644c87bdd3430700f42137154069badbf2b7a67e5ac6c364382bca8cba95136d460f49279b346703d4b4fd81087e884822a01a2a38901568a3c3e3387569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
228fefc98d7fb5b4e27c6abab1de7207

SHA1
ada493791316e154a906ec2c83c412adf3a7061a

SHA256
448d09169319374935a249b1fc76bcf2430b4e1436611f3c2f3331b6eafe55a2

SHA512
fa74f1cc5da8db978a7a5b8c9ebff3cd433660db7e91ce03c44a1d543dd667a51659ba79270d3d783d52b9e45d76d0f9467458df1482ded72ea79c873b2a5e56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
62KB

MD5
6b04ab52540bdc8a646d6e42255a6c4b

SHA1
4cdfc59b5b62dafa3b20d23a165716b5218aa646

SHA256
33353d2328ea91f6abf5fb5c5f3899853dcc724a993b9086cab92d880da99f4d

SHA512
4f3b417c77c65936486388b618a7c047c84fb2e2dd8a470f7fe4ffec1ad6699d02fa9c1bbd551414eef0f2e6747a9ee59ca87198b20f9f4a9a01394ae69fa730

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
31KB

MD5
c03ff64e7985603de96e7f84ec7dd438

SHA1
dfc067c6cb07b81281561fdfe995aca09c18d0e9

SHA256
0db8e9f0a185bd5dd2ec4259db0a0e89363afa953069f5238a0537671de6f526

SHA512
bb0fd94c5a8944a99f792f336bb8a840f23f6f0f1cb9661b156511a9984f0bb6c96baf05b7c1cf0efb83f43a224ecea52740432e3cfc85e0799428765eefb692

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\481963cd074f1a48_0

Filesize
268B

MD5
34b91fb9c6f72a2ff48f658d5214ddfb

SHA1
e4458ff4ff3901c6d44692025231c24efb9787b6

SHA256
557a9510b5e2e96ce9e5a266c544e9b0c7c7fb1678e2b2334bbad9fe6d4055c6

SHA512
de86c94e84949fcc4bf885579e24901fb8f772a0bef8d8bd7d4787baf37960a06080a574984779e538d396e3eabdaa0f78cf166d1c15ef593e3db2a64283ea38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\56d6f409590db490_0

Filesize
55KB

MD5
39877bf0eb9dfc180443b8f6cc175abb

SHA1
561d1aec0c5de1e345620fb7564c86a97a4ffd26

SHA256
40f291eca1aac45123ab223d2555acf8c01813d69117439949c93368d7ea96a1

SHA512
55b8285b1fe09599831fe67909711c7fad93e6d9fc4ee35a65794f957f8b87983e0006317df24883456abb649fbd2878699a1bf9723d49727fa6611473b26f85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\653252038d8a36c8_0

Filesize
328KB

MD5
d54d112b3a6d9388ea540c5c63058aaa

SHA1
22dae5b0bd71801c7e3642116cfff47f0319c9b4

SHA256
ce4308de57921b974e865c950f9f5245eddca187ed26055d262c4576087a0c6a

SHA512
5ba8676b9ccdd25e3c41978236a6f52e7673025734dda6458d5d3014886ebc3375895083e5e0ab60740a6bdd31e3995b28d97f7aa325efa44d69f0fd3b2cab92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
ab4018aa5f4862ab14b287cd13fc5b65

SHA1
7c6c78632c68450d0767139f77ac291c536c8633

SHA256
1f6ec86a1863fb097858e75306cb825ad7b3c756bb4fc7fbf652b38b7f2a9d03

SHA512
94e51b06fefeac70b88aa893444953bf38cd864b6686c5daf6afc6d8b6abfb61167837693f79a0536190d5c398d49413cfaf151de0a8cc9417912f500eb52eb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
cfffb16bbbff768443a576c25ac80e24

SHA1
e7e9059f09a6aa7d84e3c4f588b1c73818ec6c49

SHA256
4258208f9076e64c47173b41e0295c3daaf94cfcfcab6498fcd3552d01a211b8

SHA512
b256c2ddccea855b6123112622ebc559b6b6238a2e6bd39f9b612c5bce2c4210d23198b3bf976ef68f9ea6973ffd54a4df432a74d3a287bd66132107ef147ad5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
e74166e29e66009cf51dff859ac62553

SHA1
3a8b3945de2335bf4b7761413360ba72c2d3497f

SHA256
9813d4ee4ae8ac2ade08da4b1345040b5f7d267e4f73b0c85cadf60a7d21f20c

SHA512
b7c663011951f3e6197aff7557a3b08962483b042e34a3d0dc84aa097ea2465d513dca1833ef666ae7b242861fbe6582b99f1edf283b9007cf661873e985b11d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
4b7fb8faf14a5bc01092c7d50c8336c0

