gozi | 40bbc905f9521a2892abf91df0ed1678caf43be3c05f2aaf4192707d84f94665

Analysis

max time kernel
185s
max time network
197s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
13-10-2023 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

url/sistema.url
Size

206B
MD5

8d42f868af378fdaaf0fe40c29e52bbc
SHA1

1429d147f20ffed0505a47bea4a614deeda3e60c
SHA256

aeea621a727c1236ef86287c0733a97346621dfc74dbba858710a258449c0619
SHA512

aa296bd043daead87bdb2a2f895c8490635e87cbdacee4c11cd26e78913955a434506a449d91ddc90cb3b640e2d006fc04b18070cb5418d24080d4df842ef10a

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

fotexion.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

fotexion.com

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

10 196 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

196 rundll32.exe

flow	pid	process
10	196	rundll32.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

rundll32.execontrol.exeExplorer.EXE

description	pid	process	target process
PID 196 set thread context of 2920	196	rundll32.exe	control.exe
PID 2920 set thread context of 3232	2920	control.exe	Explorer.EXE
PID 2920 set thread context of 4036	2920	control.exe	rundll32.exe
PID 3232 set thread context of 3804	3232	Explorer.EXE	RuntimeBroker.exe
PID 3232 set thread context of 1476	3232	Explorer.EXE	WinMail.exe
PID 3232 set thread context of 1016	3232	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exepowershell.exeExplorer.EXE

pid	process
196	rundll32.exe
196	rundll32.exe
1120	powershell.exe
1120	powershell.exe
1120	powershell.exe
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3232 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

rundll32.execontrol.exeExplorer.EXE

pid process

196 rundll32.exe
2920 control.exe
2920 control.exe
3232 Explorer.EXE
3232 Explorer.EXE
3232 Explorer.EXE

pid	process
3232	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

powershell.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1120	powershell.exe
Token: SeShutdownPrivilege	3232	Explorer.EXE
Token: SeCreatePagefilePrivilege	3232	Explorer.EXE
Token: SeShutdownPrivilege	3232	Explorer.EXE
Token: SeCreatePagefilePrivilege	3232	Explorer.EXE
Token: SeShutdownPrivilege	3232	Explorer.EXE
Token: SeCreatePagefilePrivilege	3232	Explorer.EXE
Token: SeShutdownPrivilege	3232	Explorer.EXE
Token: SeCreatePagefilePrivilege	3232	Explorer.EXE
Token: SeShutdownPrivilege	3232	Explorer.EXE
Token: SeCreatePagefilePrivilege	3232	Explorer.EXE
Token: SeShutdownPrivilege	3232	Explorer.EXE
Token: SeCreatePagefilePrivilege	3232	Explorer.EXE
Token: SeShutdownPrivilege	3232	Explorer.EXE
Token: SeCreatePagefilePrivilege	3232	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

2980 rundll32.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3232 Explorer.EXE

pid	process
2980	rundll32.exe

pid	process
3232	Explorer.EXE

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

rundll32.execontrol.exerundll32.exemshta.exerundll32.execontrol.exeExplorer.EXEpowershell.execsc.execsc.exe

