88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6

Analysis

max time kernel
151s
max time network
137s
platform
windows7_x64
resource
win7v20201028
submitted
11-11-2020 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
Size

235KB
MD5

4337376d9ec4d6ed203a2b5cf5176e47
SHA1

e2d7ee39bfd8de8b6793b916543d9b7d4d0af43d
SHA256

88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6
SHA512

5bc818a8f46d46b30ac90833257ad65307a3adf2db8d6469bfb5e69d95498d3aaec1dca6b8bdaa9003bb49829d555d9a51eb308952849e2c9c35fe7d8a33e626

Score

8^/10

discovery persistence spyware

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ufaw.exe

pid process

1096 ufaw.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1464 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe

pid process

2028 88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1464	cmd.exe

pid	process
2028	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ufaw.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\Currentversion\Run	ufaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uhkyzua = "C:\\Users\\Admin\\AppData\\Roaming\\Gogas\\ufaw.exe"	ufaw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

Processes:

88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe

description	pid	process	target process
PID 2028 set thread context of 1464	2028	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Privacy	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\5F9D5855-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

ufaw.exe

pid	process
1096	ufaw.exe
1096	ufaw.exe
1096	ufaw.exe
1096	ufaw.exe
1096	ufaw.exe
1096	ufaw.exe
1096	ufaw.exe
1096	ufaw.exe
1096	ufaw.exe
1096	ufaw.exe
1096	ufaw.exe
1096	ufaw.exe
1096	ufaw.exe
1096	ufaw.exe
1096	ufaw.exe
1096	ufaw.exe
1096	ufaw.exe
1096	ufaw.exe
1096	ufaw.exe
1096	ufaw.exe
1096	ufaw.exe
1096	ufaw.exe
1096	ufaw.exe
1096	ufaw.exe
1096	ufaw.exe
1096	ufaw.exe
1096	ufaw.exe
1096	ufaw.exe
1096	ufaw.exe
1096	ufaw.exe
1096	ufaw.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exeWinMail.execmd.exeWinMail.exe

description	pid	process
Token: SeSecurityPrivilege	2028	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
Token: SeSecurityPrivilege	2028	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
Token: SeSecurityPrivilege	2028	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
Token: SeSecurityPrivilege	2028	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
Token: SeSecurityPrivilege	2028	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
Token: SeSecurityPrivilege	2028	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
Token: SeSecurityPrivilege	2028	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
Token: SeSecurityPrivilege	2028	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
Token: SeSecurityPrivilege	2028	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
Token: SeSecurityPrivilege	2028	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
Token: SeManageVolumePrivilege	552	WinMail.exe
Token: SeSecurityPrivilege	1464	cmd.exe
Token: SeSecurityPrivilege	1464	cmd.exe
Token: SeSecurityPrivilege	1464	cmd.exe
Token: SeSecurityPrivilege	1464	cmd.exe
Token: SeSecurityPrivilege	1464	cmd.exe
Token: SeSecurityPrivilege	1464	cmd.exe
Token: SeSecurityPrivilege	1464	cmd.exe
Token: SeManageVolumePrivilege	908	WinMail.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WinMail.exeWinMail.exe

pid process

552 WinMail.exe
908 WinMail.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

WinMail.exeWinMail.exe

pid process

552 WinMail.exe
908 WinMail.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WinMail.exeWinMail.exe

pid process

552 WinMail.exe
908 WinMail.exe

pid	process
552	WinMail.exe
908	WinMail.exe

pid	process
552	WinMail.exe
908	WinMail.exe

pid	process
552	WinMail.exe
908	WinMail.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exeufaw.exe

