gozi | 1503a40da3eee4ba11db866b31dd8f09bbb2ebfeef5e406c2806a18cdf9fa01d

Analysis

max time kernel
150s
max time network
150s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
28/12/2022, 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1503a40da3eee4ba11db866b31dd8f09bbb2ebfeef5e406c2806a18cdf9fa01d.exe
Size

222KB
MD5

42a0ace2505232df5f4178922a374bca
SHA1

8f08ce12259f02d9b6eabe80b3d248899b17e05d
SHA256

1503a40da3eee4ba11db866b31dd8f09bbb2ebfeef5e406c2806a18cdf9fa01d
SHA512

be082d4d538c8e0f928420549a2adc20bd819707186ea1a5d23e282a64840b2785f8584f39ae84b2f05272f5af98ace02057ee0573c8428f6c9a2829381d8282
SSDEEP

3072:YYBLb95mHgC8cMDMtqW+LCyzcq7dB96PgdxdQt+FG+wD3tdmdhxH:DLbS8DGqXLfzPE4xS8Fri3tm

Score

10^/10

gozi smokeloader 22500 backdoor banker isfb trojan

Malware Config

Extracted

Family

gozi

Botnet

22500

confisg.edge.skype.com

http://5icvzwz.xyz

http://185.14.45.80

Attributes

base_path
/recycle/
build
250249
exe_type
worker
extension
.alo
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Detects Smokeloader packer 1 IoCs

resource	yara_rule
behavioral1/memory/4600-304-0x00000000004B0000-0x00000000004B9000-memory.dmp	family_smokeloader

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Executes dropped EXE 1 IoCs

pid	Process
4600	urfawwv

Deletes itself 1 IoCs

pid	Process
2312	Explorer.EXE

Loads dropped DLL 1 IoCs

pid	Process
4820	regsvr32.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 2300 set thread context of 2312	2300	powershell.exe	27
PID 2312 set thread context of 3516	2312	Explorer.EXE	25
PID 2312 set thread context of 4648	2312	Explorer.EXE	78
PID 4648 set thread context of 1120	4648	cmd.exe	80
PID 2312 set thread context of 4280	2312	Explorer.EXE	81
PID 2312 set thread context of 3328	2312	Explorer.EXE	82

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	urfawwv
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	urfawwv
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	urfawwv
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1503a40da3eee4ba11db866b31dd8f09bbb2ebfeef5e406c2806a18cdf9fa01d.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1503a40da3eee4ba11db866b31dd8f09bbb2ebfeef5e406c2806a18cdf9fa01d.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1503a40da3eee4ba11db866b31dd8f09bbb2ebfeef5e406c2806a18cdf9fa01d.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1120	PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1120	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2204	1503a40da3eee4ba11db866b31dd8f09bbb2ebfeef5e406c2806a18cdf9fa01d.exe
2204	1503a40da3eee4ba11db866b31dd8f09bbb2ebfeef5e406c2806a18cdf9fa01d.exe
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE
2312	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2312	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
2204	1503a40da3eee4ba11db866b31dd8f09bbb2ebfeef5e406c2806a18cdf9fa01d.exe
2300	powershell.exe
2312	Explorer.EXE
2312	Explorer.EXE
4648	cmd.exe
2312	Explorer.EXE
2312	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2312	Explorer.EXE
Token: SeCreatePagefilePrivilege	2312	Explorer.EXE
Token: SeShutdownPrivilege	2312	Explorer.EXE
Token: SeCreatePagefilePrivilege	2312	Explorer.EXE
Token: SeShutdownPrivilege	2312	Explorer.EXE
Token: SeCreatePagefilePrivilege	2312	Explorer.EXE
Token: SeShutdownPrivilege	2312	Explorer.EXE
Token: SeCreatePagefilePrivilege	2312	Explorer.EXE
Token: SeShutdownPrivilege	2312	Explorer.EXE
Token: SeCreatePagefilePrivilege	2312	Explorer.EXE
Token: SeShutdownPrivilege	2312	Explorer.EXE
Token: SeCreatePagefilePrivilege	2312	Explorer.EXE
Token: SeShutdownPrivilege	2312	Explorer.EXE
Token: SeCreatePagefilePrivilege	2312	Explorer.EXE
Token: SeShutdownPrivilege	2312	Explorer.EXE
Token: SeCreatePagefilePrivilege	2312	Explorer.EXE
Token: SeShutdownPrivilege	2312	Explorer.EXE
Token: SeCreatePagefilePrivilege	2312	Explorer.EXE
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeShutdownPrivilege	2312	Explorer.EXE
Token: SeCreatePagefilePrivilege	2312	Explorer.EXE
Token: SeShutdownPrivilege	2312	Explorer.EXE
Token: SeCreatePagefilePrivilege	2312	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2312	Explorer.EXE

