8929e52392631d5aed04f499097376fde4783688a6782b17f19ddcef3963cdc5

Analysis

max time kernel
129s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2023, 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GoSignDesktop/GoSignDesktop.exe
Size

86.3MB
MD5

5165a59860fd0137e84f58c42b4168af
SHA1

5f8abd504355e7abb93614d3673a34635dcd72bd
SHA256

c5adb93332d6d760ae6d3fee3ac0d70a09fe1394dfd764276b6277593c7f7aca
SHA512

1149f0cffd8b5aa8048851805c0b339f3ffadf5b7a642908856f0e1c8e6ef030cd180b731ba483998712b71c9bb344199d5776dfd96f825949cf2c44a155685a
SSDEEP

1572864:Tn7i6Z93NnUVY7lac4WVEp+3BAP85RRijYgjUxfUGFGnhamO4eD99Q4n3Jg:fi6ZheGapoi+Riq/Q2Jg

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	GoSignDesktop.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	GoSignDesktop.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Local\Temp\GoSignDesktop\GoSignDesktop.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GoSignDesktop\\GoSignDesktop.exe --start-tray"	GoSignDesktop.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\diker	GoSignDesktop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\diker\URL Protocol	GoSignDesktop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\diker\ = "URL:diker"	GoSignDesktop.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\diker\shell\open\command	GoSignDesktop.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\diker\shell	GoSignDesktop.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\diker\shell\open	GoSignDesktop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\diker\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\GoSignDesktop\\GoSignDesktop.exe\" \"%1\""	GoSignDesktop.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3452	GoSignDesktop.exe
3452	GoSignDesktop.exe
1660	GoSignDesktop.exe
1660	GoSignDesktop.exe
1660	GoSignDesktop.exe
1968	GoSignDesktop.exe
1968	GoSignDesktop.exe
1660	GoSignDesktop.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1660	GoSignDesktop.exe
1660	GoSignDesktop.exe
1660	GoSignDesktop.exe
1660	GoSignDesktop.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
1660	GoSignDesktop.exe
1660	GoSignDesktop.exe
1660	GoSignDesktop.exe
1660	GoSignDesktop.exe
1660	GoSignDesktop.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 1508	1660	GoSignDesktop.exe	90
PID 1660 wrote to memory of 1508	1660	GoSignDesktop.exe	90
PID 1660 wrote to memory of 1508	1660	GoSignDesktop.exe	90
PID 1508 wrote to memory of 4804	1508	rundll32.exe	91
PID 1508 wrote to memory of 4804	1508	rundll32.exe	91
PID 1660 wrote to memory of 3628	1660	GoSignDesktop.exe	96
PID 1660 wrote to memory of 3628	1660	GoSignDesktop.exe	96
PID 1660 wrote to memory of 3628	1660	GoSignDesktop.exe	96
PID 1660 wrote to memory of 3628	1660	GoSignDesktop.exe	96
PID 1660 wrote to memory of 3628	1660	GoSignDesktop.exe	96
PID 1660 wrote to memory of 3628	1660	GoSignDesktop.exe	96
PID 1660 wrote to memory of 3628	1660	GoSignDesktop.exe	96
PID 1660 wrote to memory of 3628	1660	GoSignDesktop.exe	96
PID 1660 wrote to memory of 3628	1660	GoSignDesktop.exe	96
PID 1660 wrote to memory of 3628	1660	GoSignDesktop.exe	96
PID 1660 wrote to memory of 3628	1660	GoSignDesktop.exe	96
PID 1660 wrote to memory of 3628	1660	GoSignDesktop.exe	96
PID 1660 wrote to memory of 3628	1660	GoSignDesktop.exe	96
PID 1660 wrote to memory of 3628	1660	GoSignDesktop.exe	96
PID 1660 wrote to memory of 3628	1660	GoSignDesktop.exe	96
PID 1660 wrote to memory of 3628	1660	GoSignDesktop.exe	96
PID 1660 wrote to memory of 3628	1660	GoSignDesktop.exe	96
PID 1660 wrote to memory of 3628	1660	GoSignDesktop.exe	96
PID 1660 wrote to memory of 3628	1660	GoSignDesktop.exe	96
PID 1660 wrote to memory of 3628	1660	GoSignDesktop.exe	96
PID 1660 wrote to memory of 3628	1660	GoSignDesktop.exe	96
PID 1660 wrote to memory of 3628	1660	GoSignDesktop.exe	96
PID 1660 wrote to memory of 3628	1660	GoSignDesktop.exe	96
PID 1660 wrote to memory of 3628	1660	GoSignDesktop.exe	96
PID 1660 wrote to memory of 3628	1660	GoSignDesktop.exe	96
PID 1660 wrote to memory of 3628	1660	GoSignDesktop.exe	96
PID 1660 wrote to memory of 3628	1660	GoSignDesktop.exe	96
PID 1660 wrote to memory of 3628	1660	GoSignDesktop.exe	96
PID 1660 wrote to memory of 3628	1660	GoSignDesktop.exe	96
PID 1660 wrote to memory of 3628	1660	GoSignDesktop.exe	96
PID 1660 wrote to memory of 3628	1660	GoSignDesktop.exe	96
PID 1660 wrote to memory of 3628	1660	GoSignDesktop.exe	96
PID 1660 wrote to memory of 3628	1660	GoSignDesktop.exe	96
PID 1660 wrote to memory of 3628	1660	GoSignDesktop.exe	96
PID 1660 wrote to memory of 3628	1660	GoSignDesktop.exe	96
PID 1660 wrote to memory of 3628	1660	GoSignDesktop.exe	96
PID 1660 wrote to memory of 3628	1660	GoSignDesktop.exe	96
PID 1660 wrote to memory of 3628	1660	GoSignDesktop.exe	96
PID 1660 wrote to memory of 3628	1660	GoSignDesktop.exe	96
PID 1660 wrote to memory of 3628	1660	GoSignDesktop.exe	96
PID 1660 wrote to memory of 3628	1660	GoSignDesktop.exe	96
PID 1660 wrote to memory of 3452	1660	GoSignDesktop.exe	97
PID 1660 wrote to memory of 3452	1660	GoSignDesktop.exe	97
PID 1660 wrote to memory of 3452	1660	GoSignDesktop.exe	97
PID 1660 wrote to memory of 1968	1660	GoSignDesktop.exe	98
PID 1660 wrote to memory of 1968	1660	GoSignDesktop.exe	98
PID 1660 wrote to memory of 1968	1660	GoSignDesktop.exe	98