description	pid	process	target process
PID 2028 wrote to memory of 1680	2028	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe	splwow64.exe
PID 2028 wrote to memory of 1680	2028	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe	splwow64.exe
PID 2028 wrote to memory of 1680	2028	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe	splwow64.exe
PID 2028 wrote to memory of 1680	2028	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe	splwow64.exe
PID 2028 wrote to memory of 1096	2028	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe	ufaw.exe
PID 2028 wrote to memory of 1096	2028	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe	ufaw.exe
PID 2028 wrote to memory of 1096	2028	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe	ufaw.exe
PID 2028 wrote to memory of 1096	2028	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe	ufaw.exe
PID 1096 wrote to memory of 1140	1096	ufaw.exe	taskhost.exe
PID 1096 wrote to memory of 1140	1096	ufaw.exe	taskhost.exe
PID 1096 wrote to memory of 1140	1096	ufaw.exe	taskhost.exe
PID 1096 wrote to memory of 1140	1096	ufaw.exe	taskhost.exe
PID 1096 wrote to memory of 1140	1096	ufaw.exe	taskhost.exe
PID 1096 wrote to memory of 1200	1096	ufaw.exe	Dwm.exe
PID 1096 wrote to memory of 1200	1096	ufaw.exe	Dwm.exe
PID 1096 wrote to memory of 1200	1096	ufaw.exe	Dwm.exe
PID 1096 wrote to memory of 1200	1096	ufaw.exe	Dwm.exe
PID 1096 wrote to memory of 1200	1096	ufaw.exe	Dwm.exe
PID 1096 wrote to memory of 1268	1096	ufaw.exe	Explorer.EXE
PID 1096 wrote to memory of 1268	1096	ufaw.exe	Explorer.EXE
PID 1096 wrote to memory of 1268	1096	ufaw.exe	Explorer.EXE
PID 1096 wrote to memory of 1268	1096	ufaw.exe	Explorer.EXE
PID 1096 wrote to memory of 1268	1096	ufaw.exe	Explorer.EXE
PID 1096 wrote to memory of 2028	1096	ufaw.exe	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
PID 1096 wrote to memory of 2028	1096	ufaw.exe	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
PID 1096 wrote to memory of 2028	1096	ufaw.exe	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
PID 1096 wrote to memory of 2028	1096	ufaw.exe	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
PID 1096 wrote to memory of 2028	1096	ufaw.exe	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
PID 1096 wrote to memory of 1680	1096	ufaw.exe	splwow64.exe
PID 1096 wrote to memory of 1680	1096	ufaw.exe	splwow64.exe
PID 1096 wrote to memory of 1680	1096	ufaw.exe	splwow64.exe
PID 1096 wrote to memory of 1680	1096	ufaw.exe	splwow64.exe
PID 1096 wrote to memory of 1680	1096	ufaw.exe	splwow64.exe
PID 1096 wrote to memory of 552	1096	ufaw.exe	WinMail.exe
PID 1096 wrote to memory of 552	1096	ufaw.exe	WinMail.exe
PID 1096 wrote to memory of 552	1096	ufaw.exe	WinMail.exe
PID 1096 wrote to memory of 552	1096	ufaw.exe	WinMail.exe
PID 1096 wrote to memory of 552	1096	ufaw.exe	WinMail.exe
PID 2028 wrote to memory of 1464	2028	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe	cmd.exe
PID 2028 wrote to memory of 1464	2028	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe	cmd.exe
PID 2028 wrote to memory of 1464	2028	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe	cmd.exe
PID 2028 wrote to memory of 1464	2028	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe	cmd.exe
PID 2028 wrote to memory of 1464	2028	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe	cmd.exe
PID 2028 wrote to memory of 1464	2028	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe	cmd.exe
PID 2028 wrote to memory of 1464	2028	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe	cmd.exe
PID 2028 wrote to memory of 1464	2028	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe	cmd.exe
PID 2028 wrote to memory of 1464	2028	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe	cmd.exe
PID 1096 wrote to memory of 1604	1096	ufaw.exe	DllHost.exe
PID 1096 wrote to memory of 1604	1096	ufaw.exe	DllHost.exe
PID 1096 wrote to memory of 1604	1096	ufaw.exe	DllHost.exe
PID 1096 wrote to memory of 1604	1096	ufaw.exe	DllHost.exe
PID 1096 wrote to memory of 1604	1096	ufaw.exe	DllHost.exe
PID 1096 wrote to memory of 892	1096	ufaw.exe	DllHost.exe
PID 1096 wrote to memory of 892	1096	ufaw.exe	DllHost.exe
PID 1096 wrote to memory of 892	1096	ufaw.exe	DllHost.exe
PID 1096 wrote to memory of 892	1096	ufaw.exe	DllHost.exe
PID 1096 wrote to memory of 892	1096	ufaw.exe	DllHost.exe
PID 1096 wrote to memory of 240	1096	ufaw.exe	DllHost.exe
PID 1096 wrote to memory of 240	1096	ufaw.exe	DllHost.exe
PID 1096 wrote to memory of 240	1096	ufaw.exe	DllHost.exe
PID 1096 wrote to memory of 240	1096	ufaw.exe	DllHost.exe
PID 1096 wrote to memory of 240	1096	ufaw.exe	DllHost.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1140