SHA1
fddabf3952f3ce2999d48f404edc68b57120dca5

SHA256
df3b60a194f01e5c60020ef0eec305bf58a3f50b2e1b2e9d5fd0de2507b1bce5

SHA512
a877cb7c52df9dffaf6f8c5a977ee31c3a895827395476613d73cce445c1610c64996f32a3e4ff27a8ddb943b4b1396c60b99404bb7e6af9bc5343adf7aa3116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
9KB

MD5
b6d8abf871c9d632d42e102b91940674

SHA1
50ab51aaeb1762168a7d5a22949c0e6e65c61616

SHA256
b5f437200d15ff14a4d04d17427bfd655d6211a195d3b5b9458b493892713ece

SHA512
ee10c4a4a04ba6883354beef0d98ee2a77559e7dbf61a8ff14b5676dfc9f163b5cd6af338a81d9515a7f55e9b40b89018856b6d201e2c3a6eac977500fe25ca5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
10KB

MD5
c58d5fed30ee88899b469bee7b431ce2

SHA1
ff3fb5cc30a18a3c627e32bd05d869befc82feec

SHA256
c051b3788abcdb638cd9039b8761f3388be92d855332cd1ed0d8a93f8309725a

SHA512
5b1904e63e9bbb022344a64c44f3a20c3f55e3ae5d7b0c667885b2633bfbd001d33db996d636f78d51228b0f09778745f323be22b7821ededbbd07605bd6d21b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
10KB

MD5
fcc13e77ae1041bb7ee7b8a4073a2734

SHA1
aec28ef64a976cf63c8292408aaace768445f13a

SHA256
a85b116637f3959f04e35cd9acd0a4d1e931054443ea5d6004e0a0baeb9b298b

SHA512
3972885fde03bc0e14c4ea4cc9fc4662e0cfe5d57777d071bb82f5086fccdacc97a9a1178dc42ddf8337a9c307118caba3f51114aea5634e7a22d6d388652918

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
451fa7933c308760092d6010ddc9bd2a

SHA1
5a0bf42292f4fe728fe6fb48ccfa18dbc5840530

SHA256
7b33370b12ce7152fe093c00c2cdb273dc8174be794b48b1dd1ba75dc975d26a

SHA512
2d72940eb00f39bf5c521528d8e539b03f1fa5220288e9cf363c8a22d90083b26318baa20c285260a3c87c478b3d3f30f5e156562b9c79502ddf039ef4e73a0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
22db1128e1c5c2b64a8990505f6b31e6

SHA1
efbbad8a99e38a0f758d34b36f3745f2691fd7cc

SHA256
b5472bfac1c806d1847b73b38c406060395c394cc7f333a3e755cee8e9f9083d

SHA512
f3df3e3771c5dad46ac6a7a95108712e8871ad379857e2c4dc5169c3fbff30acd8c80fc83ed414e818530c47359b2281caee658bd747e34ae7f08faa184f9e4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
cc05ada1abd925640b143a9d2b1fe30c

SHA1
9cea1f5cfb5c4900b66cd4bef29f7a073bd16ef0

SHA256
4f4cdb9f48471df284cc7727814968930aedd0a3c86e9c87306572266486a979

SHA512
ffbda83cb39d3b553c1e3af99b0055d5d6c2db78c63629c7668acd25e528fe0a9116cccc0c8884020c132b1dc1acc4827630077ee31f3216c2f144697549f7c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
b1fa2a9ecb4059953404d8be5ea11cc2

SHA1
2c97a524d1e76cc0e7d7142e613d98ab9d6e5513

SHA256
39d2328b24b81ccc6ef5fb43cc54201110ed9a4de1e9dda5cc6257691381914c

SHA512
efc741f4bb79f18477e70c0c5f51dff48f845772bf6a547d22cf8383e3a39f8b569093741e657c745bc9508a8df988611e10f453913268f60b1859d97a4355c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
b47b539a88eefa926b0074f5f94ff715

SHA1
6fdd9ca69dde1c3c45bbf0ae0e0311874ac2ecaa

SHA256
b0dd394405fd43906ceef94446da43505968b494b3728a18825286e3a199a2a4

SHA512
2bb4be2d99867dc25d999f7167a2ef0a7bd8299308a2d66f52d908e0b8138a3a705956f5fd4acc9901652d86b0206d594f5c7540ad05311ae8ae6b54ff18337c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
57c4f2b5048bfcd69510e5f8bad60c08

SHA1
6d5eb30bb79b69cbc41b547d684f5a9c5e54a7b3

SHA256
af409cdef67d55d6283237ba1e44c9dd56615be9d3217f77611329cfc8135026

SHA512
4ef3ba7d4fa42288da53628ca9610e3310903c250a1524094cec14c86b3b94e34c09bc4abc4edb95036d96c63a772ffdce9b0d03f2bcf1921400ea266220d521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
29bd56eb8a2ec01aefa7a8da59b2efd8