C:\Users\Admin\AppData\Local\Temp\GoSignDesktop\GoSignDesktop.exe
"C:\Users\Admin\AppData\Local\Temp\GoSignDesktop\GoSignDesktop.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 service.log, #9
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\system32\rundll32.exe
    rundll32 service.log, #9
    3⤵
    PID:4804
- C:\Users\Admin\AppData\Local\Temp\GoSignDesktop\GoSignDesktop.exe
  "C:\Users\Admin\AppData\Local\Temp\GoSignDesktop\GoSignDesktop.exe" --type=gpu-process --field-trial-handle=2300,4012082595833092761,4934976756390425230,131072 --enable-features=WebComponentsV0Enabled --disable-features=SpareRendererForSitePerProcess --gpu-preferences=KAAAAAAAAADgAAAwAAAAAAAAYAAAAAAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --mojo-platform-channel-handle=2296 --ignored=" --type=renderer " /prefetch:2
  2⤵
  PID:3628
- C:\Users\Admin\AppData\Local\Temp\GoSignDesktop\GoSignDesktop.exe
  "C:\Users\Admin\AppData\Local\Temp\GoSignDesktop\GoSignDesktop.exe" --type=utility --field-trial-handle=2300,4012082595833092761,4934976756390425230,131072 --enable-features=WebComponentsV0Enabled --disable-features=SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --standard-schemes=file --secure-schemes=file --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --mojo-platform-channel-handle=2800 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3452
- C:\Users\Admin\AppData\Local\Temp\GoSignDesktop\GoSignDesktop.exe
  "C:\Users\Admin\AppData\Local\Temp\GoSignDesktop\GoSignDesktop.exe" --type=renderer --field-trial-handle=2300,4012082595833092761,4934976756390425230,131072 --enable-features=WebComponentsV0Enabled --disable-features=SpareRendererForSitePerProcess --lang=en-US --standard-schemes=file --secure-schemes=file --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --app-user-model-id="C:\Users\Admin\AppData\Local\Temp\GoSignDesktop\GoSignDesktop.exe" --app-path="C:\Users\Admin\AppData\Local\Temp\GoSignDesktop\resources\app.asar" --node-integration-in-worker --no-sandbox --no-zygote --preload="C:\Users\Admin\AppData\Local\Temp\GoSignDesktop\resources\app.asar\preload.js" --context-isolation --background-color=#fff --enable-websql --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3040 /prefetch:1
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  PID:1968