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1200

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1268

C:\Users\Admin\AppData\Local\Temp\88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
"C:\Users\Admin\AppData\Local\Temp\88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:1680

C:\Users\Admin\AppData\Roaming\Gogas\ufaw.exe
"C:\Users\Admin\AppData\Roaming\Gogas\ufaw.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpadfa82e9.bat"
3⤵
- Deletes itself
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:552

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1604

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:908

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:892

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:240

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735
MD5
3cc0012f96f8f44164c18d7de05023d9

SHA1
c8feb560d751fe720c8bdb53f5e78aa92abb9a9e

SHA256
2654c273c211ae1afc60a7736153a853142e3db028417206948576d1d57bf5d5

SHA512
626746176663e2460b18f1eb245306107060c172c4e65ad710dd75ec0b348d8f000342c0dd2f7ea3bb2e0796f61e1ddd2cd77c312d6a177ff2e70a10b68cc6af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
7b0f1db8a891b738b3b245edc3243ef6

SHA1
cc8dc19bdadc5092ee7220103ac860e8a4c2802c

SHA256
a01aa503236c14f12088f414993e2ba959851074292e0c5ce22229cef395b047

SHA512
2941fd5c050a3d851ce06565c304302ed21350b877a6d4439a54d1cb20df1c93891851b7dcaa30571c32c33fdb01dd65e440f8353800815d1b13b080e7a46b19

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735
MD5
cc9a37d579c1ede16104b8245b663313

SHA1
048a6d78beef5f58737636d03319367a7fd24b9d

SHA256
65ccb0a40c32494dd03801a5d1cbd0ce27836147c70b4c3cbe74bdb2031d1795

SHA512
3f942b2653c22aab9d736be71d36ea38b7b08d81e2720334f64a722b8b1c22d76a5a458b8af42cc5f7f552bca692b7a0a070281c00f9b86ee4bd8db6fc3e1eed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore
MD5
bf6136ae6ba71d5008f2044e4c9a6f60

SHA1
77625f2171f55a47d08dbc173262a07b91bc3284

SHA256
3d3a6274eaec0e1bdc466fd8aa11ab2e67de20d7971fe463651bfb49cc940245

SHA512
fbfde9523acc74e7a7a13e4fe035a06db37e82fb707c66036f6efeae1601cfae8b6f9c472f6b5f8d8b36d27ed4f5df6dfa10e31d3ac584b33ebcf7f1f066b160

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.chk
MD5
14ff6dc646be1ebdcaffeedf202b09cb

SHA1
df54271bb3b70e7fb769291ca823ec7e6b1db3c2

SHA256
0ddd2c5936bd0017f340450b611c7da00e76c90a1facd64d22a965f76ba32f9f

SHA512
1ffcd008f7b0285e23582c9af29136a44a45d6e4484b574435d3ee5474b9df8d75195cf74701d735928fea5cfa33ec10c58906e5b6fe3a61179a581eb478e31f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log
MD5
1c156f2a04e419cab19001494294e90b

SHA1
4a909ec76541409705f82edb63358ad9f6a24f44

SHA256
2d5abed4fb82b5217eb446541065df86f6c4977310b973de407d3680a0612c15

SHA512
1978976c63a07fc9ebdd409f6dcad4c3da34fb91caf50114744d9ecbbcb1fcc05ace5410b25d949bfb454302807df6d65040a37df01f3faf166f5dca008efcf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpadfa82e9.bat
MD5
f7864e4cb3fb233044cdca56e6436168

SHA1
97973fe75d3bd5f88309a0bc52b40c094a811fc6

SHA256
2056e8f7b08fb06f67be3d761dbecbc5e217b52da97e3f2dff28361ff2b7e508

SHA512
152ed5cb24596ca8759115f6028d5969e428d795c5af663d89f82b9fdfe6a6ca9f4f9e400ecd7386310000c7df3046b48a3397c3c414b8c459a85e0ef0cdb865

Download Submit
C:\Users\Admin\AppData\Roaming\Gogas\ufaw.exe
MD5
4a7d6b7d91b38861373f3e5b1bce4333

SHA1
13eddc9f29b3fb2e421d2507fb11a1d2be2b9f55

SHA256
903ebde2851cad77f1c4c3c0c1e232d6d65e475055545a1e550b286ea6ec1674

SHA512
6f0af7e56c4dbf449b6216fae75a71e540d2bb8bc7f3ff38b51a341ab28399a2cb804a207607a4e00bd2c1b3b5f3b307ff40c5ba6746a1f4ca989dfe20428a8a