description	pid	process	target process
PID 2980 wrote to memory of 5048	2980	rundll32.exe	control.exe
PID 2980 wrote to memory of 5048	2980	rundll32.exe	control.exe
PID 5048 wrote to memory of 208	5048	control.exe	rundll32.exe
PID 5048 wrote to memory of 208	5048	control.exe	rundll32.exe
PID 208 wrote to memory of 196	208	rundll32.exe	rundll32.exe
PID 208 wrote to memory of 196	208	rundll32.exe	rundll32.exe
PID 208 wrote to memory of 196	208	rundll32.exe	rundll32.exe
PID 2136 wrote to memory of 1120	2136	mshta.exe	powershell.exe
PID 2136 wrote to memory of 1120	2136	mshta.exe	powershell.exe
PID 196 wrote to memory of 2920	196	rundll32.exe	control.exe
PID 196 wrote to memory of 2920	196	rundll32.exe	control.exe
PID 196 wrote to memory of 2920	196	rundll32.exe	control.exe
PID 196 wrote to memory of 2920	196	rundll32.exe	control.exe
PID 196 wrote to memory of 2920	196	rundll32.exe	control.exe
PID 2920 wrote to memory of 3232	2920	control.exe	Explorer.EXE
PID 2920 wrote to memory of 3232	2920	control.exe	Explorer.EXE
PID 2920 wrote to memory of 3232	2920	control.exe	Explorer.EXE
PID 2920 wrote to memory of 3232	2920	control.exe	Explorer.EXE
PID 2920 wrote to memory of 4036	2920	control.exe	rundll32.exe
PID 2920 wrote to memory of 4036	2920	control.exe	rundll32.exe
PID 2920 wrote to memory of 4036	2920	control.exe	rundll32.exe
PID 3232 wrote to memory of 3804	3232	Explorer.EXE	RuntimeBroker.exe
PID 3232 wrote to memory of 3804	3232	Explorer.EXE	RuntimeBroker.exe
PID 2920 wrote to memory of 4036	2920	control.exe	rundll32.exe
PID 3232 wrote to memory of 3804	3232	Explorer.EXE	RuntimeBroker.exe
PID 2920 wrote to memory of 4036	2920	control.exe	rundll32.exe
PID 3232 wrote to memory of 3804	3232	Explorer.EXE	RuntimeBroker.exe
PID 3232 wrote to memory of 1476	3232	Explorer.EXE	WinMail.exe
PID 3232 wrote to memory of 1476	3232	Explorer.EXE	WinMail.exe
PID 3232 wrote to memory of 1476	3232	Explorer.EXE	WinMail.exe
PID 3232 wrote to memory of 1476	3232	Explorer.EXE	WinMail.exe
PID 3232 wrote to memory of 1476	3232	Explorer.EXE	WinMail.exe
PID 1120 wrote to memory of 3152	1120	powershell.exe	csc.exe
PID 1120 wrote to memory of 3152	1120	powershell.exe	csc.exe
PID 3232 wrote to memory of 1016	3232	Explorer.EXE	cmd.exe
PID 3232 wrote to memory of 1016	3232	Explorer.EXE	cmd.exe
PID 3232 wrote to memory of 1016	3232	Explorer.EXE	cmd.exe
PID 3232 wrote to memory of 1016	3232	Explorer.EXE	cmd.exe
PID 3232 wrote to memory of 1016	3232	Explorer.EXE	cmd.exe
PID 3232 wrote to memory of 1016	3232	Explorer.EXE	cmd.exe
PID 3152 wrote to memory of 4904	3152	csc.exe	cvtres.exe
PID 3152 wrote to memory of 4904	3152	csc.exe	cvtres.exe
PID 1120 wrote to memory of 632	1120	powershell.exe	csc.exe
PID 1120 wrote to memory of 632	1120	powershell.exe	csc.exe
PID 632 wrote to memory of 852	632	csc.exe	cvtres.exe
PID 632 wrote to memory of 852	632	csc.exe	cvtres.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3232
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\url\sistema.url
  2⤵
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\System32\control.exe
    "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DXFPCU0G\sistema[1].cpl",
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5048
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DXFPCU0G\sistema[1].cpl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:208
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DXFPCU0G\sistema[1].cpl",
        5⤵
        Blocklisted process makes network request
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:196
      - C:\Windows\system32\control.exe
        
        C:\Windows\system32\control.exe -h
        6⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
        7⤵
        
        PID:4036
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Vuxk='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Vuxk).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\7AF14A9C-91D2-BC6A-EB4E-55B04F6259E4\\\MaskStop'));if(!window.flag)close()</script>"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name qnggdlql -value gp; new-alias -name qqtdpyu -value iex; qqtdpyu ([System.Text.Encoding]::ASCII.GetString((qnggdlql "HKCU:Software\AppDataLow\Software\Microsoft\7AF14A9C-91D2-BC6A-EB4E-55B04F6259E4").AboutText))
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1120
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\h24qrlng\h24qrlng.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3152
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES54D8.tmp" "c:\Users\Admin\AppData\Local\Temp\h24qrlng\CSCC69E8AEA4B384E9B9AA914BAAC724E89.TMP"
        5⤵
        
        PID:4904
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ao3wnyw4\ao3wnyw4.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:632
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6488.tmp" "c:\Users\Admin\AppData\Local\Temp\ao3wnyw4\CSC870724895493413A9B4068D958A587C1.TMP"
        5⤵
        
        PID:852
- C:\Program Files\Windows Mail\WinMail.exe
  "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
  2⤵
  PID:1476
- C:\Windows\syswow64\cmd.exe
  "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
  2⤵
  PID:1016

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DXFPCU0G\sistema[1].cpl

Filesize
206KB

MD5
72e2a5c797954e895a41be5b20f867b2

SHA1
419aacfb3ccea9b08277bcc9405054fa4238a597

SHA256
858d867cc62c0bf13b16ccdb9f6cd6022d61fc2ab98a7db60806a35c7da9b2e0

SHA512
77be53cf579f69ee728fafbe93568b8d4c462490ba3fe053db367798508abb0d7a838731d17e465f0a29b982eb49e1227d94c971823e1d375b2b761887e107b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES54D8.tmp

