growtopia | hxxps://www[.]mediafire[.]com/file/r599ey99pk4ht8l/Vespy_Reborn[.]zip/file

Analysis

max time kernel
90s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26-02-2024 21:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/r599ey99pk4ht8l/Vespy_Reborn.zip/file

Score

10^/10

growtopia zgrat evasion persistence pyinstaller rat stealer

Malware Config

Extracted

Family

growtopia

https://discord.com/api/webhooks/1199763266872803338/8vedcXoMcyExhe1xhBm5f8ncmafWmOB3pkulE0l8g9Pel0t3ziyr2V51cLTVEjYsE4Rj

Signatures

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral1/memory/5448-395-0x0000000005390000-0x00000000053FC000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-397-0x0000000005390000-0x00000000053F5000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-398-0x0000000005390000-0x00000000053F5000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-414-0x0000000005390000-0x00000000053F5000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-402-0x0000000005390000-0x00000000053F5000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-417-0x0000000005390000-0x00000000053F5000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-431-0x0000000005390000-0x00000000053F5000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-452-0x0000000005390000-0x00000000053F5000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-459-0x0000000005390000-0x00000000053F5000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-465-0x0000000005390000-0x00000000053F5000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-479-0x0000000005390000-0x00000000053F5000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-481-0x0000000005390000-0x00000000053F5000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-477-0x0000000005390000-0x00000000053F5000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-486-0x0000000005390000-0x00000000053F5000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-483-0x0000000005390000-0x00000000053F5000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-489-0x0000000005390000-0x00000000053F5000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-492-0x0000000005390000-0x00000000053F5000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-495-0x0000000005390000-0x00000000053F5000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-497-0x0000000005390000-0x00000000053F5000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-519-0x0000000005390000-0x00000000053F5000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-521-0x0000000005390000-0x00000000053F5000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-514-0x0000000005390000-0x00000000053F5000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-528-0x0000000005390000-0x00000000053F5000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-530-0x0000000005390000-0x00000000053F5000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-540-0x0000000005390000-0x00000000053F5000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-545-0x0000000005390000-0x00000000053F5000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-547-0x0000000005390000-0x00000000053F5000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-550-0x0000000005390000-0x00000000053F5000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-552-0x0000000005390000-0x00000000053F5000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-554-0x0000000005390000-0x00000000053F5000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-556-0x0000000005390000-0x00000000053F5000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-558-0x0000000005390000-0x00000000053F5000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-561-0x0000000005390000-0x00000000053F5000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-563-0x0000000005390000-0x00000000053F5000-memory.dmp	family_zgrat_v1

Growtopia
Growtopa is an opensource modular stealer written in C#.
stealer growtopia
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 2 IoCs

pid	Process
5448	Ilkdt.exe
4008	WinHostMgr.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
264	discord.com
265	discord.com

Launches sc.exe 9 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3560	sc.exe
4352	sc.exe
5876	sc.exe
6004	sc.exe
1516	sc.exe
408	sc.exe
1076	sc.exe
2184	sc.exe
5732	sc.exe

Detects Pyinstaller 4 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x00070000000232f7-392.dat	pyinstaller
behavioral1/files/0x00070000000232f7-390.dat	pyinstaller
behavioral1/files/0x00070000000232f7-403.dat	pyinstaller
behavioral1/files/0x00070000000232f7-430.dat	pyinstaller