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.gosign\electron.log

Filesize
4KB

MD5
dc00e2a25e364c56f138adf29dc1edba

SHA1
99144bd00655d7495f8936e38d6f65e52b9cecea

SHA256
cc66688517d920635368ead9231e547f23759f8493f1e86889140dc73904a9b0

SHA512
ab179ae689c22a686c6eeea228d4f5c229f23410d512d830b3a798cdd415db9cd53d39d82508c3b6478a66083b234ad0843bc342d1ec436c6a04d04070ef6e65

Download Submit
C:\Users\Admin\.gosign\electron.log

Filesize
4KB

MD5
dc00e2a25e364c56f138adf29dc1edba

SHA1
99144bd00655d7495f8936e38d6f65e52b9cecea

SHA256
cc66688517d920635368ead9231e547f23759f8493f1e86889140dc73904a9b0

SHA512
ab179ae689c22a686c6eeea228d4f5c229f23410d512d830b3a798cdd415db9cd53d39d82508c3b6478a66083b234ad0843bc342d1ec436c6a04d04070ef6e65

Download Submit
C:\Users\Admin\.gosign\options.db

Filesize
53B

MD5
4c1c34ae1701c550772e3848f25dff60

SHA1
ce0de33508c49e8510b7a675b28030d9323f8c48

SHA256
21e2d7cf5529f63b93ccb9100a34e65bec0e4943d1fd7459e6af94c049db9624

SHA512
88fb2d74d3a675005bb1764e553b6658d318d174d84233595e127f31a5fd3612b1d67e587015931788624219a40f3099f4bb1f22da65cac56d8fd6e8656bcbeb

Download Submit
C:\Users\Admin\.gosign\options.db~

Filesize
68B

MD5
a7c3e36d41b860d1603788c369bfc12d

SHA1
1f34fea8b2b0197a7d298dad28c7530435430d82

SHA256
f503e0166409c904c7e56f9d3a9e68961d5a4af63ce94a064f9e49ed469182aa

SHA512
ed68560b5b505c8c441abcd55198b5909e0ad4e00707e74247ad00cddd4cdd971e8b299de8d181f4c38eb243881af8436b68bf7b6b70fc0e2d218d6df512d6a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\15a35f7e-1722-4b96-a376-999bb85b03d1.tmp.ico

Filesize
37KB

MD5
139c94e5b25cb451e2475a9a08340ea5

SHA1
fa43fd9f31b5095bf6ee4017700a9b1d91edcc7a

SHA256
2b09700ffc258f25f5d86208c4c302fbd92e3c391c9ecb421c866706bf917b3d

SHA512
71fe1221b91525ea10ec260b818135b3fcf772a2bf8eadb7327785f21a757add79a3d6be2e2060bd54de1cb2c6f00da61b0afa2e13f37397890ce9318307a398

Download Submit
C:\Users\Admin\AppData\Local\Temp\dik9DE5.tmp

Filesize
35B

MD5
5bba81d7a56d0d881a79fa2ce51e0c74

SHA1
585323c9e5d9a50b15177e0459580ca596b15555

SHA256
4d2467491af09bae9d914b82c96ff6185014630a9b9f24df6d9d5ae3357e50cb

SHA512
2ea4e8d4a133ee61f63108c3e8de94ddb3b0ec663de41b233f2ad5dcf56065cd4b38c4c348040dbb11325fa5ec41e348b49ca58b471da35b099a9a61979c65f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\dik9E14.tmp

Filesize
120B

MD5
62d54c6c99fdebb3860e84ab3030d20f

SHA1
0989f39251ab140a5d3c1009ed5d2cd834374609

SHA256
3fb4696a9deb6fc7df9ead48d4c99f8274827e35c1971256855707466d680e7a

SHA512
c8c96c5153a9d82ef5c8485098210f0e9e1ccfa67af7b9799b052f0abd5a1582d106c1670389ff49f48cd8af59c580d8e8c827a7c24ba922a9682bc4e480f935