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 5044	2312	Explorer.EXE	66
PID 2312 wrote to memory of 5044	2312	Explorer.EXE	66
PID 5044 wrote to memory of 4820	5044	regsvr32.exe	67
PID 5044 wrote to memory of 4820	5044	regsvr32.exe	67
PID 5044 wrote to memory of 4820	5044	regsvr32.exe	67
PID 2312 wrote to memory of 780	2312	Explorer.EXE	71
PID 2312 wrote to memory of 780	2312	Explorer.EXE	71
PID 780 wrote to memory of 2300	780	mshta.exe	72
PID 780 wrote to memory of 2300	780	mshta.exe	72
PID 2300 wrote to memory of 4216	2300	powershell.exe	74
PID 2300 wrote to memory of 4216	2300	powershell.exe	74
PID 4216 wrote to memory of 3292	4216	csc.exe	75
PID 4216 wrote to memory of 3292	4216	csc.exe	75
PID 2300 wrote to memory of 4908	2300	powershell.exe	76
PID 2300 wrote to memory of 4908	2300	powershell.exe	76
PID 4908 wrote to memory of 8	4908	csc.exe	77
PID 4908 wrote to memory of 8	4908	csc.exe	77
PID 2300 wrote to memory of 2312	2300	powershell.exe	27
PID 2300 wrote to memory of 2312	2300	powershell.exe	27
PID 2300 wrote to memory of 2312	2300	powershell.exe	27
PID 2300 wrote to memory of 2312	2300	powershell.exe	27
PID 2312 wrote to memory of 4648	2312	Explorer.EXE	78
PID 2312 wrote to memory of 4648	2312	Explorer.EXE	78
PID 2312 wrote to memory of 4648	2312	Explorer.EXE	78
PID 2312 wrote to memory of 3516	2312	Explorer.EXE	25
PID 2312 wrote to memory of 3516	2312	Explorer.EXE	25
PID 2312 wrote to memory of 3516	2312	Explorer.EXE	25
PID 2312 wrote to memory of 3516	2312	Explorer.EXE	25
PID 2312 wrote to memory of 4648	2312	Explorer.EXE	78
PID 2312 wrote to memory of 4648	2312	Explorer.EXE	78
PID 4648 wrote to memory of 1120	4648	cmd.exe	80
PID 4648 wrote to memory of 1120	4648	cmd.exe	80
PID 4648 wrote to memory of 1120	4648	cmd.exe	80
PID 4648 wrote to memory of 1120	4648	cmd.exe	80
PID 4648 wrote to memory of 1120	4648	cmd.exe	80
PID 2312 wrote to memory of 4280	2312	Explorer.EXE	81
PID 2312 wrote to memory of 4280	2312	Explorer.EXE	81
PID 2312 wrote to memory of 4280	2312	Explorer.EXE	81
PID 2312 wrote to memory of 4280	2312	Explorer.EXE	81
PID 2312 wrote to memory of 4280	2312	Explorer.EXE	81
PID 2312 wrote to memory of 3328	2312	Explorer.EXE	82
PID 2312 wrote to memory of 3328	2312	Explorer.EXE	82
PID 2312 wrote to memory of 3328	2312	Explorer.EXE	82
PID 2312 wrote to memory of 3328	2312	Explorer.EXE	82
PID 2312 wrote to memory of 3328	2312	Explorer.EXE	82
PID 2312 wrote to memory of 3328	2312	Explorer.EXE	82