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2068	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4120	msedge.exe
4120	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
5580	identity_helper.exe
5580	identity_helper.exe
5676	msedge.exe
5676	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5496	VespyGrabberBuilder.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4728 wrote to memory of 3132	4728	msedge.exe	49
PID 4728 wrote to memory of 3132	4728	msedge.exe	49
PID 4728 wrote to memory of 1144	4728	msedge.exe	87
PID 4728 wrote to memory of 1144	4728	msedge.exe	87
PID 4728 wrote to memory of 1144	4728	msedge.exe	87
PID 4728 wrote to memory of 1144	4728	msedge.exe	87
PID 4728 wrote to memory of 1144	4728	msedge.exe	87
PID 4728 wrote to memory of 1144	4728	msedge.exe	87
PID 4728 wrote to memory of 1144	4728	msedge.exe	87
PID 4728 wrote to memory of 1144	4728	msedge.exe	87
PID 4728 wrote to memory of 1144	4728	msedge.exe	87
PID 4728 wrote to memory of 1144	4728	msedge.exe	87
PID 4728 wrote to memory of 1144	4728	msedge.exe	87
PID 4728 wrote to memory of 1144	4728	msedge.exe	87
PID 4728 wrote to memory of 1144	4728	msedge.exe	87
PID 4728 wrote to memory of 1144	4728	msedge.exe	87
PID 4728 wrote to memory of 1144	4728	msedge.exe	87
PID 4728 wrote to memory of 1144	4728	msedge.exe	87
PID 4728 wrote to memory of 1144	4728	msedge.exe	87
PID 4728 wrote to memory of 1144	4728	msedge.exe	87
PID 4728 wrote to memory of 1144	4728	msedge.exe	87
PID 4728 wrote to memory of 1144	4728	msedge.exe	87
PID 4728 wrote to memory of 1144	4728	msedge.exe	87
PID 4728 wrote to memory of 1144	4728	msedge.exe	87
PID 4728 wrote to memory of 1144	4728	msedge.exe	87
PID 4728 wrote to memory of 1144	4728	msedge.exe	87
PID 4728 wrote to memory of 1144	4728	msedge.exe	87
PID 4728 wrote to memory of 1144	4728	msedge.exe	87
PID 4728 wrote to memory of 1144	4728	msedge.exe	87
PID 4728 wrote to memory of 1144	4728	msedge.exe	87
PID 4728 wrote to memory of 1144	4728	msedge.exe	87
PID 4728 wrote to memory of 1144	4728	msedge.exe	87
PID 4728 wrote to memory of 1144	4728	msedge.exe	87
PID 4728 wrote to memory of 1144	4728	msedge.exe	87
PID 4728 wrote to memory of 1144	4728	msedge.exe	87
PID 4728 wrote to memory of 1144	4728	msedge.exe	87
PID 4728 wrote to memory of 1144	4728	msedge.exe	87
PID 4728 wrote to memory of 1144	4728	msedge.exe	87
PID 4728 wrote to memory of 1144	4728	msedge.exe	87
PID 4728 wrote to memory of 1144	4728	msedge.exe	87
PID 4728 wrote to memory of 1144	4728	msedge.exe	87
PID 4728 wrote to memory of 1144	4728	msedge.exe	87
PID 4728 wrote to memory of 4120	4728	msedge.exe	86
PID 4728 wrote to memory of 4120	4728	msedge.exe	86
PID 4728 wrote to memory of 2940	4728	msedge.exe	88
PID 4728 wrote to memory of 2940	4728	msedge.exe	88
PID 4728 wrote to memory of 2940	4728	msedge.exe	88
PID 4728 wrote to memory of 2940	4728	msedge.exe	88
PID 4728 wrote to memory of 2940	4728	msedge.exe	88
PID 4728 wrote to memory of 2940	4728	msedge.exe	88
PID 4728 wrote to memory of 2940	4728	msedge.exe	88
PID 4728 wrote to memory of 2940	4728	msedge.exe	88
PID 4728 wrote to memory of 2940	4728	msedge.exe	88
PID 4728 wrote to memory of 2940	4728	msedge.exe	88
PID 4728 wrote to memory of 2940	4728	msedge.exe	88
PID 4728 wrote to memory of 2940	4728	msedge.exe	88
PID 4728 wrote to memory of 2940	4728	msedge.exe	88
PID 4728 wrote to memory of 2940	4728	msedge.exe	88
PID 4728 wrote to memory of 2940	4728	msedge.exe	88
PID 4728 wrote to memory of 2940	4728	msedge.exe	88
PID 4728 wrote to memory of 2940	4728	msedge.exe	88
PID 4728 wrote to memory of 2940	4728	msedge.exe	88
PID 4728 wrote to memory of 2940	4728	msedge.exe	88
PID 4728 wrote to memory of 2940	4728	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/r599ey99pk4ht8l/Vespy_Reborn.zip/file
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaf53746f8,0x7ffaf5374708,0x7ffaf5374718
  2⤵
  PID:3132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,15514698008383555302,7273235208219985528,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,15514698008383555302,7273235208219985528,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
  2⤵
  PID:1144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,15514698008383555302,7273235208219985528,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
  2⤵
  PID:2940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15514698008383555302,7273235208219985528,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:2076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15514698008383555302,7273235208219985528,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:1404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15514698008383555302,7273235208219985528,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
  2⤵
  PID:2844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15514698008383555302,7273235208219985528,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1
  2⤵
  PID:3048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15514698008383555302,7273235208219985528,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
  2⤵
  PID:4044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15514698008383555302,7273235208219985528,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
  2⤵
  PID:4776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15514698008383555302,7273235208219985528,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
  2⤵
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15514698008383555302,7273235208219985528,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6332 /prefetch:1
  2⤵
  PID:2336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15514698008383555302,7273235208219985528,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6676 /prefetch:1
  2⤵
  PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15514698008383555302,7273235208219985528,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6876 /prefetch:1
  2⤵
  PID:432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15514698008383555302,7273235208219985528,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7076 /prefetch:1
  2⤵
  PID:4180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15514698008383555302,7273235208219985528,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7288 /prefetch:1
  2⤵
  PID:2692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15514698008383555302,7273235208219985528,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:1
  2⤵
  PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15514698008383555302,7273235208219985528,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:5208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2176,15514698008383555302,7273235208219985528,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7232 /prefetch:8
  2⤵
  PID:5200
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,15514698008383555302,7273235208219985528,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6200 /prefetch:8
  2⤵
  PID:5564
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,15514698008383555302,7273235208219985528,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6200 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2176,15514698008383555302,7273235208219985528,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6608 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15514698008383555302,7273235208219985528,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6664 /prefetch:1
  2⤵
  PID:5780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15514698008383555302,7273235208219985528,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:1
  2⤵
  PID:5788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15514698008383555302,7273235208219985528,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6992 /prefetch:1
  2⤵
  PID:5980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15514698008383555302,7273235208219985528,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7804 /prefetch:1
  2⤵
  PID:5988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15514698008383555302,7273235208219985528,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7936 /prefetch:1
  2⤵
  PID:1016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15514698008383555302,7273235208219985528,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
  2⤵
  PID:1752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15514698008383555302,7273235208219985528,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1292 /prefetch:1
  2⤵
  PID:5660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15514698008383555302,7273235208219985528,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
  2⤵
  PID:928