Filesize
1KB

MD5
3255193caa0e9ff3a9340fcd03425862

SHA1
b260b00b4c4ed0ebea65633671b97106fbc59529

SHA256
512ee31b92a5717356dc03a82079a9f3542ba51cb5ed15d6a6c0928f710bf114

SHA512
5b8dff95e0c8d8e9828f908a5fc57214a4a561f7dc653185c1a254031207be0a1cc54e94174bce3f20bf01aa7b9aa582483cc085dace878d297d79a146097d00

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6488.tmp

Filesize
1KB

MD5
c8d98f7c3eb9cb834048d7e5a497216c

SHA1
43fef480f6a37b061c3b6e5f23d7289d6c25c2a1

SHA256
bd1a72b563096143f7ea1de3b25a61cffbd9c199894ad2c7ebd45888fe025ffd

SHA512
b3eea0eaa24c09434aacc7cd70f75217429f20d69f55dd4a6b4855344d8be6521c632585c83347d5d27e9f3d02fd40d2c122267b294ba591f7ccb94081ab0256

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2kr4qvzm.ujx.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ao3wnyw4\ao3wnyw4.dll

Filesize
3KB

MD5
26d26714ab5c2d1f9cb24a21daaf780b

SHA1
65ab3a8d0b9804b22945d82c6bac5ee7a329a0ed

SHA256
eebbfce05171c490e6573722c95714049c2abb801e0d0d70d2150aef7c1b2e76

SHA512
b70a6f849b9c1a84ba6012b964b7b1a23c9f7c073d6438565f4f0ceff93d605916db1232e79bb45df861fec4c1b7cc1aef0db656cde4ec442e2a362c95d951e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\h24qrlng\h24qrlng.dll

Filesize
3KB

MD5
de312e7a223542388068fce99b1ff9a8

SHA1
569cc71c507a830e19de84a03c8340586cf94505

SHA256
82f1854a14221c8f4a8d993e572013bf28240785dc1bb50918030fc961628ac6

SHA512
baaec3e4dbd8a3cf56a5b73ac7a6ef56eecefbb28982d8b3f2c7d5c71f6cd1778d292693595aa423e0309610ca4dd9510c43b867342a787c275e4f62b2965b90

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ao3wnyw4\CSC870724895493413A9B4068D958A587C1.TMP

Filesize
652B

MD5
4e625ebde4e951fa159e0fa8ddafe21f

SHA1
59072a3f60fbbe23733f0dcb9be54144a87a0e9b

SHA256
651226638c3e20f31bb6b34e6505807c67345bf077e9c1e8da51600d47b46577

SHA512
bb4d691dbb495f1e4b544055c8ec46c3564f48f0d1f886e0c02de7a2e31d18d8b39897e8cc57c05119c159117edd25bbdbaae52bb91a949a9be62a3f34be5079

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ao3wnyw4\ao3wnyw4.0.cs

Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ao3wnyw4\ao3wnyw4.cmdline

Filesize
369B

MD5
559a958225f500ab1fedddf6d1366b77

SHA1
4e06b2ab106bafe90a0ae29d05c903a8b776ac8b

SHA256
30e15dae7d4905d40b00296078fb07ab38ba4630ba0db396842704c2360ffc9e

SHA512
11b1208c6120118b1f608f26e49372bc83bcfa61b18d9714c15eb4ecdc1b4717673165e1dd03fd8dd2f07efb39c43ff5fe6bf11998cd4bd9999fe4925eb38d1b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\h24qrlng\CSCC69E8AEA4B384E9B9AA914BAAC724E89.TMP

Filesize
652B

MD5
88a29e86e1cbc4e797f0ed95aca276f0

SHA1
98aec487c7bb06a32419e6aeaacdf00d769dc4dc

SHA256
b254130dee92c6a3cc57b498e995b79b6017eafa30e5cec7a6a6ad3df9e5819b

SHA512
dddff1adc061033857529a45239430eed41969377a7fcfee86c1947c8630e61866c1688f2aafb7445f87331eaecfb7f1a6c1636efe882a8a21aeb202d5ebcb71

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\h24qrlng\h24qrlng.0.cs

Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\h24qrlng\h24qrlng.cmdline

Filesize
369B

MD5
2f649c188aac320dba0e978b34095d8c

SHA1
c2a07b3e57a52d4f668a40c4fb31e078c8ad5674

SHA256
783aa5ea280cc16d945ce6bde2171df2686b2193e2b15905a1835800654397f2

SHA512
a55fc5e096f0cc1dbd5f8fe0557ac594e4f4929507356099a853a307a20ac59be699cb4ca971d9e9243f7d0b35661fe491a5b943cffb2de2580e6fb1af4aa85c