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3516

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Deletes itself
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Users\Admin\AppData\Local\Temp\1503a40da3eee4ba11db866b31dd8f09bbb2ebfeef5e406c2806a18cdf9fa01d.exe
  "C:\Users\Admin\AppData\Local\Temp\1503a40da3eee4ba11db866b31dd8f09bbb2ebfeef5e406c2806a18cdf9fa01d.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2204
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\10B9.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5044
- - C:\Windows\SysWOW64\regsvr32.exe
    /s C:\Users\Admin\AppData\Local\Temp\10B9.dll
    3⤵
    - Loads dropped DLL
    PID:4820
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "about:<hta:application><script>P8qm='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(P8qm).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\8AD4E7FF-61BA-4C10-3B5E-25409F722974\\\BlackMode'));if(!window.flag)close()</script>"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:780
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name wqhsfu -value gp; new-alias -name gbmugrg -value iex; gbmugrg ([System.Text.Encoding]::ASCII.GetString((wqhsfu "HKCU:Software\AppDataLow\Software\Microsoft\8AD4E7FF-61BA-4C10-3B5E-25409F722974").CoreLink))
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ex1xanhy\ex1xanhy.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4216
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE6D1.tmp" "c:\Users\Admin\AppData\Local\Temp\ex1xanhy\CSC98DA16D5BA7D48A3A9779DF29CD5649A.TMP"
        5⤵
        
        PID:3292
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qtforfy3\qtforfy3.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4908
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE79C.tmp" "c:\Users\Admin\AppData\Local\Temp\qtforfy3\CSCCE4D1C7F55D24345B0EE13C8D73154A.TMP"
        5⤵
        
        PID:8
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\10B9.dll"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4648
- - C:\Windows\system32\PING.EXE
    ping localhost -n 5
    3⤵
    - Runs ping.exe
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1120
- C:\Program Files\Windows Mail\WinMail.exe
  "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
  2⤵
  PID:4280
- C:\Windows\syswow64\cmd.exe
  "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
  2⤵
  PID:3328

C:\Users\Admin\AppData\Roaming\urfawwv
C:\Users\Admin\AppData\Roaming\urfawwv
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\10B9.dll

Filesize
584KB

MD5
71bb495869bfff145090bdb878800130

SHA1
5d1e298129bc9c8bf6d1b5d3d9f321a8858e9ab5

SHA256
9475ff9c5e05af184d06a10b33225f74e89cb941495a82bf4038df98169a432f

SHA512
ef22db3f32bf5cd34bc69245c41e9eea8bff7b61c8062631a0817744155e802c7caf4f2711ff653572a15903fc07b1af283cd2289d75f268c22eec14ae173c73

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE6D1.tmp

Filesize
1KB

MD5
ff92297f5f093b2b15879949c87d0bd4

SHA1
89c83981b04b3fdc0e0ace3996c06a380c2a2456

SHA256
47ba43b0978cdc3a62eb361702684ab96bbc9f99a9bb23a72586cf93ec04cd6b

SHA512
723254891e8f467b98426ca19108fc851e95d2a01bce0da654ee9ce7fe52ef58c93ffb1bc3993edfc569a390aa10304bf9bd77f7127efe61e53c419c3408708a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE79C.tmp

Filesize
1KB

MD5
977aeaf8eb32994273b4d145d921c517

SHA1
9da2c7aba0d9311e9fa9358d7ae565dbb8866e1b

SHA256
5f7fc2854773769c2cab348c76d6221af754338f72956fc87c9207b7c663ee53

SHA512
50184484b9d0c051fbf895194753452c4d344803eb147ab792249364ce83206fcce07cba2f9e3acef6744aa28bf89fe44b21e2e83deb93b242c1044f1bc45fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ex1xanhy\ex1xanhy.dll

Filesize
3KB

MD5
3a5e696b8dd34f2ab9a85102ddc119f7

SHA1
b33a67be1597098b951b3ac422ff0502a8e291c7

SHA256
c876c32e3f60b01d2c84785b320a723eb2a3d43cf6cd5df7c3054c1f42359011

SHA512
26c23d4c6eaa526b38e089b8fd3ec7d3e292684ba01f6db651b7f5a53fcda6dce287d32d5b4e794870195027c35f63232965e05f0121628fc6ff41e5f9c579d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\qtforfy3\qtforfy3.dll