SHA1
b27d23641b2a0fc1b479346acb7d7df39310be47

SHA256
6f1adc840240697dcf22511009a7304cd19f7bb4acb1b07db687229f07fb97a8

SHA512
e17c2a56154a8cc3d14a9f1fc99dbe47ab8193c74bfbbcc086ca735b951fd19ae0ba3583f59e7e388a9f5f4ffec55d4c4a5ed1afd9cdce574f36649f1c574112

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
18542416bfe40880337a100c1194e3cc

SHA1
e5425cb1343a8b35a3a57774689fb3c825d9c477

SHA256
35cfb17d96c3ee26e7b2aa885bf7ed3eef1ee5690e48bda6e6ea714799e0063c

SHA512
0df1c3ca1dc5736bc7df31c64bd6352e2464a26a1e34242d41adf27e4521087770241dda14a0da9cae812c3dbefeb6932d2a2bbfa31b8bb881d7b49b9f0e1724

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
5ba472cbd8da2861b62274246f82984e

SHA1
a766d038ef3af4d32dc971a9de65346275c93670

SHA256
b09b5ca349a5c517bac1138909acad6b519bb334c7e562bcebade3f76114ae95

SHA512
259423da293c961dd39891e4c2c2054eb88d58165f49167162cc4836a3a9efef6e9bca240017d90c985c15a9cc5fc0417e1d3171c4723ad341ee9dc2c42a0661

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
ab83db28e357a9c590641b70b06c4e9e

SHA1
70525cd0dc230efae0d5a5ad738ce0c5509c661c

SHA256
96879e20e68f3f67c19bf76e71f68c62afd70098b2752813e92ef11f99b93519

SHA512
09af7b4551ba89dddf6864fe870fb3b1ecb60ea048f04e0af39c38ab9e546326adfdcacd86dcb3e87fa93146cd0de04258404c50e328037aa022cc1541c949d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
166a0b888d9af38b7763aa8997f589f7

SHA1
bb6d8eec943da730b964eb6ce74e4154cb170fff

SHA256
5079da6ab5594e5d834e3425e1473c8653586c3ebf0465fc0432d1dada18cd36

SHA512
4b46ed2d58d43a576b5d3ea5f616edf2aeb08acc8a90d87b81bfe462320bd34d2267513d1870fe9536dbcb727232a9dc853c4f335f586c732a63243fc389c843

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57cfe3.TMP

Filesize
1KB

MD5
32dadff340ab4d080ce1e9bfae861ce6

SHA1
eb1001622c723e2cfb33092bcc35eb4f52d5148f

SHA256
8e2d519aedadd95709fc16b9b8e93701cb09206dbc42e91c7c6f83a2566da13d

SHA512
d5c48e5a5921e1882867fb431fcf7172e7618b350cdcc38164a957508c2f1358265c6e3230c89a2e72ca4df731d3e1efbbb5b930aa5d4fedd1fa8a3fc0ae0952

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6dddab12cce26b5d847ba612f5c65632

SHA1
5e6668d1b6dc9d5e528cf57ef67d060f166a9f2f

SHA256
e85da8f9e609c5fe4d07fadc81bc6fe2eaae55615a3525b63014b8361dd4fbbe

SHA512
754c68e85b291d9ea05efc791022d9a0e3ab7329f9a8ee3cc2c6d1b33cfd932a12b4e756a8e97e188c1e1d351ea877706138748bf9424606760d5788e1316f05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
49c9420426f4fa5c6eeb1080fba276c0

SHA1
471b8f4dd142f002f1de1717938a695599afc914

SHA256
83afa69f609822454304796f8f3264073c2b9f57c4bceeab0dd82e6bd7a17bdf

SHA512
010eb9d45221ad9de940ae22fdc96da738d4a3edd1c3729b49a7f2693c756b3fbc12066b38e7948dd60744edb3d5b4f1c3ca578a58d9ffbbfd1689ea3fbce7e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a5e9ec4aff98bdf6e43fef7dc2c652ad

SHA1
c1694aef1b96cad047884f83178d612b539bb77e

SHA256
9272ac72d361c4cc91c07e3fde11c565ba9f09f90cf73cd6f7fb2da0867a4c7f

SHA512
832a860b55510aaa64ac01fc0e556f827d703231b9daa39c1711bb980cc883f190a7f43e4fc77ee186d4dd18cc448f2ce85eeab0c82fb168077e5c338787e827

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2c637dddd8a79e5b0aba8d64e1d69c19

SHA1
70096ba6a7516e0b7852f69b71a8350281c31131

SHA256
287b787f63e3b05d278b6bb48f5da7fc9ae59b345d81898e4d047b1f30c461db

SHA512
28fdb78864794ef34221f79f987320ea6d1014995f9efab2fc8f81798ee0eadbb6a7d297fa2a1ab94d9078c5c1d4497dc4d1c11f72f64efdd64cb0c5c591e50e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a4nfqwvp.mey.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\msvcp110.dll

