gozi | d5c77653349176a796c3846dfc596292563d0588564eabf542c978b61597278a

Analysis

max time kernel
150s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
04-10-2023 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5c77653349176a796c3846dfc596292563d0588564eabf542c978b61597278a_JC.exe
Size

295KB
MD5

b54e56a2503ac379bcd8e61852d5e861
SHA1

abcfaff56afa6239ac8efaf8e36ef22b6cc9e8d9
SHA256

d5c77653349176a796c3846dfc596292563d0588564eabf542c978b61597278a
SHA512

fa22a6d5369dd5a06647752ea9ec9f335fe57682931b6808bcd4dd84a3eac5d33f0ec525e23f893b820c6b0e76f46c53ae3cf14ecfbf4e468730dcff817a6513
SSDEEP

3072:w6JyBmvmBEayo1tFHtWl0VnkDS7cW6VnYR4UhsyT+dNIY:xJyIv4EayofFNVtMns4y7T+r

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

185.247.184.139

62.72.33.155

incontroler.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

mifrutty.com

systemcheck.top

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mshta.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation mshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2792 set thread context of 3124	2792	powershell.exe	Explorer.EXE
PID 3124 set thread context of 3700	3124	Explorer.EXE	RuntimeBroker.exe
PID 3124 set thread context of 4080	3124	Explorer.EXE	RuntimeBroker.exe
PID 3124 set thread context of 5012	3124	Explorer.EXE	RuntimeBroker.exe
PID 3124 set thread context of 4968	3124	Explorer.EXE	cmd.exe
PID 3124 set thread context of 3468	3124	Explorer.EXE	RuntimeBroker.exe
PID 3124 set thread context of 1744	3124	Explorer.EXE	cmd.exe
PID 4968 set thread context of 2564	4968	cmd.exe	PING.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1412 3308 WerFault.exe d5c77653349176a796c3846dfc596292563d0588564eabf542c978b61597278a_JC.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2564 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

2564 PING.EXE

pid	pid_target	process	target process
1412	3308	WerFault.exe	d5c77653349176a796c3846dfc596292563d0588564eabf542c978b61597278a_JC.exe

pid	process
2564	PING.EXE

pid	process
2564	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d5c77653349176a796c3846dfc596292563d0588564eabf542c978b61597278a_JC.exepowershell.exeExplorer.EXE

pid	process
3308	d5c77653349176a796c3846dfc596292563d0588564eabf542c978b61597278a_JC.exe
3308	d5c77653349176a796c3846dfc596292563d0588564eabf542c978b61597278a_JC.exe
2792	powershell.exe
2792	powershell.exe
2792	powershell.exe
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

2792 powershell.exe
3124 Explorer.EXE
3124 Explorer.EXE
3124 Explorer.EXE
3124 Explorer.EXE
3124 Explorer.EXE
3124 Explorer.EXE
4968 cmd.exe

pid	process
2792	powershell.exe
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
3124	Explorer.EXE
4968	cmd.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

svchost.exepowershell.exeExplorer.EXE

description	pid	process
Token: SeManageVolumePrivilege	2380	svchost.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeShutdownPrivilege	3124	Explorer.EXE
Token: SeCreatePagefilePrivilege	3124	Explorer.EXE
Token: SeShutdownPrivilege	3124	Explorer.EXE
Token: SeCreatePagefilePrivilege	3124	Explorer.EXE
Token: SeShutdownPrivilege	3124	Explorer.EXE
Token: SeCreatePagefilePrivilege	3124	Explorer.EXE
Token: SeShutdownPrivilege	3124	Explorer.EXE
Token: SeCreatePagefilePrivilege	3124	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3124 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3124 Explorer.EXE