Filesize
3KB

MD5
3867614ae7381dc67cc3197bda46f893

SHA1
888b176e3b38b19132cea86f1bae438ab420ba4c

SHA256
ffcf21155f91a9a4e5e70bd917a6cf9fa0a0e2feee2467aa286e7887e2ad7155

SHA512
848ffb3b8326eb4091412c71e5a07ce42f27b9a54dfe3702bbcef4a758184a1bd6cb6bc16c4eda375e31606127a069ef30ee904fc50a419d1326c525e14cc204

Download Submit
C:\Users\Admin\AppData\Roaming\urfawwv

Filesize
222KB

MD5
42a0ace2505232df5f4178922a374bca

SHA1
8f08ce12259f02d9b6eabe80b3d248899b17e05d

SHA256
1503a40da3eee4ba11db866b31dd8f09bbb2ebfeef5e406c2806a18cdf9fa01d

SHA512
be082d4d538c8e0f928420549a2adc20bd819707186ea1a5d23e282a64840b2785f8584f39ae84b2f05272f5af98ace02057ee0573c8428f6c9a2829381d8282

Download Submit
C:\Users\Admin\AppData\Roaming\urfawwv

Filesize
222KB

MD5
42a0ace2505232df5f4178922a374bca

SHA1
8f08ce12259f02d9b6eabe80b3d248899b17e05d

SHA256
1503a40da3eee4ba11db866b31dd8f09bbb2ebfeef5e406c2806a18cdf9fa01d

SHA512
be082d4d538c8e0f928420549a2adc20bd819707186ea1a5d23e282a64840b2785f8584f39ae84b2f05272f5af98ace02057ee0573c8428f6c9a2829381d8282

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ex1xanhy\CSC98DA16D5BA7D48A3A9779DF29CD5649A.TMP

Filesize
652B

MD5
f52b74e2d7dfa365d2541521cf13a6bb

SHA1
02d0d3ed99becfff5eae4deb53b917fd83cdde2d

SHA256
b0f2f1395e623ddb00d717f73cdc29948fbb7faedb6c01061596b2887d7355f3

SHA512
ebcc0916088b485ab787737cd829b8be19416bcd41df53235602dac8a8527433b71993d447f875ee8a0cca08e12e91f7ea28dd7da73098b137f42217b74b7926

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ex1xanhy\ex1xanhy.0.cs

Filesize
408B

MD5
f58cc7462a9dc35fa5ccf9d605d846f9

SHA1
c864bbe18005d5c8e0c95cf71cf82afc1f2222a0

SHA256
adea20d896d1565230e0799ac1e5e14719062ce0e00080c412222a98bddcadcb

SHA512
d13c80ea909a9f6ebedeaa8d4e73cfd01d3d8b465b02b1f5663f22ef189e9f0b5329b60fcb6c888334c370c69ca92dee1a9b5f0b0262377132e4a6822970e6f1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ex1xanhy\ex1xanhy.cmdline

Filesize
369B

MD5
d7767088c15eef1b98bf683db44d37fd

SHA1
311a020d75ee61a5eb77ab61294980c8c99359c4

SHA256
a087c9242b9a3f3da83481c5af59a42a8416bc9430a8adf351ae7c20f2726b8a

SHA512
e85f0fdc4d5dce25db0c9872e5b338fe960a22fb7b46e059e954da32e88e89c3aa1611569149f11d956c3881ca92b59245fcbe956fa151e7089f1a9d9edcd30d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qtforfy3\CSCCE4D1C7F55D24345B0EE13C8D73154A.TMP

Filesize
652B

MD5
424f5f72aba8cc59845a9d8d805c2118

SHA1
0c644eda788ae22d7956b254fbe0c6899f4b4fc8

SHA256
b1be464ae0b4e63a3e6ca513b4e5e25025e5bd13b57fdb8c30ed3032860ff383

SHA512
d08dd2ae144d472445ca446b24ec8c18416caa9a107741523643d730a526f0b090aa95c894e179b96127cf4ade3de556373a500c208760c4e5987b15bb2972c3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qtforfy3\qtforfy3.0.cs

Filesize
408B

MD5
0a5374e53f44ac8b609707a893f72b21

SHA1
83ec00746897bcacf4c5a049b7e090d057f62cf9

SHA256
0388c68b7b848cb08941edbfe4bcaa8f6df3c461df1c9a7542103e279f64c5f9

SHA512
ce62cb7723a6fcb5448c7c096c293a503662888f75f1a92ea8a9a15955e82ad6f7773829604633782f0e3e8d5bb07286bc281a94d2f99f0f57d4cea4e873cdd4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qtforfy3\qtforfy3.cmdline