Filesize
440KB

MD5
2144bb21dc2b6e249c1675491b460b3a

SHA1
44c677eac532eff35258c5891303592168aba822

SHA256
a34b2bc8a33eca8bfbb35e62558f2d1cda6cef50dc3e0894b62339d53225d495

SHA512
7b8fcc13bfa2ad80954b97b930c61f866ce31b6b90bc0032acb65d42d4124e2bec98791763e6d532fdb281728a8de49d65ddb74b3983a3328848b00b0225c605

Download Submit
C:\Users\Admin\Desktop\Rz_Laun_v_6.3.5\P.S.txt

Filesize
229B

MD5
a87a452b961038777f25859ea1709faa

SHA1
dd3b45ad4d1a038c5ab237c564696b816a41160a

SHA256
5f0b5da62f14658a9722aedd1a2822c1eafbf624c20349515309520a30a149f6

SHA512
634a3dd0b8e05bd2d8b962e62ca7ff9e25a7ff297ecd0c87d38dbda34c02f4fcb68646f52e0ec4b2f2c72fed2d61d103bf493afa3622bdb9d235aef7f472fd5e

Download Submit
C:\Users\Admin\Desktop\Rz_Laun_v_6.3.5\Rzlauncher Setup.exe

Filesize
32KB

MD5
c919047959690a1646e561e81d45e5fd

SHA1
5bd528b9f0ec25ea19f0d0bbba41f4422597a488

SHA256
a9f0a76d6e73189b7385b6fcddeccb50e67b65c315b5c20108f86f22fce17802

SHA512
dee29e35b748bb69d0acc56d744eebd50cd462a93178072f9585dadd0c12b93907d7572832733ed0ba255909ae665a8cb102a360acfe3729365ea123480c3fca

Download Submit
C:\Users\Admin\Desktop\Rz_Laun_v_6.3.5\jre\bin\client\jvm.dll

Filesize
3.7MB

MD5
39c302fe0781e5af6d007e55f509606a

SHA1
23690a52e8c6578de6a7980bb78aae69d0f31780

SHA256
b1fbdbb1e4c692b34d3b9f28f8188fc6105b05d311c266d59aa5e5ec531966bc

SHA512
67f91a75e16c02ca245233b820df985bd8290a2a50480dff4b2fd2695e3cf0b4534eb1bf0d357d0b14f15ce8bd13c82d2748b5edd9cc38dc9e713f5dc383ed77

Download Submit
C:\Users\Admin\Desktop\Rz_Laun_v_6.3.5\jre\bin\java.dll

Filesize
123KB

MD5
73bd0b62b158c5a8d0ce92064600620d

SHA1
63c74250c17f75fe6356b649c484ad5936c3e871

SHA256
e7b870deb08bc864fa7fd4dec67cef15896fe802fafb3009e1b7724625d7da30

SHA512
eba1cf977365446b35740471882c5209773a313de653404a8d603245417d32a4e9f23e3b6cd85721143d2f9a0e46ed330c3d8ba8c24aee390d137f9b5cd68d8f

Download Submit
C:\Users\Admin\Desktop\Rz_Laun_v_6.3.5\jre\bin\javaw.exe

Filesize
187KB

MD5
48c96771106dbdd5d42bba3772e4b414

SHA1
e84749b99eb491e40a62ed2e92e4d7a790d09273

SHA256
a96d26428942065411b1b32811afd4c5557c21f1d9430f3696aa2ba4c4ac5f22

SHA512
9f891c787eb8ceed30a4e16d8e54208fa9b19f72eeec55b9f12d30dc8b63e5a798a16b1ccc8cea3e986191822c4d37aedb556e534d2eb24e4a02259555d56a2c

Download Submit
C:\Users\Admin\Desktop\Rz_Laun_v_6.3.5\jre\bin\msvcr100.dll

Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
C:\Users\Admin\Desktop\Rz_Laun_v_6.3.5\jre\bin\verify.dll

Filesize
38KB

MD5
de2167a880207bbf7464bcd1f8bc8657

SHA1
0ff7a5ea29c0364a1162a090dffc13d29bc3d3c7

SHA256
fd856ea783ad60215ce2f920fcb6bb4e416562d3c037c06d047f1ec103cd10b3

SHA512
bb83377c5cff6117cec6fbadf6d40989ce1ee3f37e4ceba17562a59ea903d8962091146e2aa5cc44cfdddf280da7928001eea98abf0c0942d69819b2433f1322

Download Submit
C:\Users\Admin\Desktop\Rz_Laun_v_6.3.5\jre\bin\zip.dll

Filesize
68KB

MD5
cb99b83bbc19cd0e1c2ec6031d0a80bc

SHA1
927e1e24fd19f9ca8b5191ef3cc746b74ab68bcd

SHA256
68148243e3a03a3a1aaf4637f054993cb174c04f6bd77894fe84d74af5833bec

SHA512
29c4978fa56f15025355ce26a52bdf8197b8d8073a441425df3dfc93c7d80d36755cc05b6485dd2e1f168df2941315f883960b81368e742c4ea8e69dd82fa2ba

