gozi | bf237f642cd049be1e0be68de0f3bd6ed97be7d05059fb2825f94fd0a5afebfd

Analysis

max time kernel
157s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 05:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf237f642cd049be1e0be68de0f3bd6ed97be7d05059fb2825f94fd0a5afebfd_JC.exe
Size

422KB
MD5

c788f8e7a2d0311297bd198ca9d05ec8
SHA1

64240992ba99ae27b0bb4fe277a95524a4b139db
SHA256

bf237f642cd049be1e0be68de0f3bd6ed97be7d05059fb2825f94fd0a5afebfd
SHA512

2295c28aa11e3c1ea09f0ba790ea1e8322b3c996f4f27bf0aec9edf0997329ea8d13b98417e856f7bd922f4a0d9ef786117b8354a04b752d53e6b53733db4f5d
SSDEEP

6144:eH0vsBFRMXdX0tn7qnmUVR9g0pHii2B8mG+R2FLxgwExgw:eH0v4FRyX0tnWnN9pHiN4+R2NxEx

Score

10^/10

gozi 5050 banker dave isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

netsecurez.com

whofoxy.com

mimemoa.com

ntcgo.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

fotexion.com

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

Processes:

resource	yara_rule
behavioral2/memory/4400-1-0x0000000001210000-0x000000000121C000-memory.dmp	dave

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mshta.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation mshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 9 IoCs

Processes:

bf237f642cd049be1e0be68de0f3bd6ed97be7d05059fb2825f94fd0a5afebfd_JC.execontrol.exeExplorer.EXEpowershell.exe

description	pid	process	target process
PID 4400 set thread context of 5016	4400	bf237f642cd049be1e0be68de0f3bd6ed97be7d05059fb2825f94fd0a5afebfd_JC.exe	control.exe
PID 5016 set thread context of 3160	5016	control.exe	Explorer.EXE
PID 3160 set thread context of 3660	3160	Explorer.EXE	RuntimeBroker.exe
PID 5016 set thread context of 4996	5016	control.exe	rundll32.exe
PID 3160 set thread context of 3904	3160	Explorer.EXE	RuntimeBroker.exe
PID 3160 set thread context of 4760	3160	Explorer.EXE	RuntimeBroker.exe
PID 3160 set thread context of 3524	3160	Explorer.EXE	RuntimeBroker.exe
PID 3160 set thread context of 4980	3160	Explorer.EXE	cmd.exe
PID 456 set thread context of 3160	456	powershell.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bf237f642cd049be1e0be68de0f3bd6ed97be7d05059fb2825f94fd0a5afebfd_JC.exepowershell.exeExplorer.EXE

pid	process
4400	bf237f642cd049be1e0be68de0f3bd6ed97be7d05059fb2825f94fd0a5afebfd_JC.exe
4400	bf237f642cd049be1e0be68de0f3bd6ed97be7d05059fb2825f94fd0a5afebfd_JC.exe
456	powershell.exe
456	powershell.exe
456	powershell.exe
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE

Suspicious behavior: MapViewOfSection 9 IoCs

Processes:

bf237f642cd049be1e0be68de0f3bd6ed97be7d05059fb2825f94fd0a5afebfd_JC.execontrol.exeExplorer.EXEpowershell.exe

pid	process
4400	bf237f642cd049be1e0be68de0f3bd6ed97be7d05059fb2825f94fd0a5afebfd_JC.exe
5016	control.exe
3160	Explorer.EXE
5016	control.exe
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
456	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

powershell.exeExplorer.EXERuntimeBroker.exe

description	pid	process
Token: SeDebugPrivilege	456	powershell.exe
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3660	RuntimeBroker.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3160 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3160 Explorer.EXE

pid	process
3160	Explorer.EXE

pid	process
3160	Explorer.EXE

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

mshta.exebf237f642cd049be1e0be68de0f3bd6ed97be7d05059fb2825f94fd0a5afebfd_JC.exepowershell.execsc.execsc.execontrol.exeExplorer.EXE