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4176

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1212

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5276

C:\Users\Admin\Downloads\Vespy_Reborn\Vespy\VespyGrabberBuilder.exe
"C:\Users\Admin\Downloads\Vespy_Reborn\Vespy\VespyGrabberBuilder.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:5496
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAcgB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAZAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AdABwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGkAYgBxACMAPgA="
  2⤵
  PID:5216
- C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe
  "C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe"
  2⤵
  - Executes dropped EXE
  PID:5448
- C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe
  "C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe"
  2⤵
  - Executes dropped EXE
  PID:4008
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    PID:5220
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3164
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:5160
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:5732
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:4352
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:6004
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "GMDTJRUT"
    3⤵
    - Launches sc.exe
    PID:1516
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    PID:2140
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    PID:2744
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    PID:6068
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    PID:1048
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:5876
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "GMDTJRUT" binpath= "C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:3560
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "GMDTJRUT"
    3⤵
    - Launches sc.exe
    PID:408
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:1076
- C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe
  "C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe"
  2⤵
  PID:3304
- C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe
  "C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe"
  2⤵
  PID:544
- - C:\Users\Admin\AppData\Local\Temp\XenoManager\WinErrorMgr.exe
    "C:\Users\Admin\AppData\Local\Temp\XenoManager\WinErrorMgr.exe"
    3⤵
    PID:5484
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /Create /TN "WindowsErrorHandler" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFBDF.tmp" /F
      4⤵
      Creates scheduled task(s)
      PID:2068
- C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe
  "C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe"
  2⤵
  PID:5736
- - C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe
    "C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe"
    3⤵
    PID:5952

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Vespy_Reborn\Vespy\READ ME.txt
1⤵
PID:2136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffaf53746f8,0x7ffaf5374708,0x7ffaf5374718
1⤵
PID:2292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://onepiecered.co/s?mH4q
1⤵
PID:3956

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
1⤵
PID:5400

C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe
C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe
1⤵
PID:3584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe

Filesize
512KB

MD5
eead9d6a936e06d8e4bde69416edf494

SHA1
83799dfdec0a7413d9be77da483fdbfa0cef6f5a

SHA256
56f4565aab6820923927e5f5f8612eee4ef4eb1f1bc9cdd6679dbb3d972524f2

SHA512
93140f963aaef8764f25fda7f1d125d03545dec501f47e5a0aa7a67f3f6c03a69a32bf10b3121656fd05e19033df8a8bcbb02a881532fbc3f111c21818a45656

Download Submit
C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe

Filesize
192KB

MD5
c40ea96392a644d5222f1d733e6bc8bd

SHA1
1f45890774729dea53a7a3d1e325ef4079ca4688

SHA256
1bc10f187a41daaec9496b33dae180bc8d56f1ddeb02123e53cf042186450bfe

SHA512
dac74ad528a57209d0ac7c5221d2ca822671f6166b30185018b10a3f4cf37daef746f19ad88a8745e36f98b45f8a8789f301a371b90fb8aebc60ff4c2afa6fc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
73c8d54f775a1b870efd00cb75baf547

SHA1
33024c5b7573c9079a3b2beba9d85e3ba35e6b0e

SHA256
1ce86be0476a2a9e409fcb817126285bc4ad83efd03ee06a2f86910fe18d4d94

SHA512
191344f5830cfea68499bd49073ffa7215a42265a9629d203d07849b2417c0ffdbdbf288bf2c669e91009a0d7e8bd6a6b378c92fc283049141231ca7bf4da3b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4b206e54d55dcb61072236144d1f90f8

SHA1
c2600831112447369e5b557e249f86611b05287d

SHA256
87bf9a4c3564eb3d8bef70450da843ae6003271222734c4d28d9961c52782e0b

SHA512
c9e8d2452368873e0622b002a0c2f8a2714b5897a09475738a9f9740122d716a9f0d3841725230d58e039564c820d32a6f3a675a7bb04bd163bab53dcb4e22f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
d632157f20f50da7e4fb5eee28ae8435

SHA1
016db93bc4b727a97bc563926360c7b0c579cedf

SHA256
cd8400b07ea53221abb35b6552754ea0b0ee6636debd9f276351679587957cba

SHA512
f6d85d7380cc061ea228158e92c20d043c6c0950ffcd9257c2413e2c59a150b8cd4f8fd9c8100829eb69304a0521719755db0c09cdc0f001601ab2731a32cbdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
8KB

MD5
80efccd6e282a7e763e8547467f56ae2

SHA1
66010279aaf58e56c082f14f894b8a1adec9b374

SHA256
cde6edcceb763cea36e80c75294a09400e28496daae2139e62d2fe798dc9c757

SHA512
97d6bab9e6183113a00c47fa210a86e4c198067810ef6cb962b5c9605aac7e5bea8141c2b744321361e663013abba7963e1fc7a8e11ede7d65bce5bb53ac4f80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
73b091806592bb140e1360486cc554d3

SHA1
311cd77bfc2e8b2f1194e375fd195ae27d1a9165

SHA256
4dd372a3aba8e5dd766df37ce30a7f209c29ab0c818171d52e00d0e1312544c3

SHA512
dbb44e53b4969dae3dc64b5862ce9c9a9ca115461315c509ef7bc01c7afe208a04f43c01e821b9d208fd92741e966c76603e3dddd86b3b362b72f8d91ee8e654