Download Submit
C:\Users\Admin\Desktop\Rz_Laun_v_6.3.5\jre\lib\ext\meta-index

Filesize
1KB

MD5
77abe2551c7a5931b70f78962ac5a3c7

SHA1
a8bb53a505d7002def70c7a8788b9a2ea8a1d7bc

SHA256
c557f0c9053301703798e01dc0f65e290b0ae69075fb49fcc0e68c14b21d87f4

SHA512
9fe671380335804d4416e26c1e00cded200687db484f770ebbdb8631a9c769f0a449c661cb38f49c41463e822beb5248e69fd63562c3d8c508154c5d64421935

Download Submit
C:\Users\Admin\Desktop\Rz_Laun_v_6.3.5\jre\lib\i386\jvm.cfg

Filesize
657B

MD5
9fd47c1a487b79a12e90e7506469477b

SHA1
7814df0ff2ea1827c75dcd73844ca7f025998cc6

SHA256
a73aea3074360cf62adedc0c82bc9c0c36c6a777c70da6c544d0fba7b2d8529e

SHA512
97b9d4c68ac4b534f86efa9af947763ee61aee6086581d96cbf7b3dbd6fd5d9db4b4d16772dce6f347b44085cef8a6ea3bfd3b84fbd9d4ef763cef39255fbce3

Download Submit
C:\Users\Admin\Desktop\Rz_Laun_v_6.3.5\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
153B

MD5
1e9d8f133a442da6b0c74d49bc84a341

SHA1
259edc45b4569427e8319895a444f4295d54348f

SHA256
1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b

SHA512
63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37

Download Submit
C:\Users\Admin\Desktop\Rz_Laun_v_6.3.5\jre\lib\meta-index

Filesize
2KB

MD5
91aa6ea7320140f30379f758d626e59d

SHA1
3be2febe28723b1033ccdaa110eaf59bbd6d1f96

SHA256
4af21954cdf398d1eae795b6886ca2581dac9f2f1d41c98c6ed9b5dbc3e3c1d4

SHA512
03428803f1d644d89eb4c0dcbdea93acaac366d35fc1356ccabf83473f4fef7924edb771e44c721103cec22d94a179f092d1bfd1c0a62130f076eb82a826d7cb

Download Submit
C:\Users\Admin\Desktop\Rz_Laun_v_6.3.5\lib\activation.jar

Filesize
67KB

MD5
46a37512971d8eca81c3fcf245bf07d2

SHA1
485de3a253e23f645037828c07f1d7f1af40763a

SHA256
ae475120e9fcd99b4b00b38329bd61cdc5eb754eee03fe66c01f50e137724f99

SHA512
49119b0cc3af02700685a55c6f15e6d40643f81640e642b9ea39a59e18d542f8837d30b43b5be006ce1a98c8ec9729bb2165c0442978168f64caa2fc6e3cb93d

Download Submit
C:\Users\Admin\Desktop\Rz_Laun_v_6.3.5\lib\asm-all.jar

Filesize
241KB

MD5
f5ad16c7f0338b541978b0430d51dc83

SHA1
2ea49e08b876bbd33e0a7ce75c8f371d29e1f10a

SHA256
7fbffbc1db3422e2101689fd88df8384b15817b52b9b2b267b9f6d2511dc198d

SHA512
82e6749f4a6956f5b8dd5a5596ca170a1b7ff4e551714b56a293e6b8c7b092cbec2bec9dc0d9503404deb8f175cbb1ded2e856c6bc829411c8ed311c1861336a

Download Submit
C:\Users\Admin\Desktop\Rz_Laun_v_6.3.5\lib\commons-email.jar

Filesize
48KB

MD5
f045afea3cb27ead50b0c59fc3f0dffd

SHA1
c1a7133db9008fa1eae082e6158c3f4c128ec27e

SHA256
268253139a8936afa68909df8ced52a9d769665ee9373a60e19a93f254fd54b5

SHA512
0e2d2cbef9d4c19310748e37ad909e57aa37490a7dfd41557b1914857fe7235e434a6fdee00f663688941da3e70fe882b5c63df10ba8c7ad18936959f906722b

Download Submit
C:\Users\Admin\Desktop\Rz_Laun_v_6.3.5\lib\cs2 skin.mp4

Filesize
29.8MB

MD5
2f7673bca9174e64a57f29ca1e7ebde6

SHA1
03a65d9372a3c2525d69d5ec68caa468dbaed7f9

SHA256
525f4d30e77d75e48d4d12eb128180a15a4d38d919e64454904cab45478daa32

SHA512
4c97a01838bbd30e60ddf0e9f0b4a36dcaf095b217fc544e008b0b163e242760ee2f482e7dd84aff2a4d8ce9e53017e1378e22ca7de1fb40186cbdbbac3162cd