description	pid	process	target process
PID 4684 wrote to memory of 456	4684	mshta.exe	powershell.exe
PID 4684 wrote to memory of 456	4684	mshta.exe	powershell.exe
PID 4400 wrote to memory of 5016	4400	bf237f642cd049be1e0be68de0f3bd6ed97be7d05059fb2825f94fd0a5afebfd_JC.exe	control.exe
PID 4400 wrote to memory of 5016	4400	bf237f642cd049be1e0be68de0f3bd6ed97be7d05059fb2825f94fd0a5afebfd_JC.exe	control.exe
PID 4400 wrote to memory of 5016	4400	bf237f642cd049be1e0be68de0f3bd6ed97be7d05059fb2825f94fd0a5afebfd_JC.exe	control.exe
PID 4400 wrote to memory of 5016	4400	bf237f642cd049be1e0be68de0f3bd6ed97be7d05059fb2825f94fd0a5afebfd_JC.exe	control.exe
PID 4400 wrote to memory of 5016	4400	bf237f642cd049be1e0be68de0f3bd6ed97be7d05059fb2825f94fd0a5afebfd_JC.exe	control.exe
PID 456 wrote to memory of 568	456	powershell.exe	csc.exe
PID 456 wrote to memory of 568	456	powershell.exe	csc.exe
PID 568 wrote to memory of 5080	568	csc.exe	cvtres.exe
PID 568 wrote to memory of 5080	568	csc.exe	cvtres.exe
PID 456 wrote to memory of 1680	456	powershell.exe	csc.exe
PID 456 wrote to memory of 1680	456	powershell.exe	csc.exe
PID 1680 wrote to memory of 1360	1680	csc.exe	cvtres.exe
PID 1680 wrote to memory of 1360	1680	csc.exe	cvtres.exe
PID 5016 wrote to memory of 3160	5016	control.exe	Explorer.EXE
PID 5016 wrote to memory of 3160	5016	control.exe	Explorer.EXE
PID 5016 wrote to memory of 3160	5016	control.exe	Explorer.EXE
PID 5016 wrote to memory of 3160	5016	control.exe	Explorer.EXE
PID 3160 wrote to memory of 3660	3160	Explorer.EXE	RuntimeBroker.exe
PID 3160 wrote to memory of 3660	3160	Explorer.EXE	RuntimeBroker.exe
PID 5016 wrote to memory of 4996	5016	control.exe	rundll32.exe
PID 5016 wrote to memory of 4996	5016	control.exe	rundll32.exe
PID 5016 wrote to memory of 4996	5016	control.exe	rundll32.exe
PID 3160 wrote to memory of 3660	3160	Explorer.EXE	RuntimeBroker.exe
PID 3160 wrote to memory of 3660	3160	Explorer.EXE	RuntimeBroker.exe
PID 3160 wrote to memory of 3904	3160	Explorer.EXE	RuntimeBroker.exe
PID 3160 wrote to memory of 3904	3160	Explorer.EXE	RuntimeBroker.exe
PID 5016 wrote to memory of 4996	5016	control.exe	rundll32.exe
PID 5016 wrote to memory of 4996	5016	control.exe	rundll32.exe
PID 3160 wrote to memory of 3904	3160	Explorer.EXE	RuntimeBroker.exe
PID 3160 wrote to memory of 3904	3160	Explorer.EXE	RuntimeBroker.exe
PID 3160 wrote to memory of 4760	3160	Explorer.EXE	RuntimeBroker.exe
PID 3160 wrote to memory of 4760	3160	Explorer.EXE	RuntimeBroker.exe
PID 3160 wrote to memory of 4760	3160	Explorer.EXE	RuntimeBroker.exe
PID 3160 wrote to memory of 4760	3160	Explorer.EXE	RuntimeBroker.exe
PID 3160 wrote to memory of 3524	3160	Explorer.EXE	RuntimeBroker.exe
PID 3160 wrote to memory of 3524	3160	Explorer.EXE	RuntimeBroker.exe
PID 3160 wrote to memory of 3524	3160	Explorer.EXE	RuntimeBroker.exe
PID 3160 wrote to memory of 3524	3160	Explorer.EXE	RuntimeBroker.exe
PID 3160 wrote to memory of 4980	3160	Explorer.EXE	cmd.exe
PID 3160 wrote to memory of 4980	3160	Explorer.EXE	cmd.exe
PID 3160 wrote to memory of 4980	3160	Explorer.EXE	cmd.exe
PID 3160 wrote to memory of 4980	3160	Explorer.EXE	cmd.exe
PID 3160 wrote to memory of 4980	3160	Explorer.EXE	cmd.exe
PID 3160 wrote to memory of 4980	3160	Explorer.EXE	cmd.exe
PID 456 wrote to memory of 3160	456	powershell.exe	Explorer.EXE
PID 456 wrote to memory of 3160	456	powershell.exe	Explorer.EXE
PID 456 wrote to memory of 3160	456	powershell.exe	Explorer.EXE
PID 456 wrote to memory of 3160	456	powershell.exe	Explorer.EXE