pid	process
3124	Explorer.EXE

pid	process
3124	Explorer.EXE

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

mshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 4540 wrote to memory of 2792	4540	mshta.exe	powershell.exe
PID 4540 wrote to memory of 2792	4540	mshta.exe	powershell.exe
PID 2792 wrote to memory of 2888	2792	powershell.exe	csc.exe
PID 2792 wrote to memory of 2888	2792	powershell.exe	csc.exe
PID 2888 wrote to memory of 2292	2888	csc.exe	cvtres.exe
PID 2888 wrote to memory of 2292	2888	csc.exe	cvtres.exe
PID 2792 wrote to memory of 852	2792	powershell.exe	csc.exe
PID 2792 wrote to memory of 852	2792	powershell.exe	csc.exe
PID 852 wrote to memory of 4984	852	csc.exe	cvtres.exe
PID 852 wrote to memory of 4984	852	csc.exe	cvtres.exe
PID 2792 wrote to memory of 3124	2792	powershell.exe	Explorer.EXE
PID 2792 wrote to memory of 3124	2792	powershell.exe	Explorer.EXE
PID 2792 wrote to memory of 3124	2792	powershell.exe	Explorer.EXE
PID 2792 wrote to memory of 3124	2792	powershell.exe	Explorer.EXE
PID 3124 wrote to memory of 3700	3124	Explorer.EXE	RuntimeBroker.exe
PID 3124 wrote to memory of 3700	3124	Explorer.EXE	RuntimeBroker.exe
PID 3124 wrote to memory of 3700	3124	Explorer.EXE	RuntimeBroker.exe
PID 3124 wrote to memory of 3700	3124	Explorer.EXE	RuntimeBroker.exe
PID 3124 wrote to memory of 4080	3124	Explorer.EXE	RuntimeBroker.exe
PID 3124 wrote to memory of 4080	3124	Explorer.EXE	RuntimeBroker.exe
PID 3124 wrote to memory of 4968	3124	Explorer.EXE	cmd.exe
PID 3124 wrote to memory of 4968	3124	Explorer.EXE	cmd.exe
PID 3124 wrote to memory of 4968	3124	Explorer.EXE	cmd.exe
PID 3124 wrote to memory of 4080	3124	Explorer.EXE	RuntimeBroker.exe
PID 3124 wrote to memory of 4080	3124	Explorer.EXE	RuntimeBroker.exe
PID 3124 wrote to memory of 5012	3124	Explorer.EXE	RuntimeBroker.exe
PID 3124 wrote to memory of 5012	3124	Explorer.EXE	RuntimeBroker.exe
PID 3124 wrote to memory of 5012	3124	Explorer.EXE	RuntimeBroker.exe
PID 3124 wrote to memory of 5012	3124	Explorer.EXE	RuntimeBroker.exe
PID 3124 wrote to memory of 3468	3124	Explorer.EXE	RuntimeBroker.exe
PID 3124 wrote to memory of 3468	3124	Explorer.EXE	RuntimeBroker.exe
PID 3124 wrote to memory of 4968	3124	Explorer.EXE	cmd.exe
PID 3124 wrote to memory of 4968	3124	Explorer.EXE	cmd.exe
PID 3124 wrote to memory of 3468	3124	Explorer.EXE	RuntimeBroker.exe
PID 3124 wrote to memory of 3468	3124	Explorer.EXE	RuntimeBroker.exe
PID 3124 wrote to memory of 1744	3124	Explorer.EXE	cmd.exe
PID 3124 wrote to memory of 1744	3124	Explorer.EXE	cmd.exe
PID 3124 wrote to memory of 1744	3124	Explorer.EXE	cmd.exe
PID 3124 wrote to memory of 1744	3124	Explorer.EXE	cmd.exe
PID 4968 wrote to memory of 2564	4968	cmd.exe	PING.EXE
PID 4968 wrote to memory of 2564	4968	cmd.exe	PING.EXE
PID 4968 wrote to memory of 2564	4968	cmd.exe	PING.EXE
PID 3124 wrote to memory of 1744	3124	Explorer.EXE	cmd.exe
PID 3124 wrote to memory of 1744	3124	Explorer.EXE	cmd.exe
PID 4968 wrote to memory of 2564	4968	cmd.exe	PING.EXE
PID 4968 wrote to memory of 2564	4968	cmd.exe	PING.EXE

