gozi | 911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4

Analysis

max time kernel
151s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
06-10-2023 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4_JC.exe
Size

274KB
MD5

d18f3fecf6d28ddd0f4cf4a9b53c0aec
SHA1

05263b9ec69fcf48cc71443ba23545fabe21df12
SHA256

911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4
SHA512

4629ce7f35716bd2c0fc3c14104251c6b2f3eaf07f7b35cf181654d6bc9be85bda6cb6f802b00f98c6bbb446db4790940605dcf8f8d6391282281ac029ff0512
SSDEEP

3072:utyJSwPI9F4BwVVO+kjH4wjyIphvo3ZDivScpBaa4l8QU:iyrPa4BI7wuIphg3ZDi6cnA8Q

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

mifrutty.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

http://igrovdow.com

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mshta.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation mshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1892 set thread context of 2420	1892	powershell.exe	Explorer.EXE
PID 2420 set thread context of 3684	2420	Explorer.EXE	RuntimeBroker.exe
PID 2420 set thread context of 3328	2420	Explorer.EXE	RuntimeBroker.exe
PID 2420 set thread context of 5092	2420	Explorer.EXE	RuntimeBroker.exe
PID 2420 set thread context of 1900	2420	Explorer.EXE	cmd.exe
PID 2420 set thread context of 4796	2420	Explorer.EXE	RuntimeBroker.exe
PID 1900 set thread context of 1744	1900	cmd.exe	PING.EXE
PID 2420 set thread context of 4984	2420	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4092 4888 WerFault.exe NEAS.911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4_JC.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1744 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

1744 PING.EXE

pid	pid_target	process	target process
4092	4888	WerFault.exe	NEAS.911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4_JC.exe

pid	process
1744	PING.EXE

pid	process
1744	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

NEAS.911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4_JC.exepowershell.exeExplorer.EXE

pid	process
4888	NEAS.911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4_JC.exe
4888	NEAS.911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4_JC.exe
1892	powershell.exe
1892	powershell.exe
1892	powershell.exe
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2420 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

1892 powershell.exe
2420 Explorer.EXE
2420 Explorer.EXE
2420 Explorer.EXE
2420 Explorer.EXE
2420 Explorer.EXE
2420 Explorer.EXE
1900 cmd.exe

pid	process
2420	Explorer.EXE

pid	process
1892	powershell.exe
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
2420	Explorer.EXE
1900	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeShutdownPrivilege	2420	Explorer.EXE
Token: SeCreatePagefilePrivilege	2420	Explorer.EXE
Token: SeShutdownPrivilege	2420	Explorer.EXE
Token: SeCreatePagefilePrivilege	2420	Explorer.EXE
Token: SeShutdownPrivilege	2420	Explorer.EXE
Token: SeCreatePagefilePrivilege	2420	Explorer.EXE
Token: SeShutdownPrivilege	2420	Explorer.EXE
Token: SeCreatePagefilePrivilege	2420	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