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3660

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4760

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3904

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3160

C:\Users\Admin\AppData\Local\Temp\bf237f642cd049be1e0be68de0f3bd6ed97be7d05059fb2825f94fd0a5afebfd_JC.exe
"C:\Users\Admin\AppData\Local\Temp\bf237f642cd049be1e0be68de0f3bd6ed97be7d05059fb2825f94fd0a5afebfd_JC.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4400

C:\Windows\system32\control.exe
C:\Windows\system32\control.exe -h
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5016

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
4⤵
PID:4996

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>P8qm='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(P8qm).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\2B8EB0FA-8E4D-9577-F08F-A2992433F6DD\\\LinkActive'));if(!window.flag)close()</script>"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name tobirikjlw -value gp; new-alias -name bcfmyhx -value iex; bcfmyhx ([System.Text.Encoding]::ASCII.GetString((tobirikjlw "HKCU:Software\AppDataLow\Software\Microsoft\2B8EB0FA-8E4D-9577-F08F-A2992433F6DD").PlayPlay))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:456

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fgjaibby\fgjaibby.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6C7C.tmp" "c:\Users\Admin\AppData\Local\Temp\fgjaibby\CSC1189FC5924DF49E88BEBC6AC36569D13.TMP"
5⤵
PID:5080

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5c5secgh\5c5secgh.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6D47.tmp" "c:\Users\Admin\AppData\Local\Temp\5c5secgh\CSC9D9ADB6485B5471D841058174FCA89.TMP"
5⤵
PID:1360

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:4980

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5c5secgh\5c5secgh.dll
Filesize
3KB

MD5
a8108942b4fc1bfea4e7cf5f4a3d3fea

SHA1
e850a90c57c2b8391bcbd14c9c29ba688572f7bf

SHA256
c1dbd294fa135fa23f4a6de8725a5e29955245220e3f0e3055c1beacd242c697

SHA512
694059e811134ced3a073a1bb4e05618a090a924b88ee2448ccee0c33a1884eca400bd0f89aeb873caeb9725ac70b5b68d3d6e5a231d2b52c63a60c1b084ad5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6C7C.tmp
Filesize
1KB

MD5
e7b7d243da636cb8dc207a25bb27c0be

SHA1
a5ad7c8bf4381658c6e44938b059e7c1c659cd43

SHA256
8746fcd6a139e20f5569620abb35833ca9700ea8b81d810b86fe82b943bccd06

SHA512
6c51da4d4a544216e79ac87e1ce0cb5c7972cd39f00c41b075af87eafbc678344233b263cf410f00d4bd0ee80f49019b44d27c2b11f3027e9265a9743f700684

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6D47.tmp
Filesize
1KB

MD5
692ef9dbdd149ef183190e643aefda6f

SHA1
0433edb3b8997af0357a32b07fd44ea59d3c57ee

SHA256
034fdff5f96bdda0de5f9a26843ed608af71fb221a9ea46050b33ad180734b23

SHA512
e4ffb70f5c18c1ef95556c7ce301a88471fe21ca976b098c0171bf4aba84e8d23975dfa5d7a72a399f55e6b0a6aa7a1d32549447d321195f8adbc1e355f2f051