Download Submit
C:\Users\Admin\Desktop\Rz_Laun_v_6.3.5\lib\dn-compiled-module.jar

Filesize
1.0MB

MD5
1d23a047992eef13c68e96a8c11fc056

SHA1
e47f3e187f77d18b29491b9d39cf0744f968c358

SHA256
53aa97ce411f6f185580c3683cc3b4ba8b8b8c6f0bcd29009243667e7fd33593

SHA512
526a042f2eb0d502b137c3d63648206510ee53f49e449c40d53f3980bb1116bc9998afbbb5f01c591a5fb773112f87dd4ec3ec8fcfbb1f16483ab60f08d9d5f9

Download Submit
C:\Users\Admin\Desktop\Rz_Laun_v_6.3.5\lib\dn-php-sdk.jar

Filesize
12KB

MD5
3e5e8cccff7ff343cbfe22588e569256

SHA1
66756daa182672bff27e453eed585325d8cc2a7a

SHA256
0f26584763ef1c5ec07d1f310f0b6504bc17732f04e37f4eb101338803be0dc4

SHA512
8ea5f31e25c3c48ee21c51abe9146ee2a270d603788ec47176c16acac15dad608eef4fa8ca0f34a1bbc6475c29e348bd62b0328e73d2e1071aaa745818867522

Download Submit
C:\Users\Admin\Desktop\Rz_Laun_v_6.3.5\lib\gson.jar

Filesize
226KB

MD5
5134a2350f58890ffb9db0b40047195d

SHA1
751f548c85fa49f330cecbb1875893f971b33c4e

SHA256
2d43eb5ea9e133d2ee2405cc14f5ee08951b8361302fdd93494a3a997b508d32

SHA512
c3cdaf66a99e6336abc80ff23374f6b62ac95ab2ae874c9075805e91d849b18e3f620cc202b4978fc92b73d98de96089c8714b1dd096b2ae1958cfa085715f7a

Download Submit
C:\Users\Admin\Desktop\Rz_Laun_v_6.3.5\lib\jfoenix.jar

Filesize
2.3MB

MD5
6316f84bc78d40b138dab1adc978ca5d

SHA1
b12ea05331ad89a9b09937367ebc20421f17b9ff

SHA256
d637e3326f87a173abd5f51ac98906a3237b9e511d07d31d6aafcf43f33dac17

SHA512
1cdca01ed9c2bc607207c8c51f4b532f4153e94b3846308332eccae25f9c5fddf8279e3063f44a75dd43d696eab0f9f340f9bf2f3ec805ab0f2f1de5135a426c

Download Submit
C:\Users\Admin\Desktop\Rz_Laun_v_6.3.5\lib\jkeymaster.jar

Filesize
51KB

MD5
21a017201cbb16ae0546069d4371f1c2

SHA1
9f1e8c9341a8a0c51299b961c4f6c7661c822756

SHA256
a2d68aaf08f15ff1c3b9b224641e8b4c35ee30b10f655d6420571b0429f19c87

SHA512
6c65740c17de72ba7b0df95aa29d095a1502f298924c63f364328f6fbb38920e92e0246d28a642f7c9fe3ab582341e607b0ae01515d470b4595d698ce81363d6

Download Submit
C:\Users\Admin\Desktop\Rz_Laun_v_6.3.5\lib\jna.jar

Filesize
1.1MB

MD5
8d536ddbe44d1500d262960891911f91

SHA1
fcc5b10cb812c41b00708e7b57baccc3aee5567c

SHA256
edc2a2c4f9b0b55fdc66aef3c9a9ddfff97e4b892842d4c0e1bc6eaff704abcb

SHA512
0ff97f158d1b1fbbef35813a1be2cc9f0c2321fa66e47af3276d3cb93178e668a652bac8a1aee82986dbf86e6db34518045eddfdd10ca827f3e4762faaa814f3

Download Submit
C:\Users\Admin\Desktop\Rz_Laun_v_6.3.5\lib\jphp-app-framework.jar

Filesize
103KB

MD5
0c8768cdeb3e894798f80465e0219c05

SHA1
c4da07ac93e4e547748ecc26b633d3db5b81ce47

SHA256
15f36830124fc7389e312cf228b952024a8ce8601bf5c4df806bc395d47db669

SHA512
35db507a3918093b529547e991ab6c1643a96258fc95ba1ea7665ff762b0b8abb1ef732b3854663a947effe505be667bd2609ffcccb6409a66df605f971da106