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
161548acac12857d0a61e0a8ec38ec16

SHA1
7aacf2e8a1da29990603eff48483ce8c082e04e2

SHA256
ac4214ddd1b5b57945facc4d1b8db1bfe48c88e7e7c232e9a909ac96e35ea8db

SHA512
0b5a9da1e473fdd284b08408022b000b343e7e81d735a6c32606df5004678bddef4d0f2af1ce6c192e58bd66d32e2531a9f07b1a516108dc953728e93607c3a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
f3ad0d204755fe326a2814706aa01c07

SHA1
7b946ac4699eb65aac3f50309b8d29a1002cbe1d

SHA256
67f4c79fe006b9f4f89111621723d62a0d94067b2b2581274c93a00916a818dc

SHA512
bb469178bca7e8d9ddaaabb97564fcb67716cc18aa422078bcb26bb9d53525f957ff5ab7a61f84c0188d040dec09cf6705f3f26ae8c12c6b61940e0fead3fe18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
8eaf62d57103be9f02ea8e9199059b3b

SHA1
b9c0422e4660a57a8f088006d0a188ce39f0d522

SHA256
a0734ba1939f40a137fd714cd0c9cf5a9800ac8ed83526948a0f932eed9ca781

SHA512
a4c561573c249d52bbc17b75ba37f49b417ffa2a1f5ed28369f79b1c560fb81b5404cd0b155c7ef7f456d68aba2d1d23db0f5d6e310cca60fb5933a75375aa29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
75c216b46a3578870cb185e5aeb8c5a6

SHA1
6a39dc3f653bc4f548e5f647bb3b61c071284b75

SHA256
01a03594e4dad4b8f3417ac94f3e137e1b9e34960fafc712bdfd035798fe99fa

SHA512
0e574b18c7ddb6f100f9e9e51e05a198963fabfa8ca73dba0317fad86fa5f5a013c2110b34a4e420360fbf396bf521ede3b66bebe8353623355bdc5196b2eb89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d3f9.TMP

Filesize
2KB

MD5
ebb4e8c8db7d08608c6c96d92794145e

SHA1
08fc2a5feb3888eb46caf41ad22a2075f51c33f0

SHA256
118801dd15595737dc7ae7ca6710174ca8b45801d1c1aa7da42b924be03f5304

SHA512
3dbb04174aab3914b1716b409f78830d7014565213fb799ff175c72ef084829a0116e29450d4585c307e768096b0e14f950b8e59f6dd9aacbbf68fa367794370

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f9d40ba68c69049440de31602451539c

SHA1
8454213bcfa752d39ef7694cef0d10cdac859577

SHA256
0582c0f6cffeeda61de17cbd2415412e39b8440bc599dc1d4ee9f25a4ad1a164

SHA512
49e8f6ac18fe8e623e8b220656431260d158a1dd19c8c7ed05f03e00a74dce13ec1b1f7c4a6dda8fbb72827988649f62813a75baecb28fba542852f74cf38eda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c9339707ddab227476c42bb314fe7913

SHA1
e532a425dfa07d65d337fbb932c575781b6ed374

SHA256
3a30072df183e1f200505012718c879fc62e914f602adfa5cb9432fd308f2aed

SHA512
a0dd9f70b40aeaa42d50a3e3ddd1d8996076529b221e73b479e2f5e16efc0d986b5264a64c695cc8bc06a1463f6640965facc1b6aa510282b8ffb784454909d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
9405b012edc91e6d6d06ce67b1d16227

SHA1
da54e0738c0ae460ef654e6547a964f5f60a1eac

SHA256
5efb5c54c58e4b683c81d51115bbe8a0b4f93ff77e65a0323c633e4ca99215c6

SHA512
8118c0daee43e0c022be3460f9177400100a16fb05889d1803b7e6b113120887796bea5ad2b2e268d7e623b864bf49d80d471fd5bd5ef77fbbeef7645c81e525

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe

Filesize
191KB

MD5
e004a568b841c74855f1a8a5d43096c7

SHA1
b90fd74593ae9b5a48cb165b6d7602507e1aeca4

SHA256
d49013d6be0f0e727c0b53bce1d3fed00656c7a2836ceef0a9d4cb816a5878db

SHA512
402dd4d4c57fb6f5c7a531b7210a897dfe41d68df99ae4d605944f6e5b2cecaafa3fe27562fe45e7e216a7c9e29e63139d4382310b41f04a35ad56115fbed2af

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe

Filesize
1.6MB

MD5
839f95d4934c462e3320a43a72dfed1d

SHA1
6087ad0e4c409a82005155b50b4836faef414286

SHA256
36fa24f22245322aa9fec2817b85aa82256477baf780bb3358bbdd715992dfc2

SHA512
542fad98ed298f4cc077cda1bcb6eeb794b1a94539512385d50ed6efa8ea075459836ec17ae3401240cefb59235f840a24f227265ea53e22cab950fc6391014f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe

Filesize
704KB

MD5
b48278dae3884da2b7d752c8ebd3d611

SHA1
88f6db74bf6bff42a97468035ff90c14a5ba1ff1

SHA256
57e49ecc12290ef6736d0a9341a1e4d820c32af90d0691ac055a3d01fb8458b8

SHA512
73cd1c1b0ccadc5b8abf975c6bc392c8431c1d4435c0e909d71ec6d581a87d6747d74c46c78bdd6be4cf013db22ffd9470446004608c1332be3ebdbc3653de2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe

