gozi | 1aa20713c9af2eeec3756392dca573d39bf5fa8d18a14087d67cd39f07509eea

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
06-10-2023 12:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.1aa20713c9af2eeec3756392dca573d39bf5fa8d18a14087d67cd39f07509eea_JC.exe
Size

292KB
MD5

33ddb8880db29cac11e05bfc30bcec6b
SHA1

fb90dc44ba4b8f6b356735bd46231e6f99e15b62
SHA256

1aa20713c9af2eeec3756392dca573d39bf5fa8d18a14087d67cd39f07509eea
SHA512

b99e8ac3be923ea8eb21967595f93bef903b9719300045862dca54bf64b709f7c10e536d8407fa07da67e89245ffa15f9608531700a668b84d0a3a8383f51e0f
SSDEEP

3072:/yktbYYNGzHPg2I1eWy9O9El/pjBXDzrFEd1Uot:K4YIGz4ToTHl9BXz6Uo

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

mifrutty.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

mifrutty.com

systemcheck.top

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mshta.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation mshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 4672 set thread context of 3148	4672	powershell.exe	Explorer.EXE
PID 3148 set thread context of 3764	3148	Explorer.EXE	RuntimeBroker.exe
PID 3148 set thread context of 4072	3148	Explorer.EXE	RuntimeBroker.exe
PID 3148 set thread context of 4956	3148	Explorer.EXE	cmd.exe
PID 3148 set thread context of 2340	3148	Explorer.EXE	RuntimeBroker.exe
PID 3148 set thread context of 4540	3148	Explorer.EXE	RuntimeBroker.exe
PID 4956 set thread context of 1580	4956	cmd.exe	PING.EXE
PID 3148 set thread context of 4200	3148	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1632 2916 WerFault.exe NEAS.1aa20713c9af2eeec3756392dca573d39bf5fa8d18a14087d67cd39f07509eea_JC.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1580 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

1580 PING.EXE

pid	pid_target	process	target process
1632	2916	WerFault.exe	NEAS.1aa20713c9af2eeec3756392dca573d39bf5fa8d18a14087d67cd39f07509eea_JC.exe

pid	process
1580	PING.EXE

pid	process
1580	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

NEAS.1aa20713c9af2eeec3756392dca573d39bf5fa8d18a14087d67cd39f07509eea_JC.exepowershell.exeExplorer.EXE

pid	process
2916	NEAS.1aa20713c9af2eeec3756392dca573d39bf5fa8d18a14087d67cd39f07509eea_JC.exe
2916	NEAS.1aa20713c9af2eeec3756392dca573d39bf5fa8d18a14087d67cd39f07509eea_JC.exe
4672	powershell.exe
4672	powershell.exe
4672	powershell.exe
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3148 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

4672 powershell.exe
3148 Explorer.EXE
3148 Explorer.EXE
3148 Explorer.EXE
3148 Explorer.EXE
3148 Explorer.EXE
3148 Explorer.EXE
4956 cmd.exe

pid	process
3148	Explorer.EXE

pid	process
4672	powershell.exe
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
3148	Explorer.EXE
4956	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	4672	powershell.exe
Token: SeShutdownPrivilege	3148	Explorer.EXE
Token: SeCreatePagefilePrivilege	3148	Explorer.EXE
Token: SeShutdownPrivilege	3148	Explorer.EXE
Token: SeCreatePagefilePrivilege	3148	Explorer.EXE
Token: SeShutdownPrivilege	3148	Explorer.EXE
Token: SeCreatePagefilePrivilege	3148	Explorer.EXE
Token: SeShutdownPrivilege	3148	Explorer.EXE
Token: SeCreatePagefilePrivilege	3148	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3148 Explorer.EXE
Suspicious use of UnmapMainImage 2 IoCs

Processes:

RuntimeBroker.exeExplorer.EXE

pid process

3764 RuntimeBroker.exe
3148 Explorer.EXE

pid	process
3148	Explorer.EXE

pid	process
3764	RuntimeBroker.exe
3148	Explorer.EXE

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

mshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2672 wrote to memory of 4672	2672	mshta.exe	powershell.exe
PID 2672 wrote to memory of 4672	2672	mshta.exe	powershell.exe
PID 4672 wrote to memory of 4816	4672	powershell.exe	csc.exe
PID 4672 wrote to memory of 4816	4672	powershell.exe	csc.exe
PID 4816 wrote to memory of 2704	4816	csc.exe	cvtres.exe
PID 4816 wrote to memory of 2704	4816	csc.exe	cvtres.exe
PID 4672 wrote to memory of 4132	4672	powershell.exe	csc.exe
PID 4672 wrote to memory of 4132	4672	powershell.exe	csc.exe
PID 4132 wrote to memory of 1120	4132	csc.exe	cvtres.exe
PID 4132 wrote to memory of 1120	4132	csc.exe	cvtres.exe
PID 4672 wrote to memory of 3148	4672	powershell.exe	Explorer.EXE
PID 4672 wrote to memory of 3148	4672	powershell.exe	Explorer.EXE
PID 4672 wrote to memory of 3148	4672	powershell.exe	Explorer.EXE
PID 4672 wrote to memory of 3148	4672	powershell.exe	Explorer.EXE
PID 3148 wrote to memory of 3764	3148	Explorer.EXE	RuntimeBroker.exe
PID 3148 wrote to memory of 3764	3148	Explorer.EXE	RuntimeBroker.exe
PID 3148 wrote to memory of 4956	3148	Explorer.EXE	cmd.exe
PID 3148 wrote to memory of 4956	3148	Explorer.EXE	cmd.exe
PID 3148 wrote to memory of 4956	3148	Explorer.EXE	cmd.exe
PID 3148 wrote to memory of 3764	3148	Explorer.EXE	RuntimeBroker.exe
PID 3148 wrote to memory of 3764	3148	Explorer.EXE	RuntimeBroker.exe
PID 3148 wrote to memory of 4072	3148	Explorer.EXE	RuntimeBroker.exe
PID 3148 wrote to memory of 4072	3148	Explorer.EXE	RuntimeBroker.exe
PID 3148 wrote to memory of 4072	3148	Explorer.EXE	RuntimeBroker.exe
PID 3148 wrote to memory of 4072	3148	Explorer.EXE	RuntimeBroker.exe
PID 3148 wrote to memory of 2340	3148	Explorer.EXE	RuntimeBroker.exe
PID 3148 wrote to memory of 2340	3148	Explorer.EXE	RuntimeBroker.exe
PID 3148 wrote to memory of 4956	3148	Explorer.EXE	cmd.exe
PID 3148 wrote to memory of 2340	3148	Explorer.EXE	RuntimeBroker.exe
PID 3148 wrote to memory of 4956	3148	Explorer.EXE	cmd.exe
PID 3148 wrote to memory of 2340	3148	Explorer.EXE	RuntimeBroker.exe
PID 3148 wrote to memory of 4540	3148	Explorer.EXE	RuntimeBroker.exe
PID 3148 wrote to memory of 4540	3148	Explorer.EXE	RuntimeBroker.exe
PID 3148 wrote to memory of 4540	3148	Explorer.EXE	RuntimeBroker.exe
PID 3148 wrote to memory of 4540	3148	Explorer.EXE	RuntimeBroker.exe
PID 3148 wrote to memory of 4200	3148	Explorer.EXE	cmd.exe
PID 3148 wrote to memory of 4200	3148	Explorer.EXE	cmd.exe
PID 3148 wrote to memory of 4200	3148	Explorer.EXE	cmd.exe
PID 3148 wrote to memory of 4200	3148	Explorer.EXE	cmd.exe
PID 4956 wrote to memory of 1580	4956	cmd.exe	PING.EXE
PID 4956 wrote to memory of 1580	4956	cmd.exe	PING.EXE
PID 4956 wrote to memory of 1580	4956	cmd.exe	PING.EXE
PID 4956 wrote to memory of 1580	4956	cmd.exe	PING.EXE
PID 3148 wrote to memory of 4200	3148	Explorer.EXE	cmd.exe
PID 3148 wrote to memory of 4200	3148	Explorer.EXE	cmd.exe
PID 4956 wrote to memory of 1580	4956	cmd.exe	PING.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3148

C:\Users\Admin\AppData\Local\Temp\NEAS.1aa20713c9af2eeec3756392dca573d39bf5fa8d18a14087d67cd39f07509eea_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.1aa20713c9af2eeec3756392dca573d39bf5fa8d18a14087d67cd39f07509eea_JC.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 472
3⤵
- Program crash
PID:1632

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Jveh='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Jveh).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\47C55FEA-FA41-11E9-3C6B-CED530CFE2D9\\\ActiveStart'));if(!window.flag)close()</script>"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name oymosqxk -value gp; new-alias -name tgvfswg -value iex; tgvfswg ([System.Text.Encoding]::ASCII.GetString((oymosqxk "HKCU:Software\AppDataLow\Software\Microsoft\47C55FEA-FA41-11E9-3C6B-CED530CFE2D9").ClassFile))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4672

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ori2vqqq\ori2vqqq.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:4816

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC06.tmp" "c:\Users\Admin\AppData\Local\Temp\ori2vqqq\CSC5E2A2CD957C14BC0932C61BEDED7BE.TMP"
5⤵
PID:2704

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xgfuzvuh\xgfuzvuh.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:4132

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESED0F.tmp" "c:\Users\Admin\AppData\Local\Temp\xgfuzvuh\CSC9D08B1C86C9045FBB72B5A6E3F1711FA.TMP"
5⤵
PID:1120