Download Submit
C:\Users\Admin\Desktop\Rz_Laun_v_6.3.5\lib\jphp-core.jar

Filesize
464KB

MD5
7e5e3d6d352025bd7f093c2d7f9b21ab

SHA1
ad9bfc2c3d70c574d34a752c5d0ebcc43a046c57

SHA256
5b37e8ff2850a4cbb02f9f02391e9f07285b4e0667f7e4b2d4515b78e699735a

SHA512
c19c29f8ad8b6beb3eed40ab7dc343468a4ca75d49f1d0d4ea0b4a5cee33f745893fba764d35c8bd157f7842268e0716b1eb4b8b26dcf888fb3b3f4314844aad

Download Submit
C:\Users\Admin\Desktop\Rz_Laun_v_6.3.5\lib\jphp-desktop-ext.jar

Filesize
16KB

MD5
b50e2c75f5f0e1094e997de8a2a2d0ca

SHA1
d789eb689c091536ea6a01764bada387841264cb

SHA256
cf4068ebb5ecd47adec92afba943aea4eb2fee40871330d064b69770cccb9e23

SHA512
57d8ac613805edada6aeba7b55417fd7d41c93913c56c4c2c1a8e8a28bbb7a05aade6e02b70a798a078dc3c747967da242c6922b342209874f3caf7312670cb0

Download Submit
C:\Users\Admin\Desktop\Rz_Laun_v_6.3.5\lib\jphp-desktop-hotkey-ext.jar

Filesize
5KB

MD5
22acc05e1efc1d4c5faa0359ce725d47

SHA1
458e7f911d024a3d786e76f256b017b0901f48f8

SHA256
c55c267d954ec9f24226780ee49fa7e1bc2baec3af6bfc0caa6cc1b49d8ca90c

SHA512
b11754f5337a73d317ae311fd4c20c0b548e1163107b741cc9e6d4d9027a8f99551e3184a83f9ad20098092e87ef1741c1e437058b7cac92727124589c303ef5

Download Submit
C:\Users\Admin\Desktop\Rz_Laun_v_6.3.5\lib\jphp-gui-ext.jar

Filesize
688KB

MD5
6696368a09c7f8fed4ea92c4e5238cee

SHA1
f89c282e557d1207afd7158b82721c3d425736a7

SHA256
c25d7a7b8f0715729bccb817e345f0fdd668dd4799c8dab1a4db3d6a37e7e3e4

SHA512
0ab24f07f956e3cdcd9d09c3aa4677ff60b70d7a48e7179a02e4ff9c0d2c7a1fc51624c3c8a5d892644e9f36f84f7aaf4aa6d2c9e1c291c88b3cff7568d54f76

Download Submit
C:\Users\Admin\Desktop\Rz_Laun_v_6.3.5\lib\jphp-gui-jfoenix-ext.jar

Filesize
50KB

MD5
d093f94c050d5900795de8149cb84817

SHA1
54058dda5c9e66a22074590072c8a48559bba1fb

SHA256
4bec0794a0d69debe2f955bf495ea7c0858ad84cb0d2d549cacb82e70c060cba

SHA512
3faaa415fba5745298981014d0042e8e01850fccaac22f92469765fd8c56b920da877ff3138a629242d9c52e270e7e2ce89e7c69f6902859f48ea0359842e2fb

Download Submit
C:\Users\Admin\Desktop\Rz_Laun_v_6.3.5\lib\jphp-json-ext.jar

Filesize
16KB

MD5
fde38932b12fc063451af6613d4470cc

SHA1
bc08c114681a3afc05fb8c0470776c3eae2eefeb

SHA256
9967ea3c3d1aee8db5a723f714fba38d2fc26d8553435ab0e1d4e123cd211830

SHA512
0f211f81101ced5fff466f2aab0e6c807bb18b23bc4928fe664c60653c99fa81b34edf5835fcc3affb34b0df1fa61c73a621df41355e4d82131f94fcc0b0e839

Download Submit
C:\Users\Admin\Desktop\Rz_Laun_v_6.3.5\lib\jphp-jsoup-ext.jar

Filesize
19KB

MD5
d963210c02cd1825e967086827da8294

SHA1
26c4d004b5ffdb8f81de2d6b158a3f34819faf01

SHA256
7908145cf17301bedefd6e3af8c93e0320582c0562919ffb56cc21b7fd532b96

SHA512
756c21dc1a02d579f0e2ed39e5bedca5491087cdc28e3e96c8663a493bcfeeeeea44dc40681ec6341426dfa995883dbce11b76d1f921e043ae220399a9e554fb

Download Submit
C:\Users\Admin\Downloads\Rz_Laun_v_6.3.5.rar:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
\??\pipe\LOCAL\crashpad_2076_BDANBJQKLUFIGHDO

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/424-1344-0x0000000006EB0000-0x0000000006F46000-memory.dmp