2420 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2420 Explorer.EXE

pid	process
2420	Explorer.EXE

pid	process
2420	Explorer.EXE

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

mshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 3184 wrote to memory of 1892	3184	mshta.exe	powershell.exe
PID 3184 wrote to memory of 1892	3184	mshta.exe	powershell.exe
PID 1892 wrote to memory of 2496	1892	powershell.exe	csc.exe
PID 1892 wrote to memory of 2496	1892	powershell.exe	csc.exe
PID 2496 wrote to memory of 4908	2496	csc.exe	cvtres.exe
PID 2496 wrote to memory of 4908	2496	csc.exe	cvtres.exe
PID 1892 wrote to memory of 524	1892	powershell.exe	csc.exe
PID 1892 wrote to memory of 524	1892	powershell.exe	csc.exe
PID 524 wrote to memory of 4712	524	csc.exe	cvtres.exe
PID 524 wrote to memory of 4712	524	csc.exe	cvtres.exe
PID 1892 wrote to memory of 2420	1892	powershell.exe	Explorer.EXE
PID 1892 wrote to memory of 2420	1892	powershell.exe	Explorer.EXE
PID 1892 wrote to memory of 2420	1892	powershell.exe	Explorer.EXE
PID 1892 wrote to memory of 2420	1892	powershell.exe	Explorer.EXE
PID 2420 wrote to memory of 3684	2420	Explorer.EXE	RuntimeBroker.exe
PID 2420 wrote to memory of 3684	2420	Explorer.EXE	RuntimeBroker.exe
PID 2420 wrote to memory of 3684	2420	Explorer.EXE	RuntimeBroker.exe
PID 2420 wrote to memory of 3684	2420	Explorer.EXE	RuntimeBroker.exe
PID 2420 wrote to memory of 3328	2420	Explorer.EXE	RuntimeBroker.exe
PID 2420 wrote to memory of 3328	2420	Explorer.EXE	RuntimeBroker.exe
PID 2420 wrote to memory of 1900	2420	Explorer.EXE	cmd.exe
PID 2420 wrote to memory of 1900	2420	Explorer.EXE	cmd.exe
PID 2420 wrote to memory of 1900	2420	Explorer.EXE	cmd.exe
PID 2420 wrote to memory of 3328	2420	Explorer.EXE	RuntimeBroker.exe
PID 2420 wrote to memory of 3328	2420	Explorer.EXE	RuntimeBroker.exe
PID 2420 wrote to memory of 5092	2420	Explorer.EXE	RuntimeBroker.exe
PID 2420 wrote to memory of 5092	2420	Explorer.EXE	RuntimeBroker.exe
PID 2420 wrote to memory of 5092	2420	Explorer.EXE	RuntimeBroker.exe
PID 2420 wrote to memory of 5092	2420	Explorer.EXE	RuntimeBroker.exe
PID 2420 wrote to memory of 4796	2420	Explorer.EXE	RuntimeBroker.exe
PID 2420 wrote to memory of 4796	2420	Explorer.EXE	RuntimeBroker.exe
PID 2420 wrote to memory of 1900	2420	Explorer.EXE	cmd.exe
PID 2420 wrote to memory of 4796	2420	Explorer.EXE	RuntimeBroker.exe
PID 2420 wrote to memory of 1900	2420	Explorer.EXE	cmd.exe
PID 2420 wrote to memory of 4796	2420	Explorer.EXE	RuntimeBroker.exe
PID 2420 wrote to memory of 4984	2420	Explorer.EXE	cmd.exe
PID 2420 wrote to memory of 4984	2420	Explorer.EXE	cmd.exe
PID 2420 wrote to memory of 4984	2420	Explorer.EXE	cmd.exe
PID 2420 wrote to memory of 4984	2420	Explorer.EXE	cmd.exe
PID 1900 wrote to memory of 1744	1900	cmd.exe	PING.EXE
PID 1900 wrote to memory of 1744	1900	cmd.exe	PING.EXE
PID 1900 wrote to memory of 1744	1900	cmd.exe	PING.EXE
PID 1900 wrote to memory of 1744	1900	cmd.exe	PING.EXE
PID 1900 wrote to memory of 1744	1900	cmd.exe	PING.EXE
PID 2420 wrote to memory of 4984	2420	Explorer.EXE	cmd.exe
PID 2420 wrote to memory of 4984	2420	Explorer.EXE	cmd.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5092

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3328

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3684

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2420

C:\Users\Admin\AppData\Local\Temp\NEAS.911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4_JC.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 564
3⤵
- Program crash
PID:4092

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Rc6q='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Rc6q).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\DD164BDA-982A-17AD-8A61-4C3B5E25409F\\\FolderOptions'));if(!window.flag)close()</script>"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name kjfojbct -value gp; new-alias -name jasxyxqqnq -value iex; jasxyxqqnq ([System.Text.Encoding]::ASCII.GetString((kjfojbct "HKCU:Software\AppDataLow\Software\Microsoft\DD164BDA-982A-17AD-8A61-4C3B5E25409F").MelodyTool))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1892

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ji2k2mtw\ji2k2mtw.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2496

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B15.tmp" "c:\Users\Admin\AppData\Local\Temp\ji2k2mtw\CSC2106779B18CC4F1B8838488A134F52FE.TMP"
5⤵
PID:4908

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\flmta5xw\flmta5xw.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:524

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D28.tmp" "c:\Users\Admin\AppData\Local\Temp\flmta5xw\CSCC59A2B0B72414C9B8A68FDB0FE71845D.TMP"
5⤵
PID:4712

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\NEAS.911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4_JC.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1744

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:4984

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4888 -ip 4888
1⤵
PID:884

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1B15.tmp
Filesize
1KB

MD5
3b16e0d93bd295ca5ea3bc1907dd9328

SHA1
e59233b18afdc4cbf9c4b8a377f49de5350301ea

SHA256
79ada5f4ac04e874375b399b86580454cc6292a440e6919d7e301d0b51f9a61c

SHA512
af22fa07dfcd2205537e01b85f657891d1935957d28c3d417bd63febc63e15db3faeed7dda0901afc122187a697c2cc7999032207308235c7224e8f11d4c1343

