gozi | 999d43ee4c9a1ec38c0b00fc38abe0b29b13cc83983c6ee895cbb2768b29022d

Analysis

max time kernel
168s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2023 08:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4.exe
Size

274KB
MD5

d18f3fecf6d28ddd0f4cf4a9b53c0aec
SHA1

05263b9ec69fcf48cc71443ba23545fabe21df12
SHA256

911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4
SHA512

4629ce7f35716bd2c0fc3c14104251c6b2f3eaf07f7b35cf181654d6bc9be85bda6cb6f802b00f98c6bbb446db4790940605dcf8f8d6391282281ac029ff0512
SSDEEP

3072:utyJSwPI9F4BwVVO+kjH4wjyIphvo3ZDivScpBaa4l8QU:iyrPa4BI7wuIphg3ZDi6cnA8Q

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

mifrutty.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

http://igrovdow.com

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mshta.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation mshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1556 set thread context of 3172	1556	powershell.exe	Explorer.EXE
PID 3172 set thread context of 3764	3172	Explorer.EXE	RuntimeBroker.exe
PID 3172 set thread context of 4036	3172	Explorer.EXE	RuntimeBroker.exe
PID 3172 set thread context of 2676	3172	Explorer.EXE	RuntimeBroker.exe
PID 3172 set thread context of 888	3172	Explorer.EXE	RuntimeBroker.exe
PID 3172 set thread context of 3160	3172	Explorer.EXE	cmd.exe
PID 3172 set thread context of 1888	3172	Explorer.EXE	cmd.exe
PID 3160 set thread context of 4348	3160	cmd.exe	PING.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1116 3800 WerFault.exe 911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4348 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

4348 PING.EXE

pid	pid_target	process	target process
1116	3800	WerFault.exe	911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4.exe

pid	process
4348	PING.EXE

pid	process
4348	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4.exepowershell.exeExplorer.EXE

pid	process
3800	911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4.exe
3800	911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4.exe
1556	powershell.exe
1556	powershell.exe
1556	powershell.exe
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3172 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

1556 powershell.exe
3172 Explorer.EXE
3172 Explorer.EXE
3172 Explorer.EXE
3172 Explorer.EXE
3172 Explorer.EXE
3172 Explorer.EXE
3160 cmd.exe

pid	process
3172	Explorer.EXE

pid	process
1556	powershell.exe
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3160	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

powershell.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3172 Explorer.EXE
Suspicious use of UnmapMainImage 2 IoCs

Processes:

Explorer.EXERuntimeBroker.exe

pid process

3172 Explorer.EXE
3764 RuntimeBroker.exe

pid	process
3172	Explorer.EXE

pid	process
3172	Explorer.EXE
3764	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

mshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 984 wrote to memory of 1556	984	mshta.exe	powershell.exe
PID 984 wrote to memory of 1556	984	mshta.exe	powershell.exe
PID 1556 wrote to memory of 4124	1556	powershell.exe	csc.exe
PID 1556 wrote to memory of 4124	1556	powershell.exe	csc.exe
PID 4124 wrote to memory of 1804	4124	csc.exe	cvtres.exe
PID 4124 wrote to memory of 1804	4124	csc.exe	cvtres.exe
PID 1556 wrote to memory of 4712	1556	powershell.exe	csc.exe
PID 1556 wrote to memory of 4712	1556	powershell.exe	csc.exe
PID 4712 wrote to memory of 3820	4712	csc.exe	cvtres.exe
PID 4712 wrote to memory of 3820	4712	csc.exe	cvtres.exe
PID 1556 wrote to memory of 3172	1556	powershell.exe	Explorer.EXE
PID 1556 wrote to memory of 3172	1556	powershell.exe	Explorer.EXE
PID 1556 wrote to memory of 3172	1556	powershell.exe	Explorer.EXE
PID 1556 wrote to memory of 3172	1556	powershell.exe	Explorer.EXE
PID 3172 wrote to memory of 3764	3172	Explorer.EXE	RuntimeBroker.exe
PID 3172 wrote to memory of 3764	3172	Explorer.EXE	RuntimeBroker.exe
PID 3172 wrote to memory of 3764	3172	Explorer.EXE	RuntimeBroker.exe
PID 3172 wrote to memory of 3764	3172	Explorer.EXE	RuntimeBroker.exe
PID 3172 wrote to memory of 4036	3172	Explorer.EXE	RuntimeBroker.exe
PID 3172 wrote to memory of 4036	3172	Explorer.EXE	RuntimeBroker.exe
PID 3172 wrote to memory of 4036	3172	Explorer.EXE	RuntimeBroker.exe
PID 3172 wrote to memory of 4036	3172	Explorer.EXE	RuntimeBroker.exe
PID 3172 wrote to memory of 2676	3172	Explorer.EXE	RuntimeBroker.exe
PID 3172 wrote to memory of 2676	3172	Explorer.EXE	RuntimeBroker.exe
PID 3172 wrote to memory of 2676	3172	Explorer.EXE	RuntimeBroker.exe
PID 3172 wrote to memory of 2676	3172	Explorer.EXE	RuntimeBroker.exe
PID 3172 wrote to memory of 888	3172	Explorer.EXE	RuntimeBroker.exe
PID 3172 wrote to memory of 888	3172	Explorer.EXE	RuntimeBroker.exe
PID 3172 wrote to memory of 888	3172	Explorer.EXE	RuntimeBroker.exe
PID 3172 wrote to memory of 888	3172	Explorer.EXE	RuntimeBroker.exe
PID 3172 wrote to memory of 3160	3172	Explorer.EXE	cmd.exe
PID 3172 wrote to memory of 3160	3172	Explorer.EXE	cmd.exe
PID 3172 wrote to memory of 3160	3172	Explorer.EXE	cmd.exe
PID 3172 wrote to memory of 3160	3172	Explorer.EXE	cmd.exe
PID 3172 wrote to memory of 3160	3172	Explorer.EXE	cmd.exe
PID 3172 wrote to memory of 1888	3172	Explorer.EXE	cmd.exe
PID 3172 wrote to memory of 1888	3172	Explorer.EXE	cmd.exe
PID 3172 wrote to memory of 1888	3172	Explorer.EXE	cmd.exe
PID 3172 wrote to memory of 1888	3172	Explorer.EXE	cmd.exe
PID 3160 wrote to memory of 4348	3160	cmd.exe	PING.EXE
PID 3160 wrote to memory of 4348	3160	cmd.exe	PING.EXE
PID 3160 wrote to memory of 4348	3160	cmd.exe	PING.EXE
PID 3172 wrote to memory of 1888	3172	Explorer.EXE	cmd.exe
PID 3172 wrote to memory of 1888	3172	Explorer.EXE	cmd.exe
PID 3160 wrote to memory of 4348	3160	cmd.exe	PING.EXE
PID 3160 wrote to memory of 4348	3160	cmd.exe	PING.EXE

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:3764

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:888

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2676

C:\Users\Admin\AppData\Local\Temp\911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4.exe
"C:\Users\Admin\AppData\Local\Temp\911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 472
2⤵
- Program crash
PID:1116

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4036

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3172

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>W9do='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(W9do).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\5C68964F-0BE8-EE1D-7550-6F0279841356\\\MaskControl'));if(!window.flag)close()</script>"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name hqvfeu -value gp; new-alias -name vrhyovjlyc -value iex; vrhyovjlyc ([System.Text.Encoding]::ASCII.GetString((hqvfeu "HKCU:Software\AppDataLow\Software\Microsoft\5C68964F-0BE8-EE1D-7550-6F0279841356").PlaySystem))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pq5qxdjv\pq5qxdjv.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:4124

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7E91.tmp" "c:\Users\Admin\AppData\Local\Temp\pq5qxdjv\CSCE2C9F48778814E37BF5535BEFD7C35DB.TMP"
5⤵
PID:1804

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f4wlu05h\f4wlu05h.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:4712

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7F5C.tmp" "c:\Users\Admin\AppData\Local\Temp\f4wlu05h\CSC11DA4AB952FA4E1C86A1FCD5E511327.TMP"
5⤵
PID:3820

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3160

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:4348

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:1888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3800 -ip 3800
1⤵
PID:1296

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7E91.tmp
Filesize
1KB

MD5
c6d5e2fe152a82ffbc9b151a9de9e6b4

SHA1
1e65d34f8774e4b380e8b0f6d291733fe00cf6d8

SHA256
22a90547975d2a60c1e3a496178af4f1de4c49f0681d1c863bf51a3281dbb39f

SHA512
9ccaa7e5a5004ea6e209fc6845658865d09f6c91f4826cb4236809ffc46b3e14deba23c62374a02a78465c7118f62069c0558eb6dfbaa59e92a002ec73577906

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7F5C.tmp
Filesize
1KB

MD5
6e3db770eab323ecafacb117d0091c1f

SHA1
a73a64bbbc7718215f0f42c9f7931eb414473a05

SHA256
f904a1f639aa204b24c9ea528aa0a5255545366cf6a126f8bf58d61ae2b87947

SHA512
2ea7dee48735d21093713a68bc8fa51d6a599380f0878da344fcf2780b68d9a4ba11969b5c8a8af8ebc25bca60bf5bc1e797f54a11df5b4672701bb70fe3c58e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wezt511u.pcl.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4wlu05h\f4wlu05h.dll
Filesize
3KB