Filesize
369B

MD5
64a2ca13b1654c605441d54771862ee5

SHA1
54c8e323abb9254819f8d4c5582fd371b28bc559

SHA256
28cdb3c774305975e16a49c06a203795458107a3417a1080489c93bea742587d

SHA512
83be58aef2394b058b598c72a110c2f84820c955979d5e35b272c554e16f93b6d4a43a202c0b034a4729c2211bf3b718ea1b1797c2e70c726f7db005de7e6ada

Download Submit
\Users\Admin\AppData\Local\Temp\10B9.dll

Filesize
584KB

MD5
71bb495869bfff145090bdb878800130

SHA1
5d1e298129bc9c8bf6d1b5d3d9f321a8858e9ab5

SHA256
9475ff9c5e05af184d06a10b33225f74e89cb941495a82bf4038df98169a432f

SHA512
ef22db3f32bf5cd34bc69245c41e9eea8bff7b61c8062631a0817744155e802c7caf4f2711ff653572a15903fc07b1af283cd2289d75f268c22eec14ae173c73

Download Submit
memory/1120-345-0x000001AF73FF0000-0x000001AF74092000-memory.dmp

Filesize
648KB

Download
memory/2204-150-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-129-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-141-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-142-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-143-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-144-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-146-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-147-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-148-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-120-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-151-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-149-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-152-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-153-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-154-0x00000000004C0000-0x000000000060A000-memory.dmp

Filesize
1.3MB

Download
memory/2204-156-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2204-155-0x00000000004C0000-0x000000000060A000-memory.dmp

Filesize
1.3MB

Download
memory/2204-145-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-157-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2204-136-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-139-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-134-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-121-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-140-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-138-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-133-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-132-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-131-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-122-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-128-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-137-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-130-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-123-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-127-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-124-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-126-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-125-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2300-318-0x00000224FD280000-0x00000224FD288000-memory.dmp

Filesize
32KB

Download
memory/2300-323-0x00000224FD540000-0x00000224FD57C000-memory.dmp

Filesize
240KB

Download
memory/2300-310-0x00000224FD260000-0x00000224FD268000-memory.dmp

Filesize
32KB

Download
memory/2300-266-0x00000224FABE0000-0x00000224FAC02000-memory.dmp

Filesize
136KB

Download
memory/2300-271-0x00000224FD2C0000-0x00000224FD336000-memory.dmp

Filesize
472KB

Download
memory/2312-329-0x0000000005700000-0x00000000057A2000-memory.dmp

Filesize
648KB

Download
memory/3328-383-0x0000000003280000-0x0000000003316000-memory.dmp

Filesize
600KB

Download
memory/3516-342-0x0000027771B00000-0x0000027771BA2000-memory.dmp

Filesize
648KB

Download
memory/4280-347-0x000001A224550000-0x000001A2245F2000-memory.dmp

Filesize
648KB

Download
memory/4600-303-0x00000000004F0000-0x000000000063A000-memory.dmp

Filesize
1.3MB

Download
memory/4600-304-0x00000000004B0000-0x00000000004B9000-memory.dmp

Filesize
36KB

Download
memory/4600-305-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4648-343-0x000001E9789C0000-0x000001E978A62000-memory.dmp

Filesize
648KB

Download
memory/4820-162-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4820-175-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4820-209-0x0000000002AD0000-0x0000000002C1A000-memory.dmp

Filesize
1.3MB

Download
memory/4820-191-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4820-182-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4820-184-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4820-190-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4820-187-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4820-189-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4820-188-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4820-185-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4820-186-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4820-183-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4820-181-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4820-171-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4820-173-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4820-232-0x0000000002AD0000-0x0000000002C1A000-memory.dmp

Filesize
1.3MB

Download
memory/4820-179-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4820-180-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4820-178-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4820-176-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4820-177-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4820-174-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4820-172-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4820-170-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4820-169-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4820-168-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4820-167-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4820-165-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4820-166-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4820-164-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4820-163-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4820-161-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download