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1D28.tmp
Filesize
1KB

MD5
1f77d2fff7e83cc4671e9a4c7a8bb84e

SHA1
2de91faa2549569ba8ac0d6c970bae6b6f2904fc

SHA256
dc18a83989b6dfafc272136e7e677671f58cbef8ac866a7ed39eb27ca3d43096

SHA512
ff058a1a7a393d4bf5f392275e93c318c20eb1b386597ea7d15fd37891e288e4adc1242a7cf8b16feec9af1c278275f080bad819621879a2955e8493228bf802

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_flh1a1pp.3sc.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\flmta5xw\flmta5xw.dll
Filesize
3KB

MD5
f6e5456da01efac3859656ea9bb03150

SHA1
1e4cd543c746ae32abfc953e8160d8a091bd4c5f

SHA256
b8dce5f714e1992ba19830853deecaac236f748427311bce515a7ef7ecd4046f

SHA512
678a870cfba0b7ea616103e4565887b518f814262a89831a9232421618d37721b90a0d7353bd5642a07a091da8b4d4472e5ff51bd1e63cc48516a71704a5dd44

Download Submit
C:\Users\Admin\AppData\Local\Temp\ji2k2mtw\ji2k2mtw.dll
Filesize
3KB

MD5
120b896b3ae6d5ee99b3f94ae40f6711

SHA1
a45bb3ea0d6f25f5df76ab789aa8f80474089314

SHA256
041c7644b6eb48e6e81ef17365a9d2e7c9b574010b0ee26b8a4782cbef6c3308

SHA512
47daca8a5f522ad69ab8a58dd1bfa08199eed8db96934766235ba5f7ccbd2055191e078e34318f518256948963f51d5a5d973f4208e4aa4527e7190b821b3ee8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\flmta5xw\CSCC59A2B0B72414C9B8A68FDB0FE71845D.TMP
Filesize
652B

MD5
33215344303be48e26960b0fa16c4bfa

SHA1
c79ce8baf2a631eef5b7e03695767a6e4fcbb438

SHA256
2a54492c0000363ffe806b36a378513956df7ca0b7ee690d8355dbf00965f1fc

SHA512
4ea377f1116d55f2d9501399a9fa9c03d4731825462e3610726acc752ee1f756f7b85d6bdaf0a5912f3fe085682820731acc30ee0a9ab5fc1c29e7ac487cebcf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\flmta5xw\flmta5xw.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\flmta5xw\flmta5xw.cmdline
Filesize
369B

MD5
7a67c1f054201144344f1e46af3e0440

SHA1
09dc4d9d244d49e5676834c42fd01b1f95b2afd6

SHA256
d7614ff035d1416c2b9804f368519b0659b3429a6a85a1c6045fbb397e05a221

SHA512
0f9c3f0f07d3cb08f2f4b5ab1b15678ade387954b5b4767f97767cc8092fcad8ce7fb9eba78d98445562006f69d23983dd7a8465ca2c02a20627f1401c334c02

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ji2k2mtw\CSC2106779B18CC4F1B8838488A134F52FE.TMP
Filesize
652B

MD5
ae4b0aad8a211703d64f92a496c33bd5

SHA1
dcb9202232cdc1cb97de2818384a1bbe6b957a0a

SHA256
a3b6e28df2b6dbb80e281e37de13b59f8ca26dd358b7570c8a43db0b8c4a233b

SHA512
85d565bdd5d2bc0210c32b20b260018994ed1398983e786d7e704824b13c61dfa8f6cc310176b9fb71cbc9bc78f937383012f8595f32ed0a55d4ae8d6ff6815e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ji2k2mtw\ji2k2mtw.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ji2k2mtw\ji2k2mtw.cmdline
Filesize
369B

MD5
dc24f645aa796ce9191f02769d279253

SHA1
4300971d0766ba56fc5f27f5232307ce06f49c39

SHA256
8fbacad8ecf8e864c6bc15cfcfdca1f5ca5a0e5ca86a99952af67d3b04d8c791

SHA512
6eefa956fd16ff2e7d3f2c3d277e1fc18aa7572eab06a1a591a9c180503357ae085c3f323ccff3f63d724985400f562716b4dc1f439dfc624a63cc383d93039d