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\NEAS.1aa20713c9af2eeec3756392dca573d39bf5fa8d18a14087d67cd39f07509eea_JC.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4956

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1580

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:4200

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2340

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4072

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:3764

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2916 -ip 2916
1⤵
PID:4696

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESEC06.tmp
Filesize
1KB

MD5
54511076baa60b848cecfc674de0cd92

SHA1
45dbb263793761a26355dbb0d3b341a81a758093

SHA256
f7b15944a6cd495d42fa83b0a6b82c79a63f721bafd8f43aa603340e544bda16

SHA512
8dbf48c506ab391fef1978eee3b5d8dc2f4a38d4ca702fbd6364fcd9a6c6fea21af193211f3bd91d90e3336cf5e499b6f260a4318ed6e9000e51675d70b84932

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESED0F.tmp
Filesize
1KB

MD5
82af0bd3d0daee8fb33cec327e0744e0

SHA1
9d574b3e8217d778c4e29491f6a275b8dba1dbef

SHA256
5c957c111c283edf677fbe3901ee3fbd13ffb12e5509e18eafb293cb91d8fe28

SHA512
588c558cc2e73ab93645ca21193eb8ee7c2a65ecac14901bb70a3995a33523de8ad28dacae510704ac195e81762d647cdbf0cf48da6dd07513598dc055de3a2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fad1aexe.mjo.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ori2vqqq\ori2vqqq.dll
Filesize
3KB

MD5
d1f3c2da42030a71e83515ff90217ef4

SHA1
a2c44d2da25d2c12160f3152c728da18cf235597

SHA256
9acb3c01372d369155eb86d7ea6cc985fae98c04746c2e2f2014551dafd1d08f

SHA512
6b738fa67ef664f3ad3a428e56a6caa5be28ac80b4723f34dbbcfba34d9efc1366646ee9b01aee27c3d0a0a9a344c76f80a65fbb2cc1e8173715d9106ef4cf6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xgfuzvuh\xgfuzvuh.dll
Filesize
3KB

MD5
26585d99aa2c5f71054f3c137c0443cb

SHA1
c4a870d7838898418f5323661ce3ab6453dfcd31

SHA256
a10201520fac2ed5e237acbb3a61bf7b4e89ea47fc985db24d3edb3b988365c5

SHA512
234ef5a2694cd09051a9d1b393de0b690098563a97bc3b26050a86e906cb85021c43c7ad7d2969937aef7ab83cc329b9f4aff62d2060838dc4d45b063953f23e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ori2vqqq\CSC5E2A2CD957C14BC0932C61BEDED7BE.TMP
Filesize
652B

MD5
3479cd8c5110fbb685875769277517e5

SHA1
af607466880d7877495e1d076942bdb5ec8c5815

SHA256
c58f5f122f31d43eb4e5321b70f9d348ed087c53feaf52d89c79be4fbcf0e0e1

SHA512
a9c48480c87197bacc948a7787759338c7450b1b1f9e25810947c5110bb05911687e5ca00f99ef7c7cf78ec85615a676dadf81439d8adaa578f9131527def304

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ori2vqqq\ori2vqqq.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ori2vqqq\ori2vqqq.cmdline
Filesize
369B

MD5
abd101b2a148b945460cb57baf726f04

SHA1
2deaf91d4704cce3f6be82640b61750f51aeb6cf

SHA256
9dd7886481c5686d5ce87ac96b4cf05760eb7b0d37a645f19c751a0a35396a64

SHA512
41f9362a7d2564880681094ebb7281fc3d8e873c3ae23004ea74eff098f2bc5b87ff19c96e57454816991c76e60045d905629de3127eb6f1cfe9f9d1ef12a598

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xgfuzvuh\CSC9D08B1C86C9045FBB72B5A6E3F1711FA.TMP
Filesize
652B

MD5
fe5c1c08dbbc1800fc03e92f4aaa0110

SHA1
30bcb3438fadf58b697b86f4962776f9da4aab9d

SHA256
b4ca6d06153313728e72dc40ed0cb5d3712de23ee35b809ec28b4a59eaea3573

SHA512
40a9882390e19dd9ef473f9c9bff9c176e163e07de2ab759fbce2d0d440de57f397077a46a76a1ad1d704d55ee3592f99cccc52ca0f9673ea1bced5a1ae5f272

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xgfuzvuh\xgfuzvuh.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xgfuzvuh\xgfuzvuh.cmdline
Filesize
369B

MD5
4b19b84eec29ffd38619927c02768604

SHA1
2129284f7bab2fe6b808ecb44942b3be955df9a2

SHA256
b1a0186441339a1ac4f26528725e0bc727baca856db3e8c7269cdfd8f10680b5

SHA512
86bf73cffbd5232b22e7f5e1eb4541d569eda9e69df12c73c59add117750772fb1e954921c95db030a62ea1395bad8c6b24c30688e40387cf8ae0876b381e952