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3700

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5012

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4080

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3124

C:\Users\Admin\AppData\Local\Temp\d5c77653349176a796c3846dfc596292563d0588564eabf542c978b61597278a_JC.exe
"C:\Users\Admin\AppData\Local\Temp\d5c77653349176a796c3846dfc596292563d0588564eabf542c978b61597278a_JC.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 872
3⤵
- Program crash
PID:1412

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ksl5='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ksl5).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\47C55FEA-FA41-11E9-3C6B-CED530CFE2D9\\\ActiveStart'));if(!window.flag)close()</script>"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name brxbbbn -value gp; new-alias -name payrinan -value iex; payrinan ([System.Text.Encoding]::ASCII.GetString((brxbbbn "HKCU:Software\AppDataLow\Software\Microsoft\47C55FEA-FA41-11E9-3C6B-CED530CFE2D9").ClassFile))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xe0alnds\xe0alnds.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2888

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5162.tmp" "c:\Users\Admin\AppData\Local\Temp\xe0alnds\CSC64384299B0E6462B8D9F84DC12A69FBC.TMP"
5⤵
PID:2292

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nz0ytuhg\nz0ytuhg.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES525C.tmp" "c:\Users\Admin\AppData\Local\Temp\nz0ytuhg\CSCA9E57D9D15954213AA2C86D741A8A742.TMP"
5⤵
PID:4984

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\d5c77653349176a796c3846dfc596292563d0588564eabf542c978b61597278a_JC.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4968

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2564

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:1744

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3468

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:1552

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3308 -ip 3308
1⤵
PID:3720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5162.tmp
Filesize
1KB

MD5
0c9a0ab1e3fd2cbcffd731428ff4b8f3

SHA1
0b4e26cc0eaee96cbdad773e7409c7453939ba18

SHA256
a418494bd4a4041f5f7f97a979c019062b7df1b58cb6ae94586c4128177ede3c

SHA512
a0818dd4ff318812f2e7ef88a65f51d8177cbb552e4993ae1f7d85e30e8f7e81ced2234193470c67c8b5389b64ebed665887fd93d2fd4be82b9adb21fbd28bad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES525C.tmp
Filesize
1KB

MD5
3a5aeed61b6f415f296007212f173cc4

SHA1
8b1a04c5e81631b3cf0513c8be9c59623624b40a

SHA256
c5648a6eb27c7d31feeea2b9e55f16664bc8af464ecc5c9f6c0cae70e2dc6e8f

SHA512
1d4ad30ce8c159fe0d6eac34ac860ea7c079ae291ffd055bf0d20e9c51cd55ed292b1ffdb3e19af2c5c65d22d02a2d346c7319d51f9d0832efd91662b1fafad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_frliwdsd.i2f.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nz0ytuhg\nz0ytuhg.dll
Filesize
3KB

MD5
12d583013f1f1e94508851cc80cc143e

SHA1
85d2918edfd81e7e6991f751cb41feb33ec7fd8b

SHA256
10f4e6c083d8592659fbb1e62c1fdb1bd6433f65ca53ec6774ae490cd0b5b2ec

SHA512
6a5bcafaa8fc6291cdd33293db12365b814cdd9a07d5c5310e082e35796a8f26246d1bd493470a012cf11c557e9a5cd0d1e788952df8d3832f3dcb0697960eee

Download Submit
C:\Users\Admin\AppData\Local\Temp\xe0alnds\xe0alnds.dll
Filesize
3KB

MD5
e1dccd7c22dac4365232506f35779ce8

SHA1
ce04a47ee72a6ea73b1d89c2b9c9a367fb95ac42

SHA256
8cf6967ba44a4cbbda29c7e86a92aa10097b5ed818e70cb61883b48a4cc3eb95

SHA512
365b2e2fe383766162462d85b256a249ed4b204fc97ad9a20bb3a0005895bb8e8fe8d16205b730425e3387a7f9ea8a917e08fff0be683d063135a907d6181865