MD5
b08bd55cad90a736794bf4cc2b04a7fd

SHA1
6b0d33992b5519560105c08a7c323b3a402ab570

SHA256
e88bb302ae69e7fa5c7760eb735739fefdfc540790404ec3f0bde9e0008c24c3

SHA512
88d65b117025a706f39e9489571da2956dfeaecca9cafad0942c608a64e163cd2073bf98bfe448fea7fc6c7e7983413ed41251cda0645d740d17f6d76d12f9ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\pq5qxdjv\pq5qxdjv.dll
Filesize
3KB

MD5
65532c9c8a2e4ae6deb776f101b046ff

SHA1
8ca8f1680ddfa828e9030d84f90ee89ae725efd8

SHA256
94fc37d6d5393f7381f1fde2f3892d20ff7c51a9c02da53d998128cc7dff3c83

SHA512
88f66bdba3ca80892846b4c9e7dc15c4b13893eed6950807140c396d3f6f231e5b2ff83760f07806614bce1c6f6d209db5880f4e49f6ba6a0abce4bcec9f9e8d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f4wlu05h\CSC11DA4AB952FA4E1C86A1FCD5E511327.TMP
Filesize
652B

MD5
acfbbf0fed0645a430a808b006a7d261

SHA1
12200321e40eda2bdd7750594e566bd63eb5fe94

SHA256
789144a1f747570fd64865cb80049fcfb4bd9bddb56dd381db890ee86e08e4d3

SHA512
ee9bdf2728e549ce2e443a2878814ecfb9dd275b516913f174a0da6b8f53627e7b1c70b056780467f0d93a7b29f3986c5b2c210cf8ac0f292d4dd8cbeabe78a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f4wlu05h\f4wlu05h.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f4wlu05h\f4wlu05h.cmdline
Filesize
369B

MD5
80f60c55d7592ffcd33f808553f49ea3

SHA1
87b60c379c4c57c6dd17b3300c80ee809a48c070

SHA256
ca0a227aee6e13e21e1c2fb0b16585201af95712aa04335af769a21713842e8c

SHA512
d2b8c42ca89f9ae907814947e867775f0574b76883c37d25f855cc6f4fe686cbcc5461b0ef4a2e0e12f38801dfdacee75550f9b4f0354f768f254be0975af457

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pq5qxdjv\CSCE2C9F48778814E37BF5535BEFD7C35DB.TMP
Filesize
652B

MD5
a6d15815de0e4e842e7913347d392f8a

SHA1
2c019e85e74097e9903eb2a7e0e95258b936085b

SHA256
75dbb0280e6da47d1e2acd5e6d447b6b9378e67c66b5f6bbf1fc1cce492f514f

SHA512
ce9318a34d011e5f90a99030a0dd71cffce34589c88c38847933a63fa0771cbfe1ffe0f2c4764fd9e918486cb2cccf03b0f34956cb576027791d907d526917c6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pq5qxdjv\pq5qxdjv.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pq5qxdjv\pq5qxdjv.cmdline
Filesize
369B

MD5
5a97c8a3552f9c784c816e3f0842ff7a

SHA1
00a422b59cca2cd28047037572588b4dab253d7a

SHA256
ea95f1800f47d905f18f40b0ebb10426a7bf7ad9810539a78957b23110cf42c0

SHA512
33bf96b28e857819e6fadaf1cf2282c3545a0d1e014093b458bca0e4ece921c13b0a190e6dbd763932c4e561152e5a8b2acffab0545e516e20db85ac77112a6d