Filesize
192KB

MD5
d20b2f2c91929babf6c41356866e79b3

SHA1
9516dbf3cbc6214fb180906b6e3283d22026615c

SHA256
01fa70728a9bd67b9d6b0a1db8f15ccbacdcd7fc0167eeb0388dcea98a504e72

SHA512
78675bf9db6a23c797a5d96fa79f417e117c993b557c1f681d1a834887aef538a715e0dbd39f6427ff1776396bf6ae80aa7502775418c05fa887c5423c809249

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe

Filesize
2.9MB

MD5
d3e8e407ad0267adc4e9052e7c1e6079

SHA1
cdcdeca98ca55aba51fdb7894f1f8277063993ba

SHA256
758445d338578571c242a29b29206f560e2cbfa164789306b1bb50c1487d5a85

SHA512
4a3d0406b11d8717265d3d40661240124e6f4e3fbb277f7df0e1b700dccb1f4a0a31dafb11b23af3b5232d906491244341d55ea492887ca8940266a9cb191b4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe

Filesize
316KB

MD5
675d9e9ab252981f2f919cf914d9681d

SHA1
7485f5c9da283475136df7fa8b62756efbb5dd17

SHA256
0f055835332ef8e368185ae461e7c9eacdeb3d600ea550d605b09a20e0856e2d

SHA512
9dd936705fd43ebe8be17fcf77173eaaf16046f5880f8fe48fc68ded91ef6202ba65c605980bd2e330d2c7f463f772750a1bd96246fffdc9cb6bf8e1b00a2ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe

Filesize
42KB

MD5
d499e979a50c958f1a67f0e2a28af43d

SHA1
1e5fa0824554c31f19ce01a51edb9bed86f67cf0

SHA256
bc3d545c541e42420ce2c2eabc7e5afab32c869a1adb20adb11735957d0d0b0e

SHA512
668047f178d82bebefeb8c2e7731d34ff24dc755dacd3362b43d8b44c6b148fc51af0d0ab2d0a67f0344ab6158b883fe568e4eeb0e34152108735574f0e1e763

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe

Filesize
2.6MB

MD5
a6c444a3f743ab46213fa60542593cf3

SHA1
64f70fb1eaa0eb971ec110ada277d17a202e3dfe

SHA256
b37c8099b6d467aadf111eb16a9294f73ab5bf99d6bc6809778b5c5124166fab

SHA512
b8d847184142d727f6284a1b75af489aa27ac19a56acd8bfda8424d5c90a54e6daaa529752ffe4eea078b579d279e67fb4cee6208a7c10f694a11ccbe145af04

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe

Filesize
1.3MB

MD5
8b1ea2f1a5c15133040fb4ba2042418d

SHA1
2d3877644be31c8b656ae6ebaf055dac92e55c1d

SHA256
dc765d9320319b32dbd81eb117b3f1e00cf506179a0ac3ae519d0d93da3ff1dc

SHA512
0cef02a420f911ae978025d8cee61174edc8703c511f56b5149bccf0921ab8d0b37ebe6156e7e13e0bcdc961f5efbf01a3ac9031ea60cf492f3f9ee54e3e0720

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe

Filesize
1.6MB

MD5
5c293c1035cad3f8a85305b2a9177309

SHA1
ad6c6ca256f5b678cb2b6067222b153465b98240

SHA256
37b41d250019d599087c0e441f96238f92f425ed663a3e931aa0114541f3cb22

SHA512
4e6976f0c747dd7bd6f770279f942fe4141e1d6f103f8b33684baad59a8feb19eed1a01decde6f9ff2944ba3536addcf15a5190773ad8e8bdf3c784886d427ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57362\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57362\_bz2.pyd

Filesize
82KB

MD5
90f58f625a6655f80c35532a087a0319

SHA1
d4a7834201bd796dc786b0eb923f8ec5d60f719b

SHA256
bd8621fcc901fa1de3961d93184f61ea71068c436794af2a4449738ccf949946

SHA512
b5bb1ecc195700ad7bea5b025503edd3770b1f845f9beee4b067235c4e63496d6e0b19bdd2a42a1b6591d1131a2dc9f627b2ae8036e294300bb6983ecd644dc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57362\_bz2.pyd

Filesize
64KB

MD5
20773730cf9bee2cfbe7ac699167d377

SHA1
e0c9ceccfb1771283d07b0564dfb0a6faa545f23

SHA256
f47926f74c09a41ccce879b11e7798564309a9b91a6d7cf9a0002450fdbe9724

SHA512
327d3b30fb4c1a3d9c6a7120f07928ae8ceff45d8bcc85b7d261f82b54dd60ca656484259a3a3de688a173da4dd6c764a848d02b53eba87030c0ae22ef3059d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57362\_decimal.pyd

Filesize
247KB

MD5
f78f9855d2a7ca940b6be51d68b80bf2

SHA1
fd8af3dbd7b0ea3de2274517c74186cb7cd81a05

SHA256
d4ae192bbd4627fc9487a2c1cd9869d1b461c20cfd338194e87f5cf882bbed12

SHA512
6b68c434a6f8c436d890d3c1229d332bd878e5777c421799f84d79679e998b95d2d4a013b09f50c5de4c6a85fcceb796f3c486e36a10cbac509a0da8d8102b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57362\_hashlib.pyd