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nz0ytuhg\CSCA9E57D9D15954213AA2C86D741A8A742.TMP
Filesize
652B

MD5
8a8e316c388151bfb4cb7a911f2b399b

SHA1
082eccfe9b9a543aeb47807f451f452e30c002c1

SHA256
f2d3dba60563c79f2752745dfe8cb383fc9ba26c889d9f138f6f5d1d80cf0ab5

SHA512
c47028303ce04e15409d2a9de63ac2102306c9cc5f7ab23aa35df8e007d2181786d54f632888e289f7da4fe86c40d18bccfd5e9ca36e7777d5491c9de5bbb239

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nz0ytuhg\nz0ytuhg.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nz0ytuhg\nz0ytuhg.cmdline
Filesize
369B

MD5
3fa90aca212792dca9cff6086e9d024b

SHA1
0a373b0d6abe7940d4935bcc992da3f145925830

SHA256
4148e892b80f85e9a4babab76d0c4fc25cb72e25ad757036c82905f594c420ff

SHA512
15992b43472cec03365f2ef273160f411df648c9ae0faeabd85321d902af5ac519c8fcf0fcfd5c9a48a49a3a33f3ff7fabb88dd0be37ec021b83ec613b4ac276

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xe0alnds\CSC64384299B0E6462B8D9F84DC12A69FBC.TMP
Filesize
652B

MD5
f2672f932028ba63ae8005de16e67a18

SHA1
818d6b324f4ce9e3b7d7e3c5135fad0c5fcb9928

SHA256
cd4b083b391fadd2c8ec48bed2bd9e49983be32f60f49ad4f6a8f096fd3c704d

SHA512
99eea1ef2f78fd632abc759879e4cb13cd6a669a0342181bfa5ef00587bf46e16a46995d4e1e069a24bae969d0d027d857453337507613303aaf4d7fa585603f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xe0alnds\xe0alnds.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xe0alnds\xe0alnds.cmdline
Filesize
369B

MD5
774d79e7bd422b658e8b3e73904e6ba9

SHA1
4b6ecc45930c024c7e53892ba96cdefec5ec8810

SHA256
e4066cf6610de28e58c23e2ec1a93460cf66461fe7586a732b7bf262f95054c9

SHA512
7f95270286cf0223cd6c553dc1ad7073dcab99663546d0f24576bb70c5d4261690f45be12c81cb6a79e3747140639d50b97f582151790ef0ae685040a00f5d53