Download Submit
C:\Users\Admin\AppData\Roaming\Gogas\ufaw.exe
MD5
4a7d6b7d91b38861373f3e5b1bce4333

SHA1
13eddc9f29b3fb2e421d2507fb11a1d2be2b9f55

SHA256
903ebde2851cad77f1c4c3c0c1e232d6d65e475055545a1e550b286ea6ec1674

SHA512
6f0af7e56c4dbf449b6216fae75a71e540d2bb8bc7f3ff38b51a341ab28399a2cb804a207607a4e00bd2c1b3b5f3b307ff40c5ba6746a1f4ca989dfe20428a8a

Download Submit
C:\Users\Admin\AppData\Roaming\Yrih\ohut.goi
MD5
0f5c147c12fb9acd005416a0b65d366a

SHA1
05002cee53a5c22a19c0b2807d1c8e0d0054d06e

SHA256
d1ba8135bda184b9b29f1736be8733604da7a4a4dd9baf771375f2b04775f0e1

SHA512
8c3b0ca9c38e1d16e4cfc0dfc887aee6cd5b92ac3ae87348e8009ccb36185dd4dadf07ea5845f41c9154f313075742037cf155495477d814b6b8322a47206ec1

Download Submit
\Users\Admin\AppData\Roaming\Gogas\ufaw.exe
MD5
4a7d6b7d91b38861373f3e5b1bce4333

SHA1
13eddc9f29b3fb2e421d2507fb11a1d2be2b9f55

SHA256
903ebde2851cad77f1c4c3c0c1e232d6d65e475055545a1e550b286ea6ec1674

SHA512
6f0af7e56c4dbf449b6216fae75a71e540d2bb8bc7f3ff38b51a341ab28399a2cb804a207607a4e00bd2c1b3b5f3b307ff40c5ba6746a1f4ca989dfe20428a8a