Download Submit
memory/1744-102-0x0000021D41840000-0x0000021D41841000-memory.dmp

Filesize
4KB

Download
memory/1744-100-0x0000021D41A90000-0x0000021D41B34000-memory.dmp

Filesize
656KB

Download
memory/1744-113-0x0000021D41A90000-0x0000021D41B34000-memory.dmp

Filesize
656KB

Download
memory/1892-58-0x00000218F6620000-0x00000218F665D000-memory.dmp

Filesize
244KB

Download
memory/1892-23-0x00000218F6240000-0x00000218F6250000-memory.dmp

Filesize
64KB

Download
memory/1892-37-0x00000218F65F0000-0x00000218F65F8000-memory.dmp

Filesize
32KB

Download
memory/1892-24-0x00000218F6240000-0x00000218F6250000-memory.dmp

Filesize
64KB

Download
memory/1892-22-0x00007FF968A40000-0x00007FF969501000-memory.dmp

Filesize
10.8MB

Download
memory/1892-12-0x00000218F6280000-0x00000218F62A2000-memory.dmp

Filesize
136KB

Download
memory/1892-51-0x00000218F6610000-0x00000218F6618000-memory.dmp

Filesize
32KB

Download
memory/1892-80-0x00007FF968A40000-0x00007FF969501000-memory.dmp

Filesize
10.8MB

Download
memory/1900-89-0x0000027465610000-0x0000027465611000-memory.dmp

Filesize
4KB

Download
memory/1900-87-0x0000027465870000-0x0000027465914000-memory.dmp

Filesize
656KB

Download
memory/1900-114-0x0000027465870000-0x0000027465914000-memory.dmp

Filesize
656KB

Download
memory/2420-55-0x0000000009190000-0x0000000009234000-memory.dmp

Filesize
656KB

Download
memory/2420-60-0x00000000032A0000-0x00000000032A1000-memory.dmp

Filesize
4KB

Download
memory/2420-61-0x0000000009190000-0x0000000009234000-memory.dmp

Filesize
656KB

Download
memory/2420-107-0x0000000009190000-0x0000000009234000-memory.dmp

Filesize
656KB

Download
memory/3328-73-0x000001743DB60000-0x000001743DC04000-memory.dmp

Filesize
656KB

Download
memory/3328-75-0x000001743DB20000-0x000001743DB21000-memory.dmp

Filesize
4KB

Download
memory/3328-112-0x000001743DB60000-0x000001743DC04000-memory.dmp

Filesize
656KB

Download
memory/3684-68-0x000002E058440000-0x000002E0584E4000-memory.dmp

Filesize
656KB

Download
memory/3684-69-0x000002E057F10000-0x000002E057F11000-memory.dmp

Filesize
4KB

Download
memory/3684-111-0x000002E058440000-0x000002E0584E4000-memory.dmp

Filesize
656KB

Download
memory/4796-92-0x00000265255F0000-0x00000265255F1000-memory.dmp

Filesize
4KB

Download
memory/4796-88-0x0000026526340000-0x00000265263E4000-memory.dmp

Filesize
656KB

Download
memory/4796-117-0x0000026526340000-0x00000265263E4000-memory.dmp

Filesize
656KB

Download
memory/4888-8-0x0000000002570000-0x0000000002670000-memory.dmp

Filesize
1024KB

Download
memory/4888-1-0x0000000002570000-0x0000000002670000-memory.dmp

Filesize
1024KB

Download
memory/4888-5-0x0000000002560000-0x000000000256D000-memory.dmp

Filesize
52KB

Download
memory/4888-3-0x0000000000400000-0x000000000228B000-memory.dmp

Filesize
30.5MB

Download
memory/4888-9-0x0000000002530000-0x000000000253B000-memory.dmp

Filesize
44KB

Download
memory/4888-115-0x0000000000400000-0x000000000228B000-memory.dmp

Filesize
30.5MB

Download
memory/4888-2-0x0000000002530000-0x000000000253B000-memory.dmp

Filesize
44KB

Download
memory/4888-4-0x0000000000400000-0x000000000228B000-memory.dmp

Filesize
30.5MB

Download
memory/4984-110-0x0000000000FC0000-0x0000000001058000-memory.dmp

Filesize
608KB

Download
memory/4984-101-0x0000000000FC0000-0x0000000001058000-memory.dmp

Filesize
608KB

Download
memory/4984-109-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/5092-79-0x0000023D2AAB0000-0x0000023D2AB54000-memory.dmp

Filesize
656KB

Download
memory/5092-116-0x0000023D2AAB0000-0x0000023D2AB54000-memory.dmp

Filesize
656KB

Download
memory/5092-82-0x0000023D287E0000-0x0000023D287E1000-memory.dmp

Filesize
4KB

Download