Download Submit
memory/1744-153-0x0000000001720000-0x00000000017B8000-memory.dmp

Filesize
608KB

Download
memory/1744-150-0x00000000013A0000-0x00000000013A1000-memory.dmp

Filesize
4KB

Download
memory/1744-159-0x0000000001720000-0x00000000017B8000-memory.dmp

Filesize
608KB

Download
memory/2380-52-0x000001DAB9D20000-0x000001DAB9D21000-memory.dmp

Filesize
4KB

Download
memory/2380-51-0x000001DAB9C10000-0x000001DAB9C11000-memory.dmp

Filesize
4KB

Download
memory/2380-50-0x000001DAB9C10000-0x000001DAB9C11000-memory.dmp

Filesize
4KB

Download
memory/2380-48-0x000001DAB9BE0000-0x000001DAB9BE1000-memory.dmp

Filesize
4KB

Download
memory/2380-32-0x000001DAB1870000-0x000001DAB1880000-memory.dmp

Filesize
64KB

Download
memory/2380-16-0x000001DAB1770000-0x000001DAB1780000-memory.dmp

Filesize
64KB

Download
memory/2564-157-0x0000028B28450000-0x0000028B28451000-memory.dmp

Filesize
4KB

Download
memory/2564-156-0x0000028B285A0000-0x0000028B28644000-memory.dmp

Filesize
656KB

Download
memory/2564-165-0x0000028B285A0000-0x0000028B28644000-memory.dmp

Filesize
656KB

Download
memory/2792-57-0x000002CDF5960000-0x000002CDF5982000-memory.dmp

Filesize
136KB

Download
memory/2792-69-0x000002CDF57E0000-0x000002CDF57F0000-memory.dmp

Filesize
64KB

Download
memory/2792-68-0x000002CDF57E0000-0x000002CDF57F0000-memory.dmp

Filesize
64KB

Download
memory/2792-67-0x00007FFBED650000-0x00007FFBEE111000-memory.dmp

Filesize
10.8MB

Download
memory/2792-96-0x000002CDF5AF0000-0x000002CDF5AF8000-memory.dmp

Filesize
32KB

Download
memory/2792-82-0x000002CDF5AD0000-0x000002CDF5AD8000-memory.dmp

Filesize
32KB

Download
memory/2792-102-0x000002CDF5B00000-0x000002CDF5B3D000-memory.dmp

Filesize
244KB

Download
memory/2792-112-0x00007FFBED650000-0x00007FFBEE111000-memory.dmp

Filesize
10.8MB

Download
memory/3124-147-0x000000000B5B0000-0x000000000B654000-memory.dmp

Filesize
656KB

Download
memory/3124-100-0x000000000B5B0000-0x000000000B654000-memory.dmp

Filesize
656KB

Download
memory/3124-104-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/3308-4-0x0000000003EF0000-0x0000000003EFD000-memory.dmp

Filesize
52KB

Download
memory/3308-8-0x00000000023F0000-0x00000000023FB000-memory.dmp

Filesize
44KB

Download
memory/3308-2-0x00000000023F0000-0x00000000023FB000-memory.dmp

Filesize
44KB

Download
memory/3308-163-0x0000000000400000-0x0000000002290000-memory.dmp

Filesize
30.6MB

Download
memory/3308-3-0x0000000000400000-0x0000000002290000-memory.dmp

Filesize
30.6MB

Download
memory/3308-1-0x0000000002410000-0x0000000002510000-memory.dmp

Filesize
1024KB

Download
memory/3308-7-0x0000000002410000-0x0000000002510000-memory.dmp

Filesize
1024KB

Download
memory/3308-9-0x0000000000400000-0x0000000002290000-memory.dmp

Filesize
30.6MB

Download
memory/3468-168-0x0000020F87E40000-0x0000020F87EE4000-memory.dmp

Filesize
656KB

Download
memory/3468-139-0x0000020F87E40000-0x0000020F87EE4000-memory.dmp

Filesize
656KB

Download
memory/3468-142-0x0000020F879F0000-0x0000020F879F1000-memory.dmp

Filesize
4KB

Download
memory/3700-161-0x000002A21CA90000-0x000002A21CB34000-memory.dmp

Filesize
656KB

Download
memory/3700-114-0x000002A21CA90000-0x000002A21CB34000-memory.dmp

Filesize
656KB

Download
memory/3700-115-0x000002A21BDF0000-0x000002A21BDF1000-memory.dmp

Filesize
4KB

Download
memory/4080-164-0x000002B497F20000-0x000002B497FC4000-memory.dmp

Filesize
656KB

Download
memory/4080-121-0x000002B497ED0000-0x000002B497ED1000-memory.dmp

Filesize
4KB

Download
memory/4080-120-0x000002B497F20000-0x000002B497FC4000-memory.dmp

Filesize
656KB

Download
memory/4968-135-0x000002161F7C0000-0x000002161F864000-memory.dmp

Filesize
656KB

Download
memory/4968-131-0x000002161F640000-0x000002161F641000-memory.dmp

Filesize
4KB

Download
memory/4968-166-0x000002161F7C0000-0x000002161F864000-memory.dmp

Filesize
656KB

Download
memory/5012-126-0x000001C325A60000-0x000001C325B04000-memory.dmp

Filesize
656KB

Download
memory/5012-127-0x000001C325B10000-0x000001C325B11000-memory.dmp

Filesize
4KB

Download
memory/5012-167-0x000001C325A60000-0x000001C325B04000-memory.dmp

Filesize
656KB

Download