Filesize
64KB

MD5
8baeb2bd6e52ba38f445ef71ef43a6b8

SHA1
4132f9cd06343ef8b5b60dc8a62be049aa3270c2

SHA256
6c50c9801a5caf0bb52b384f9a0d5a4aa182ca835f293a39e8999cf6edf2f087

SHA512
804a4e19ea622646cea9e0f8c1e284b7f2d02f3620199fa6930dbdadc654fa137c1e12757f87c3a1a71ceff9244aa2f598ee70d345469ca32a0400563fe3aa65

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57362\_lzma.pyd

Filesize
155KB

MD5
cf8de1137f36141afd9ff7c52a3264ee

SHA1
afde95a1d7a545d913387624ef48c60f23cf4a3f

SHA256
22d10e2d6ad3e3ed3c49eb79ab69a81aaa9d16aeca7f948da2fe80877f106c16

SHA512
821985ff5bc421bd16b2fa5f77f1f4bf8472d0d1564bc5768e4dbe866ec52865a98356bb3ef23a380058acd0a25cd5a40a1e0dae479f15863e48c4482c89a03f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57362\_lzma.pyd

Filesize
42KB

MD5
84c546b9238195d929e94e921f4ffe8e

SHA1
1a6fe20458da7cd3b2b5d660cb231536c2b00a71

SHA256
7ebd54ed31d3eef90c77d89aa83223a0bfc06d933cb30d418707c2e97ad3ae8f

SHA512
49a872b858e08456355427172efa21ee00b4879e79fc10ba6ec05817bb4d313afcc7a4210b5bbe7847ab0b48e986747a9dcbe26f1e9d0b275b0958da9c40ce7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57362\_socket.pyd

Filesize
64KB

MD5
7eee7b9d1550294472568e320d55810d

SHA1
df0fd822e935ddd54cc394ceba37905b67e70e60

SHA256
a0af1fa29f3589a0a68b8778d75e5b30defe161247ccfcc588facdb54167bc33

SHA512
a0c400a20a45432391ff073180d492928e19a9d01f6120036db2e41e46ba6654313616420e3ac7316bdf14b7569c8366e5e86fe99ed860e2017ccff8d5f8fb61

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57362\base_library.zip

Filesize
1.3MB

MD5
44db87e9a433afe94098d3073d1c86d7

SHA1
24cc76d6553563f4d739c9e91a541482f4f83e05

SHA256
2b8b36bd4b1b0ee0599e5d519a91d35d70f03cc09270921630168a386b60ac71

SHA512
55bc2961c0bca42ef6fb4732ec25ef7d7d2ec47c7fb96d8819dd2daa32d990000b326808ae4a03143d6ff2144416e218395cccf8edaa774783234ec7501db611

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57362\libcrypto-3.dll

Filesize
1.6MB

MD5
f1b84ab46987ffd0d5772f4b2566cd50

SHA1
6de3934e1b8de88263dd67793c6eea3051526009

SHA256
c7d47250f3965ed2e47ef314b18e9eceaccbb0d03374b8d507e73899a2580147

SHA512
737b52657ab088a88ffa7c81e51a387869819da52c604aa6a15116336a6604ba982d7fd0da60c6eb9a28a4a95d2aea04890301e7876ec0265fee4811e3730bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57362\python312.dll

Filesize
2.2MB

MD5
34bdc2c9e8d297cace955becbdb192ea

SHA1
5dec070e7343a38364acb89c8b2b3700585e6e09

SHA256
83e155ce03945b7bb9567dead1e599c9b1a64f8aa5d2257aed7b156110422185

SHA512
ad857208b892e708dd1c7ef04cfe5a743ca0e41c2145d9cbc0f58563aca4066d0ced53eb2eba792fea9f9c888f9c80da53c16f6497bb5001ee4af0457b8dc3a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57362\python312.dll

Filesize
2.4MB

MD5
aba6fa7ae518e5adb1fa1eb3d492dd67

SHA1
1ac49f14ac212aa5cd507941e4fae76e29593658

SHA256
261bb6befca036a6e7f4d46541c5320c3dee011cb9e9ec6357d96adfbc32ea35

SHA512
2a468d62f5fc61f4b3cad82a246c647afdb45b4810e6a9d3b9fadd12e49a2421bf56c97331f7035eaff26144c37ae4fa95f11a2816cea4f0337184485730a6f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57362\select.pyd

Filesize
29KB

MD5
e1604afe8244e1ce4c316c64ea3aa173

SHA1
99704d2c0fa2687997381b65ff3b1b7194220a73

SHA256
74cca85600e7c17ea6532b54842e26d3cae9181287cdf5a4a3c50af4dab785e5

SHA512
7bf35b1a9da9f1660f238c2959b3693b7d9d2da40cf42c6f9eba2164b73047340d0adff8995049a2fe14e149eba05a5974eee153badd9e8450f961207f0b3d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57362\unicodedata.pyd

Filesize
1.1MB

MD5
fc47b9e23ddf2c128e3569a622868dbe

SHA1
2814643b70847b496cbda990f6442d8ff4f0cb09

SHA256
2a50d629895a05b10a262acf333e7a4a31db5cb035b70d14d1a4be1c3e27d309

SHA512
7c08683820498fdff5f1703db4ad94ad15f2aa877d044eddc4b54d90e7dc162f48b22828cd577c9bb1b56f7c11f777f9785a9da1867bf8c0f2b6e75dc57c3f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jblknmzi.ifc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFBDF.tmp