Download Submit
memory/1580-104-0x0000025737C00000-0x0000025737CA4000-memory.dmp

Filesize
656KB

Download
memory/1580-107-0x0000025737B90000-0x0000025737B91000-memory.dmp

Filesize
4KB

Download
memory/1580-116-0x0000025737C00000-0x0000025737CA4000-memory.dmp

Filesize
656KB

Download
memory/2340-86-0x000001CF765D0000-0x000001CF765D1000-memory.dmp

Filesize
4KB

Download
memory/2340-118-0x000001CF76E20000-0x000001CF76EC4000-memory.dmp

Filesize
656KB

Download
memory/2340-83-0x000001CF76E20000-0x000001CF76EC4000-memory.dmp

Filesize
656KB

Download
memory/2916-9-0x0000000003FD0000-0x0000000003FDB000-memory.dmp

Filesize
44KB

Download
memory/2916-8-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/2916-7-0x0000000002420000-0x0000000002520000-memory.dmp

Filesize
1024KB

Download
memory/2916-4-0x0000000004140000-0x000000000414D000-memory.dmp

Filesize
52KB

Download
memory/2916-3-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/2916-2-0x0000000003FD0000-0x0000000003FDB000-memory.dmp

Filesize
44KB

Download
memory/2916-1-0x0000000002420000-0x0000000002520000-memory.dmp

Filesize
1024KB

Download
memory/3148-56-0x00000000081B0000-0x0000000008254000-memory.dmp

Filesize
656KB

Download
memory/3148-57-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/3148-102-0x00000000081B0000-0x0000000008254000-memory.dmp

Filesize
656KB

Download
memory/3764-113-0x0000028FAB020000-0x0000028FAB0C4000-memory.dmp

Filesize
656KB

Download
memory/3764-69-0x0000028FAB020000-0x0000028FAB0C4000-memory.dmp

Filesize
656KB

Download
memory/3764-70-0x0000028FAB0D0000-0x0000028FAB0D1000-memory.dmp

Filesize
4KB

Download
memory/4072-76-0x000002B3FD660000-0x000002B3FD661000-memory.dmp

Filesize
4KB

Download
memory/4072-115-0x000002B3FD6A0000-0x000002B3FD744000-memory.dmp

Filesize
656KB

Download
memory/4072-75-0x000002B3FD6A0000-0x000002B3FD744000-memory.dmp

Filesize
656KB

Download
memory/4200-110-0x0000000000A70000-0x0000000000B08000-memory.dmp

Filesize
608KB

Download
memory/4200-101-0x0000000000A70000-0x0000000000B08000-memory.dmp

Filesize
608KB

Download
memory/4200-105-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/4540-92-0x000001E39F040000-0x000001E39F0E4000-memory.dmp

Filesize
656KB

Download
memory/4540-93-0x000001E39EB60000-0x000001E39EB61000-memory.dmp

Filesize
4KB

Download
memory/4540-119-0x000001E39F040000-0x000001E39F0E4000-memory.dmp

Filesize
656KB

Download
memory/4672-66-0x00007FF92D6D0000-0x00007FF92E191000-memory.dmp

Filesize
10.8MB

Download
memory/4672-24-0x000002C17D980000-0x000002C17D990000-memory.dmp

Filesize
64KB

Download
memory/4672-38-0x000002C17DA70000-0x000002C17DA78000-memory.dmp

Filesize
32KB

Download
memory/4672-54-0x000002C17E2A0000-0x000002C17E2DD000-memory.dmp

Filesize
244KB

Download
memory/4672-23-0x000002C17D980000-0x000002C17D990000-memory.dmp

Filesize
64KB

Download
memory/4672-67-0x000002C17E2A0000-0x000002C17E2DD000-memory.dmp

Filesize
244KB

Download
memory/4672-25-0x000002C17D980000-0x000002C17D990000-memory.dmp

Filesize
64KB

Download
memory/4672-52-0x000002C17DC10000-0x000002C17DC18000-memory.dmp

Filesize
32KB

Download
memory/4672-22-0x00007FF92D6D0000-0x00007FF92E191000-memory.dmp

Filesize
10.8MB

Download
memory/4672-12-0x000002C17D9C0000-0x000002C17D9E2000-memory.dmp

Filesize
136KB

Download
memory/4956-82-0x000001DBB0FF0000-0x000001DBB0FF1000-memory.dmp

Filesize
4KB

Download
memory/4956-117-0x000001DBB1040000-0x000001DBB10E4000-memory.dmp

Filesize
656KB

Download
memory/4956-80-0x000001DBB1040000-0x000001DBB10E4000-memory.dmp

Filesize
656KB

Download