Download Submit
memory/888-94-0x000001A538860000-0x000001A538861000-memory.dmp

Filesize
4KB

Download
memory/888-93-0x000001A538C00000-0x000001A538CA4000-memory.dmp

Filesize
656KB

Download
memory/888-104-0x000001A538C00000-0x000001A538CA4000-memory.dmp

Filesize
656KB

Download
memory/1556-62-0x0000029D7BCB0000-0x0000029D7BCC0000-memory.dmp

Filesize
64KB

Download
memory/1556-73-0x0000029D7C040000-0x0000029D7C07D000-memory.dmp

Filesize
244KB

Download
memory/1556-26-0x0000029D7BCB0000-0x0000029D7BCC0000-memory.dmp

Filesize
64KB

Download
memory/1556-24-0x0000029D7BCB0000-0x0000029D7BCC0000-memory.dmp

Filesize
64KB

Download
memory/1556-40-0x0000029D7C010000-0x0000029D7C018000-memory.dmp

Filesize
32KB

Download
memory/1556-23-0x00007FFA8C0E0000-0x00007FFA8CBA1000-memory.dmp

Filesize
10.8MB

Download
memory/1556-22-0x0000029D7BDC0000-0x0000029D7BDE2000-memory.dmp

Filesize
136KB

Download
memory/1556-25-0x0000029D7BCB0000-0x0000029D7BCC0000-memory.dmp

Filesize
64KB

Download
memory/1556-72-0x00007FFA8C0E0000-0x00007FFA8CBA1000-memory.dmp

Filesize
10.8MB

Download
memory/1556-54-0x0000029D7C030000-0x0000029D7C038000-memory.dmp

Filesize
32KB

Download
memory/1556-65-0x0000029D7BCB0000-0x0000029D7BCC0000-memory.dmp

Filesize
64KB

Download
memory/1556-56-0x00007FFA8C0E0000-0x00007FFA8CBA1000-memory.dmp

Filesize
10.8MB

Download
memory/1556-57-0x0000029D7C040000-0x0000029D7C07D000-memory.dmp

Filesize
244KB

Download
memory/1556-60-0x0000029D7BCB0000-0x0000029D7BCC0000-memory.dmp

Filesize
64KB

Download
memory/1888-111-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download
memory/1888-119-0x0000000001470000-0x0000000001508000-memory.dmp

Filesize
608KB

Download
memory/1888-107-0x0000000001470000-0x0000000001508000-memory.dmp

Filesize
608KB

Download
memory/2676-122-0x0000027E82190000-0x0000027E82234000-memory.dmp

Filesize
656KB

Download
memory/2676-87-0x0000027E82190000-0x0000027E82234000-memory.dmp

Filesize
656KB

Download
memory/2676-88-0x0000027E7FF90000-0x0000027E7FF91000-memory.dmp

Filesize
4KB

Download
memory/3160-101-0x000002A429010000-0x000002A429011000-memory.dmp

Filesize
4KB

Download
memory/3160-125-0x000002A429170000-0x000002A429214000-memory.dmp

Filesize
656KB

Download
memory/3160-99-0x000002A429170000-0x000002A429214000-memory.dmp

Filesize
656KB

Download
memory/3172-63-0x0000000001050000-0x0000000001051000-memory.dmp

Filesize
4KB

Download
memory/3172-59-0x0000000008EE0000-0x0000000008F84000-memory.dmp

Filesize
656KB

Download
memory/3172-100-0x0000000008EE0000-0x0000000008F84000-memory.dmp

Filesize
656KB

Download
memory/3764-76-0x0000016BF3AC0000-0x0000016BF3AC1000-memory.dmp

Filesize
4KB

Download
memory/3764-108-0x0000016BF3C40000-0x0000016BF3CE4000-memory.dmp

Filesize
656KB

Download
memory/3764-75-0x0000016BF3C40000-0x0000016BF3CE4000-memory.dmp

Filesize
656KB

Download
memory/3800-121-0x0000000000400000-0x000000000228B000-memory.dmp

Filesize
30.5MB

Download
memory/3800-3-0x0000000000400000-0x000000000228B000-memory.dmp

Filesize
30.5MB

Download
memory/3800-2-0x0000000002430000-0x000000000243B000-memory.dmp

Filesize
44KB

Download
memory/3800-9-0x0000000002430000-0x000000000243B000-memory.dmp

Filesize
44KB

Download
memory/3800-4-0x0000000004150000-0x000000000415D000-memory.dmp

Filesize
52KB

Download
memory/3800-1-0x0000000002560000-0x0000000002660000-memory.dmp

Filesize
1024KB

Download
memory/3800-8-0x0000000002560000-0x0000000002660000-memory.dmp

Filesize
1024KB

Download
memory/3800-7-0x0000000000400000-0x000000000228B000-memory.dmp

Filesize
30.5MB

Download
memory/4036-120-0x000001BF3AB20000-0x000001BF3ABC4000-memory.dmp

Filesize
656KB

Download
memory/4036-81-0x000001BF3AB20000-0x000001BF3ABC4000-memory.dmp

Filesize
656KB

Download
memory/4036-82-0x000001BF387C0000-0x000001BF387C1000-memory.dmp

Filesize
4KB

Download
memory/4348-116-0x00000266ADD60000-0x00000266ADD61000-memory.dmp

Filesize
4KB

Download
memory/4348-114-0x00000266ADE80000-0x00000266ADF24000-memory.dmp

Filesize
656KB

Download
memory/4348-124-0x00000266ADE80000-0x00000266ADF24000-memory.dmp

Filesize
656KB

Download