Filesize
1KB

MD5
7f673f709ab0e7278e38f0fd8e745cd4

SHA1
ac504108a274b7051e3b477bcd51c9d1a4a01c2c

SHA256
da5ab3278aaa04fbd51272a617aef9b903ca53c358fac48fc0f558e257e063a4

SHA512
e932ccbd9d3ec6ee129f0dab82710904b84e657532c5b623d3c7b3b4ce45732caf8ff5d7b39095cf99ecf97d4e40dd9d755eb2b89c8ede629b287c29e41d1132

Download Submit
C:\Users\Admin\Downloads\Vespy_Reborn.zip

Filesize
4.0MB

MD5
363cdee92bcef3e915fce174db4ba92a

SHA1
d391643d58bbf7d699da49f5bf1af6d5bc92b677

SHA256
486a7218f5b0d28b235ff2e7f0e7285d3fa8208aaded2aeb58917e94f7258546

SHA512
fb265303acf1dad8d89742106ce90406e65d2db3323a85e0db331ce353f0e897b02b7ee557767322429a33b9751c9ba9d7d77bc752adc2ac40d0f0fa466f41b6

Download Submit
memory/544-387-0x0000000000050000-0x0000000000060000-memory.dmp

Filesize
64KB

Download
memory/544-429-0x0000000073E10000-0x00000000745C0000-memory.dmp

Filesize
7.7MB

Download
memory/544-457-0x0000000073E10000-0x00000000745C0000-memory.dmp

Filesize
7.7MB

Download
memory/3304-382-0x000001F90D110000-0x000001F90D164000-memory.dmp

Filesize
336KB

Download
memory/3304-464-0x00007FFADCF90000-0x00007FFADDA51000-memory.dmp

Filesize
10.8MB

Download
memory/3304-400-0x00007FFADCF90000-0x00007FFADDA51000-memory.dmp

Filesize
10.8MB

Download
memory/3304-405-0x000001F90D540000-0x000001F90D550000-memory.dmp

Filesize
64KB

Download
memory/5216-396-0x0000000004C30000-0x0000000005258000-memory.dmp

Filesize
6.2MB

Download
memory/5216-526-0x0000000006E70000-0x0000000006E7A000-memory.dmp

Filesize
40KB

Download
memory/5216-575-0x0000000007170000-0x000000000718A000-memory.dmp

Filesize
104KB

Download
memory/5216-565-0x0000000007130000-0x0000000007144000-memory.dmp

Filesize
80KB

Download
memory/5216-485-0x0000000005AC0000-0x0000000005ADE000-memory.dmp

Filesize
120KB

Download
memory/5216-560-0x0000000007040000-0x000000000704E000-memory.dmp

Filesize
56KB

Download
memory/5216-488-0x0000000005B20000-0x0000000005B6C000-memory.dmp

Filesize
304KB

Download
memory/5216-541-0x0000000007000000-0x0000000007011000-memory.dmp

Filesize
68KB

Download
memory/5216-515-0x000000007FAA0000-0x000000007FAB0000-memory.dmp

Filesize
64KB

Download
memory/5216-432-0x00000000045F0000-0x0000000004600000-memory.dmp

Filesize
64KB

Download
memory/5216-513-0x0000000006080000-0x000000000609E000-memory.dmp

Filesize
120KB

Download
memory/5216-503-0x0000000075830000-0x000000007587C000-memory.dmp

Filesize
304KB

Download
memory/5216-502-0x0000000006AA0000-0x0000000006AD2000-memory.dmp

Filesize
200KB

Download
memory/5216-401-0x00000000045F0000-0x0000000004600000-memory.dmp

Filesize
64KB

Download
memory/5216-766-0x0000000073E10000-0x00000000745C0000-memory.dmp

Filesize
7.7MB

Download
memory/5216-527-0x0000000007090000-0x0000000007126000-memory.dmp

Filesize
600KB

Download
memory/5216-462-0x0000000005650000-0x00000000059A4000-memory.dmp

Filesize
3.3MB

Download
memory/5216-584-0x0000000007080000-0x0000000007088000-memory.dmp

Filesize
32KB

Download
memory/5216-456-0x00000000055E0000-0x0000000005646000-memory.dmp

Filesize
408KB

Download
memory/5216-517-0x0000000006CE0000-0x0000000006D83000-memory.dmp

Filesize
652KB

Download
memory/5216-453-0x00000000054F0000-0x0000000005556000-memory.dmp

Filesize
408KB

Download
memory/5216-388-0x0000000004510000-0x0000000004546000-memory.dmp

Filesize
216KB

Download
memory/5216-525-0x0000000006E00000-0x0000000006E1A000-memory.dmp

Filesize
104KB

Download
memory/5216-383-0x0000000073E10000-0x00000000745C0000-memory.dmp

Filesize
7.7MB

Download
memory/5216-524-0x0000000007440000-0x0000000007ABA000-memory.dmp

Filesize
6.5MB

Download
memory/5216-437-0x0000000005340000-0x0000000005362000-memory.dmp

Filesize
136KB

Download
memory/5220-1027-0x000001E5E5B00000-0x000001E5E5B10000-memory.dmp

Filesize
64KB

Download
memory/5220-1024-0x00007FFADCF90000-0x00007FFADDA51000-memory.dmp

Filesize
10.8MB

Download
memory/5220-1029-0x000001E5E5B00000-0x000001E5E5B10000-memory.dmp

Filesize
64KB

Download
memory/5220-1093-0x00007FFADCF90000-0x00007FFADDA51000-memory.dmp

Filesize
10.8MB