Download Submit
memory/552-41-0x0000000004650000-0x0000000004652000-memory.dmp

Filesize
8KB

Download
memory/552-47-0x0000000003AE0000-0x0000000003AE2000-memory.dmp

Filesize
8KB

Download
memory/552-18-0x0000000003AE0000-0x0000000003AE2000-memory.dmp

Filesize
8KB

Download
memory/552-19-0x0000000003AD0000-0x0000000003AD2000-memory.dmp

Filesize
8KB

Download
memory/552-20-0x0000000003AF0000-0x0000000003AF2000-memory.dmp

Filesize
8KB

Download
memory/552-21-0x0000000003AF0000-0x0000000003AF2000-memory.dmp

Filesize
8KB

Download
memory/552-22-0x00000000040A0000-0x00000000040A2000-memory.dmp

Filesize
8KB

Download
memory/552-23-0x00000000040D0000-0x00000000040D2000-memory.dmp

Filesize
8KB

Download
memory/552-24-0x0000000003D60000-0x0000000003D62000-memory.dmp

Filesize
8KB

Download
memory/552-25-0x0000000003AF0000-0x0000000003AF2000-memory.dmp

Filesize
8KB

Download
memory/552-26-0x0000000003CD0000-0x0000000003CD2000-memory.dmp

Filesize
8KB

Download
memory/552-27-0x0000000003AF0000-0x0000000003AF2000-memory.dmp

Filesize
8KB

Download
memory/552-29-0x0000000003D80000-0x0000000003D82000-memory.dmp

Filesize
8KB

Download
memory/552-28-0x0000000003D10000-0x0000000003D12000-memory.dmp

Filesize
8KB

Download
memory/552-31-0x0000000004490000-0x0000000004492000-memory.dmp

Filesize
8KB

Download
memory/552-32-0x00000000044A0000-0x00000000044A2000-memory.dmp

Filesize
8KB

Download
memory/552-33-0x00000000044B0000-0x00000000044B2000-memory.dmp

Filesize
8KB

Download
memory/552-34-0x00000000056E0000-0x00000000056E2000-memory.dmp

Filesize
8KB

Download
memory/552-30-0x00000000042A0000-0x00000000042A2000-memory.dmp

Filesize
8KB

Download
memory/552-36-0x00000000056D0000-0x00000000056D2000-memory.dmp

Filesize
8KB

Download
memory/552-35-0x00000000044C0000-0x00000000044C2000-memory.dmp

Filesize
8KB

Download
memory/552-37-0x00000000044D0000-0x00000000044D2000-memory.dmp

Filesize
8KB

Download
memory/552-38-0x00000000056C0000-0x00000000056C2000-memory.dmp

Filesize
8KB

Download
memory/552-39-0x0000000004BF0000-0x0000000004BF2000-memory.dmp

Filesize
8KB

Download
memory/552-40-0x0000000004660000-0x0000000004662000-memory.dmp

Filesize
8KB

Download
memory/552-7-0x000007FEF6510000-0x000007FEF678A000-memory.dmp

Filesize
2.5MB

Download
memory/552-42-0x0000000004640000-0x0000000004642000-memory.dmp

Filesize
8KB

Download
memory/552-43-0x0000000004630000-0x0000000004632000-memory.dmp

Filesize
8KB

Download
memory/552-44-0x0000000004620000-0x0000000004622000-memory.dmp

Filesize
8KB

Download
memory/552-45-0x0000000004610000-0x0000000004612000-memory.dmp

Filesize
8KB

Download
memory/552-46-0x00000000044E0000-0x00000000044E2000-memory.dmp

Filesize
8KB

Download
memory/552-14-0x0000000003980000-0x0000000003A80000-memory.dmp

Filesize
1024KB

Download
memory/552-48-0x0000000003E50000-0x0000000003E52000-memory.dmp

Filesize
8KB

Download
memory/552-49-0x0000000004380000-0x0000000004382000-memory.dmp

Filesize
8KB

Download
memory/552-50-0x0000000004390000-0x0000000004392000-memory.dmp

Filesize
8KB

Download
memory/552-52-0x00000000043B0000-0x00000000043B2000-memory.dmp

Filesize
8KB

Download
memory/552-51-0x00000000043A0000-0x00000000043A2000-memory.dmp

Filesize
8KB

Download
memory/552-53-0x00000000043C0000-0x00000000043C2000-memory.dmp

Filesize
8KB

Download
memory/552-54-0x0000000003880000-0x0000000003A80000-memory.dmp

Filesize
2.0MB

Download
memory/552-55-0x0000000003980000-0x0000000003A80000-memory.dmp

Filesize
1024KB

Download
memory/552-56-0x0000000002140000-0x0000000002150000-memory.dmp

Filesize
64KB

Download
memory/552-8-0x0000000003880000-0x0000000003980000-memory.dmp

Filesize
1024KB

Download
memory/552-13-0x0000000003880000-0x0000000003A80000-memory.dmp

Filesize
2.0MB

Download
memory/552-10-0x0000000003880000-0x0000000003A80000-memory.dmp

Filesize
2.0MB

Download
memory/552-65-0x00000000020E0000-0x00000000020F0000-memory.dmp

Filesize
64KB

Download
memory/552-12-0x0000000003880000-0x0000000003980000-memory.dmp

Filesize
1024KB

Download
memory/908-90-0x0000000003EC0000-0x0000000003EC2000-memory.dmp

Filesize
8KB

Download
memory/908-73-0x000007FEF6510000-0x000007FEF678A000-memory.dmp

Filesize
2.5MB

Download
memory/908-95-0x0000000003950000-0x0000000003A50000-memory.dmp

Filesize
1024KB

Download
memory/908-94-0x0000000003850000-0x0000000003A50000-memory.dmp

Filesize
2.0MB

Download
memory/908-81-0x0000000003850000-0x0000000003950000-memory.dmp

Filesize
1024KB

Download
memory/908-82-0x0000000003850000-0x0000000003A50000-memory.dmp

Filesize
2.0MB

Download
memory/908-83-0x0000000003950000-0x0000000003A50000-memory.dmp

Filesize
1024KB

Download
memory/1096-2-0x0000000000000000-mapping.dmp

Download
memory/1464-61-0x00000000000BEA5B-mapping.dmp

Download
memory/1464-59-0x00000000000B0000-0x00000000000EB000-memory.dmp

Filesize
236KB

Download
memory/1464-72-0x0000000073F80000-0x0000000074123000-memory.dmp

Filesize
1.6MB

Download
memory/1604-71-0x000007FEF6510000-0x000007FEF678A000-memory.dmp

Filesize
2.5MB

Download
memory/1680-0-0x0000000000000000-mapping.dmp

Download
memory/2028-6-0x0000000073F70000-0x0000000074113000-memory.dmp

Filesize
1.6MB

Download
memory/2028-5-0x0000000000070000-0x00000000000AB000-memory.dmp

Filesize
236KB

Download