Filesize
600KB

Download
memory/424-1347-0x0000000007500000-0x0000000007AA6000-memory.dmp

Filesize
5.6MB

Download
memory/424-1319-0x0000000000CF0000-0x0000000000D26000-memory.dmp

Filesize
216KB

Download
memory/424-1345-0x00000000061A0000-0x00000000061BA000-memory.dmp

Filesize
104KB

Download
memory/424-1346-0x00000000061F0000-0x0000000006212000-memory.dmp

Filesize
136KB

Download
memory/424-1342-0x0000000005CB0000-0x0000000005CCE000-memory.dmp

Filesize
120KB

Download
memory/424-1343-0x0000000005CE0000-0x0000000005D2C000-memory.dmp

Filesize
304KB

Download
memory/1036-1599-0x00000000008A0000-0x0000000000904000-memory.dmp

Filesize
400KB

Download
memory/1036-1600-0x0000000002D60000-0x0000000002D66000-memory.dmp

Filesize
24KB

Download
memory/1120-1474-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

Filesize
4KB

Download
memory/1120-1441-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

Filesize
4KB

Download
memory/1120-1479-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

Filesize
4KB

Download
memory/1120-1483-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

Filesize
4KB

Download
memory/1220-1254-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/1220-1288-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/1220-1296-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/1220-1293-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/2148-1531-0x0000000005B90000-0x0000000005EE7000-memory.dmp

Filesize
3.3MB

Download
memory/2148-1540-0x000000006E760000-0x000000006E7AC000-memory.dmp

Filesize
304KB

Download
memory/2688-1608-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2688-1610-0x0000000006630000-0x00000000066C2000-memory.dmp

Filesize
584KB

Download
memory/3000-1392-0x0000000007030000-0x000000000703E000-memory.dmp

Filesize
56KB

Download
memory/3000-1394-0x0000000007130000-0x000000000714A000-memory.dmp

Filesize
104KB

Download
memory/3000-1390-0x0000000006E60000-0x0000000006E6A000-memory.dmp

Filesize
40KB

Download
memory/3000-1351-0x0000000005510000-0x0000000005867000-memory.dmp

Filesize
3.3MB

Download
memory/3000-1380-0x000000006E760000-0x000000006E7AC000-memory.dmp

Filesize
304KB

Download
memory/3000-1393-0x0000000007040000-0x0000000007055000-memory.dmp

Filesize
84KB

Download
memory/3548-1395-0x0000000007E50000-0x0000000007E58000-memory.dmp

Filesize
32KB

Download
memory/3548-1389-0x0000000008150000-0x00000000087CA000-memory.dmp

Filesize
6.5MB

Download
memory/3548-1379-0x0000000007A20000-0x0000000007AC4000-memory.dmp

Filesize
656KB

Download
memory/3548-1378-0x0000000007750000-0x000000000776E000-memory.dmp

Filesize
120KB

Download
memory/3548-1369-0x000000006E760000-0x000000006E7AC000-memory.dmp

Filesize
304KB

Download
memory/3548-1368-0x0000000007770000-0x00000000077A4000-memory.dmp

Filesize
208KB

Download
memory/3548-1391-0x0000000007D20000-0x0000000007D31000-memory.dmp

Filesize
68KB

Download
memory/3948-1191-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3968-1411-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3992-1406-0x0000022356DC0000-0x0000022356DC1000-memory.dmp

Filesize
4KB

Download
memory/3992-1405-0x0000022356DC0000-0x0000022356DC1000-memory.dmp

Filesize
4KB

Download
memory/3992-1404-0x0000022356DC0000-0x0000022356DC1000-memory.dmp

Filesize
4KB

Download
memory/3992-1407-0x0000022356DC0000-0x0000022356DC1000-memory.dmp

Filesize
4KB

Download
memory/3992-1408-0x0000022356DC0000-0x0000022356DC1000-memory.dmp

Filesize
4KB

Download
memory/3992-1409-0x0000022356DC0000-0x0000022356DC1000-memory.dmp

Filesize
4KB

Download
memory/3992-1410-0x0000022356DC0000-0x0000022356DC1000-memory.dmp

Filesize
4KB

Download
memory/3992-1399-0x0000022356DC0000-0x0000022356DC1000-memory.dmp

Filesize
4KB

Download
memory/3992-1400-0x0000022356DC0000-0x0000022356DC1000-memory.dmp

Filesize
4KB

Download
memory/3992-1398-0x0000022356DC0000-0x0000022356DC1000-memory.dmp

Filesize
4KB

Download
memory/4124-1549-0x000000006E760000-0x000000006E7AC000-memory.dmp

Filesize
304KB

Download
memory/4328-1327-0x00000000064C0000-0x0000000006817000-memory.dmp

Filesize
3.3MB

Download
memory/4328-1323-0x0000000005CE0000-0x0000000005D46000-memory.dmp

Filesize
408KB

Download
memory/4328-1324-0x0000000005D50000-0x0000000005DB6000-memory.dmp

Filesize
408KB

Download
memory/4328-1322-0x0000000005940000-0x0000000005962000-memory.dmp

Filesize
136KB

Download
memory/4328-1320-0x0000000005E90000-0x00000000064BA000-memory.dmp

Filesize
6.2MB

Download