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sjwkbquo.ne0.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fgjaibby\fgjaibby.dll
Filesize
3KB

MD5
795e7b06fd6d79bd9649ac6b4c41515d

SHA1
d4251f33dc76f4c9fa347667b7f5f7ee8728602a

SHA256
1697c93dc67bd036bc6176d20160b5a62d58fd52ba2e2a27cb29ecb265735cc9

SHA512
34f791e0a125d2f791be3a4ff683c70ac7836a7100f6497e585d4992ba0c18e2ad1d223fea21d9245c142c323b3fcdb0617ebd876eec2e27972b59760f5f1675

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5c5secgh\5c5secgh.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5c5secgh\5c5secgh.cmdline
Filesize
369B

MD5
8da7166be8343afe0aadd2066e829a78

SHA1
8a571e152b09338e904f3bdd9bb5e0b6b51fbc92

SHA256
ae6c35cbd2c50e494a19afc0c5db4f1856e38195a5bb993f0c55f3179ccd863d

SHA512
de497c42023aca71db0948612a215c4eb378b6b676009072de750d11d7e4d2120ecbcd94be987edb9c058aec04e3c2aaa797b733e797d146ebd0e809d0b79761

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5c5secgh\CSC9D9ADB6485B5471D841058174FCA89.TMP
Filesize
652B

MD5
0c0bb3fffb68ac3c1aef927f8ca4abad

SHA1
e23b9eeae0a021328caaec9078f1f77e17215ccc

SHA256
90b399b74ff6f1be2869767005b78b6ba016f445a535fef444ce959bf2d7d269

SHA512
7f30e9759ad472ae6329e03ff3b58575a1cda293511dfb893ed9e1ce6a1343ed8e91cb9b8efa9ebcb9532d276d9caa6725c226b69a5537eecaa88d2a19631fe9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fgjaibby\CSC1189FC5924DF49E88BEBC6AC36569D13.TMP
Filesize
652B

MD5
1a990e207a46d84eaa25ca0c0c79826d

SHA1
ebabb0312935c506f76b3338616576357908c58d

SHA256
b411b92ffd48858ed7e2758a4f04e3e6215a975159cb44468eec6ad7f87a0350

SHA512
df837832646841d464020b1ab272c5392c9d34ae7a7bbe99323df00028eac5caf0f4dc067c214a6fa40f03ab3a51b66b665847db48f18908e2e0500e90b19250

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fgjaibby\fgjaibby.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fgjaibby\fgjaibby.cmdline
Filesize
369B

MD5
7083c380b853643ab3beb2616d5d3b75

SHA1
0d1cdc57e5f37c62373524c575c828e43c31298d

SHA256
7a08f760ad279214cd320d0befa0feab255ec027f76988ad43f9e73945daa4b2

SHA512
79c910fdd4556a0b73fa18308899b21b545cad4e15bda2d37e761637bc9084c171a92c8e95a53012c81d0c8a50bfb4108c6414113ef292c520e8285f867f442d