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DXFPCU0G\sistema[1].cpl

Filesize
206KB

MD5
72e2a5c797954e895a41be5b20f867b2

SHA1
419aacfb3ccea9b08277bcc9405054fa4238a597

SHA256
858d867cc62c0bf13b16ccdb9f6cd6022d61fc2ab98a7db60806a35c7da9b2e0

SHA512
77be53cf579f69ee728fafbe93568b8d4c462490ba3fe053db367798508abb0d7a838731d17e465f0a29b982eb49e1227d94c971823e1d375b2b761887e107b3

Download Submit
memory/196-11-0x0000000001190000-0x000000000119E000-memory.dmp

Filesize
56KB

Download
memory/196-91-0x0000000001190000-0x000000000119E000-memory.dmp

Filesize
56KB

Download
memory/196-8-0x00000000012B0000-0x00000000012BD000-memory.dmp

Filesize
52KB

Download
memory/196-7-0x0000000001190000-0x000000000119E000-memory.dmp

Filesize
56KB

Download
memory/196-6-0x0000000000CD0000-0x0000000000CF9000-memory.dmp

Filesize
164KB

Download
memory/1016-120-0x0000000002950000-0x00000000029E8000-memory.dmp

Filesize
608KB

Download
memory/1016-114-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1016-113-0x0000000002950000-0x00000000029E8000-memory.dmp

Filesize
608KB

Download
memory/1120-36-0x00007FF9F52C0000-0x00007FF9F5CAC000-memory.dmp

Filesize
9.9MB

Download
memory/1120-38-0x000001665A1C0000-0x000001665A1D0000-memory.dmp

Filesize
64KB

Download
memory/1120-148-0x00007FF9F52C0000-0x00007FF9F5CAC000-memory.dmp

Filesize
9.9MB

Download
memory/1120-147-0x000001665A640000-0x000001665A67D000-memory.dmp

Filesize
244KB

Download
memory/1120-143-0x000001665A640000-0x000001665A67D000-memory.dmp

Filesize
244KB

Download
memory/1120-141-0x000001665A1C0000-0x000001665A1D0000-memory.dmp

Filesize
64KB

Download
memory/1120-139-0x000001665A4A0000-0x000001665A4A8000-memory.dmp

Filesize
32KB

Download
memory/1120-19-0x000001665A170000-0x000001665A192000-memory.dmp

Filesize
136KB

Download
memory/1120-20-0x00007FF9F52C0000-0x00007FF9F5CAC000-memory.dmp

Filesize
9.9MB

Download
memory/1120-21-0x000001665A1C0000-0x000001665A1D0000-memory.dmp

Filesize
64KB

Download
memory/1120-22-0x000001665A1C0000-0x000001665A1D0000-memory.dmp

Filesize
64KB

Download
memory/1120-25-0x000001665A4C0000-0x000001665A536000-memory.dmp

Filesize
472KB

Download
memory/1120-125-0x000001665A480000-0x000001665A488000-memory.dmp

Filesize
32KB

Download
memory/1120-37-0x000001665A1C0000-0x000001665A1D0000-memory.dmp

Filesize
64KB

Download
memory/1476-96-0x000002C9072E0000-0x000002C9072E1000-memory.dmp

Filesize
4KB

Download
memory/1476-102-0x000002C907520000-0x000002C9075C4000-memory.dmp

Filesize
656KB

Download
memory/1476-95-0x000002C907520000-0x000002C9075C4000-memory.dmp

Filesize
656KB

Download
memory/2920-50-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/2920-88-0x00000000004D0000-0x0000000000574000-memory.dmp

Filesize
656KB

Download
memory/2920-51-0x00000000004D0000-0x0000000000574000-memory.dmp

Filesize
656KB

Download
memory/3232-60-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/3232-89-0x0000000002C90000-0x0000000002D34000-memory.dmp

Filesize
656KB

Download
memory/3232-59-0x0000000002C90000-0x0000000002D34000-memory.dmp

Filesize
656KB

Download
memory/3804-73-0x0000015DB7C30000-0x0000015DB7CD4000-memory.dmp

Filesize
656KB

Download
memory/3804-75-0x0000015DB55F0000-0x0000015DB55F1000-memory.dmp

Filesize
4KB

Download
memory/3804-90-0x0000015DB7C30000-0x0000015DB7CD4000-memory.dmp

Filesize
656KB

Download
memory/4036-74-0x000001ECEB9A0000-0x000001ECEBA44000-memory.dmp

Filesize
656KB

Download
memory/4036-78-0x000001ECEB6E0000-0x000001ECEB6E1000-memory.dmp

Filesize
4KB

Download
memory/4036-87-0x000001ECEB9A0000-0x000001ECEBA44000-memory.dmp

Filesize
656KB

Download