Download
memory/5220-1065-0x000001E5E5B00000-0x000001E5E5B10000-memory.dmp

Filesize
64KB

Download
memory/5220-1044-0x000001E5E65F0000-0x000001E5E6612000-memory.dmp

Filesize
136KB

Download
memory/5400-1156-0x000001D056A10000-0x000001D056A20000-memory.dmp

Filesize
64KB

Download
memory/5400-1154-0x00007FFADCF90000-0x00007FFADDA51000-memory.dmp

Filesize
10.8MB

Download
memory/5448-397-0x0000000005390000-0x00000000053F5000-memory.dmp

Filesize
404KB

Download
memory/5448-561-0x0000000005390000-0x00000000053F5000-memory.dmp

Filesize
404KB

Download
memory/5448-521-0x0000000005390000-0x00000000053F5000-memory.dmp

Filesize
404KB

Download
memory/5448-497-0x0000000005390000-0x00000000053F5000-memory.dmp

Filesize
404KB

Download
memory/5448-495-0x0000000005390000-0x00000000053F5000-memory.dmp

Filesize
404KB

Download
memory/5448-492-0x0000000005390000-0x00000000053F5000-memory.dmp

Filesize
404KB

Download
memory/5448-514-0x0000000005390000-0x00000000053F5000-memory.dmp

Filesize
404KB

Download
memory/5448-381-0x0000000000A50000-0x0000000000A86000-memory.dmp

Filesize
216KB

Download
memory/5448-528-0x0000000005390000-0x00000000053F5000-memory.dmp

Filesize
404KB

Download
memory/5448-530-0x0000000005390000-0x00000000053F5000-memory.dmp

Filesize
404KB

Download
memory/5448-489-0x0000000005390000-0x00000000053F5000-memory.dmp

Filesize
404KB

Download
memory/5448-483-0x0000000005390000-0x00000000053F5000-memory.dmp

Filesize
404KB

Download
memory/5448-540-0x0000000005390000-0x00000000053F5000-memory.dmp

Filesize
404KB

Download
memory/5448-545-0x0000000005390000-0x00000000053F5000-memory.dmp

Filesize
404KB

Download
memory/5448-547-0x0000000005390000-0x00000000053F5000-memory.dmp

Filesize
404KB

Download
memory/5448-550-0x0000000005390000-0x00000000053F5000-memory.dmp

Filesize
404KB

Download
memory/5448-552-0x0000000005390000-0x00000000053F5000-memory.dmp

Filesize
404KB

Download
memory/5448-554-0x0000000005390000-0x00000000053F5000-memory.dmp

Filesize
404KB

Download
memory/5448-556-0x0000000005390000-0x00000000053F5000-memory.dmp

Filesize
404KB

Download
memory/5448-558-0x0000000005390000-0x00000000053F5000-memory.dmp

Filesize
404KB

Download
memory/5448-486-0x0000000005390000-0x00000000053F5000-memory.dmp

Filesize
404KB

Download
memory/5448-519-0x0000000005390000-0x00000000053F5000-memory.dmp

Filesize
404KB

Download
memory/5448-477-0x0000000005390000-0x00000000053F5000-memory.dmp

Filesize
404KB

Download
memory/5448-563-0x0000000005390000-0x00000000053F5000-memory.dmp

Filesize
404KB

Download
memory/5448-481-0x0000000005390000-0x00000000053F5000-memory.dmp

Filesize
404KB

Download
memory/5448-479-0x0000000005390000-0x00000000053F5000-memory.dmp

Filesize
404KB

Download
memory/5448-465-0x0000000005390000-0x00000000053F5000-memory.dmp

Filesize
404KB

Download
memory/5448-393-0x0000000073E10000-0x00000000745C0000-memory.dmp

Filesize
7.7MB

Download
memory/5448-459-0x0000000005390000-0x00000000053F5000-memory.dmp

Filesize
404KB

Download
memory/5448-452-0x0000000005390000-0x00000000053F5000-memory.dmp

Filesize
404KB

Download
memory/5448-431-0x0000000005390000-0x00000000053F5000-memory.dmp

Filesize
404KB

Download
memory/5448-417-0x0000000005390000-0x00000000053F5000-memory.dmp

Filesize
404KB

Download
memory/5448-1063-0x0000000073E10000-0x00000000745C0000-memory.dmp

Filesize
7.7MB

Download
memory/5448-402-0x0000000005390000-0x00000000053F5000-memory.dmp

Filesize
404KB

Download
memory/5448-1075-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/5448-414-0x0000000005390000-0x00000000053F5000-memory.dmp

Filesize
404KB

Download
memory/5448-411-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/5448-398-0x0000000005390000-0x00000000053F5000-memory.dmp

Filesize
404KB

Download
memory/5448-395-0x0000000005390000-0x00000000053FC000-memory.dmp

Filesize
432KB

Download
memory/5484-460-0x0000000073E10000-0x00000000745C0000-memory.dmp

Filesize
7.7MB

Download
memory/5484-463-0x0000000002D30000-0x0000000002D40000-memory.dmp

Filesize
64KB

Download