Download Submit
memory/456-27-0x000001DF29CC0000-0x000001DF29CD0000-memory.dmp

Filesize
64KB

Download
memory/456-51-0x000001DF11730000-0x000001DF11738000-memory.dmp

Filesize
32KB

Download
memory/456-34-0x000001DF29CC0000-0x000001DF29CD0000-memory.dmp

Filesize
64KB

Download
memory/456-67-0x000001DF2A290000-0x000001DF2A2CD000-memory.dmp

Filesize
244KB

Download
memory/456-65-0x000001DF2A280000-0x000001DF2A288000-memory.dmp

Filesize
32KB

Download
memory/456-32-0x000001DF29CC0000-0x000001DF29CD0000-memory.dmp

Filesize
64KB

Download
memory/456-31-0x00007FFCB4A70000-0x00007FFCB5531000-memory.dmp

Filesize
10.8MB

Download
memory/456-28-0x000001DF29CC0000-0x000001DF29CD0000-memory.dmp

Filesize
64KB

Download
memory/456-26-0x000001DF29CC0000-0x000001DF29CD0000-memory.dmp

Filesize
64KB

Download
memory/456-33-0x000001DF29CC0000-0x000001DF29CD0000-memory.dmp

Filesize
64KB

Download
memory/456-108-0x000001DF2A290000-0x000001DF2A2CD000-memory.dmp

Filesize
244KB

Download
memory/456-25-0x00007FFCB4A70000-0x00007FFCB5531000-memory.dmp

Filesize
10.8MB

Download
memory/456-20-0x000001DF29D40000-0x000001DF29D62000-memory.dmp

Filesize
136KB

Download
memory/456-125-0x00007FFCB4A70000-0x00007FFCB5531000-memory.dmp

Filesize
10.8MB

Download
memory/456-126-0x000001DF2A290000-0x000001DF2A2CD000-memory.dmp

Filesize
244KB

Download
memory/3160-113-0x0000000008C50000-0x0000000008CF4000-memory.dmp

Filesize
656KB

Download
memory/3160-131-0x0000000008E00000-0x0000000008EA4000-memory.dmp

Filesize
656KB

Download
memory/3160-119-0x0000000008E00000-0x0000000008EA4000-memory.dmp

Filesize
656KB

Download
memory/3160-70-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/3160-69-0x0000000008C50000-0x0000000008CF4000-memory.dmp

Filesize
656KB

Download
memory/3524-105-0x00000209E2AB0000-0x00000209E2AB1000-memory.dmp

Filesize
4KB

Download
memory/3524-130-0x00000209E2A00000-0x00000209E2AA4000-memory.dmp

Filesize
656KB

Download
memory/3524-104-0x00000209E2A00000-0x00000209E2AA4000-memory.dmp

Filesize
656KB

Download
memory/3660-120-0x000001DDDD700000-0x000001DDDD7A4000-memory.dmp

Filesize
656KB

Download
memory/3660-81-0x000001DDDD370000-0x000001DDDD371000-memory.dmp

Filesize
4KB

Download
memory/3660-79-0x000001DDDD700000-0x000001DDDD7A4000-memory.dmp

Filesize
656KB

Download
memory/3904-88-0x000002624F940000-0x000002624F9E4000-memory.dmp

Filesize
656KB

Download
memory/3904-91-0x000002624F900000-0x000002624F901000-memory.dmp

Filesize
4KB

Download
memory/3904-128-0x000002624F940000-0x000002624F9E4000-memory.dmp

Filesize
656KB

Download
memory/4400-0-0x0000000001220000-0x000000000122F000-memory.dmp

Filesize
60KB

Download
memory/4400-5-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4400-11-0x0000000002F30000-0x0000000002F3D000-memory.dmp

Filesize
52KB

Download
memory/4400-1-0x0000000001210000-0x000000000121C000-memory.dmp

Filesize
48KB

Download
memory/4760-97-0x00000237E4B20000-0x00000237E4BC4000-memory.dmp

Filesize
656KB

Download
memory/4760-98-0x00000237E43C0000-0x00000237E43C1000-memory.dmp

Filesize
4KB

Download
memory/4760-129-0x00000237E4B20000-0x00000237E4BC4000-memory.dmp

Filesize
656KB

Download
memory/4980-115-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/4980-117-0x0000000000EF0000-0x0000000000F88000-memory.dmp

Filesize
608KB

Download
memory/4980-112-0x0000000000EF0000-0x0000000000F88000-memory.dmp

Filesize
608KB

Download
memory/4996-101-0x000001F3EF770000-0x000001F3EF814000-memory.dmp

Filesize
656KB

Download
memory/4996-82-0x000001F3EF770000-0x000001F3EF814000-memory.dmp

Filesize
656KB

Download
memory/4996-85-0x000001F3EF820000-0x000001F3EF821000-memory.dmp

Filesize
4KB

Download
memory/5016-36-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/5016-37-0x00000000006B0000-0x0000000000754000-memory.dmp

Filesize
656KB

Download
memory/5016-94-0x00000000006B0000-0x0000000000754000-memory.dmp

Filesize
656KB

Download