Download Submit
C:\Users\Admin\AppData\Local\Temp\dik9E15.tmp

Filesize
113B

MD5
9917066b7445097317e981eae7e7b0ea

SHA1
9262b0f297a8659fa484db3a4f469e471cfa1b98

SHA256
91579a0a2f7678af9e7244ce98d2015d23f7b9a4cbf31e8565c8cd5d643f7b63

SHA512
74899753fc27c1f29d649d0db0945f7455b06d86a8f68fc3ce03686cb6d0a5b69ed2375aa5c7bf8b0a1ff9db457217500e037d6bca6eb7e7e6e780ff6836ffac

Download Submit
C:\Users\Admin\AppData\Local\Temp\dik9E2E.tmp

Filesize
227B

MD5
7707984ecbfe7fa66882c3168ab2e65b

SHA1
cd35b773d27fc641e7696985f5721098f8d24dd0

SHA256
24b2b6400a9ec210e1c8af0df8ae08ae272b7e1c3c7e829c37cfb374cabd547e

SHA512
a36d13c53fef0d14420616ef6b1c503782e598c29d4a89d739da2bf4df0ab247e3e689add6109ef23dac1c09f21ceeee5a383e038b483e735a90ff99b87d3263

Download Submit
C:\Users\Admin\AppData\Local\Temp\dik9E6F.tmp

Filesize
46B

MD5
8b4cd9f738da0e64d0ea57fcd689a72a

SHA1
29498b2d05d0282fe61ee8a8d99bca4032b7956d

SHA256
6604df1d79a5a2fa548ad1fc6d6cb76caad2b567342d5cd7851d45b50b6e304f

SHA512
04b693fd670377bf0b0d54f2fac968879ffc8ad2ae8b2d24f7345a3d3c0de030f725efa0c9be75b3e1046a7e72f14207f78ba3f199bec1f7312ee53b7d533760

Download Submit
C:\Users\Admin\AppData\Local\Temp\dik9E76.tmp

Filesize
17B

MD5
0e61bfa6fc2a8ff53d5cfb1b798435c2

SHA1
9a9605813029b7201279ab388c208506e601e88b

SHA256
1d521294cb781d6ba547d91796b29748551d8ec9fd56762604f2addf1dda00be

SHA512
a9cf7564a12d2d6fcc8e7e3363788223ba1c862ccbbf92b5de530ac43695105d8b243b9ede8d9fb226516f8def805ea33b5d373ac675231dc9e6ca55f58da5d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\dik9E7B.tmp

Filesize
44B

MD5
860bba0f2146a401d57cadc3c68f5119

SHA1
18f785319a82a7ecfd97940b8cd3cc347eb7dc72

SHA256
8967d0cb4768f67ee9b995cfe68fa2ff14385003ead0befa069dbc1651e24b90

SHA512
ba0fc99b6662456884bd89932cd9ef71f6f630261bc69f7090eafc4ddcad98ffb0cd1e70f5219945b0848a84346a153061cfce3765cb565fcd2a2947954fb9ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\dik9E8F.tmp

Filesize
1B

MD5
68b329da9893e34099c7d8ad5cb9c940

SHA1
adc83b19e793491b1c6ea0fd8b46cd9f32e592fc

SHA256
01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b

SHA512
be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

Download Submit
C:\Users\Admin\AppData\Local\Temp\dik9E95.tmp

Filesize
169B

MD5
cb191326162e4d03cf36f70d17fcfc52

SHA1
c91a5759b3ee243e7f3c9c36f2359ae1c28ff898

SHA256
5702b70463305739850a73ee325c02e25ac2e3c8d03559f090c241e17f8e1383

SHA512
8cb28d35f132ef5527e15efed5ac3b1f28dd97311b9c1d3402109f5daa924d4b02e661c86b88a306c9dfa665b0853e2421bc92728c40c3a0566c0dd611cd991e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dik9E96.tmp

Filesize
47B

MD5
77d91acfcaaf6959f86dcc9b8b2abce3

SHA1
bb5e4232dbfdfc8ce2a39cdc3de8a99ffbcd8d9d

SHA256
33c13a433993a2d447c766216e85e28e6630fcebcf6929af40c59051ce8527c8

SHA512
7eb0ab395fb2e9bd4092f7d9d0dd865d1b81f63a0f4d8f16cd8a29ba838c259555418f8fd3928837847a2f72a99ed1cbbcfe96d6e3c45cb48b50fbdbc5cdc569

Download Submit
C:\Users\Admin\AppData\Local\Temp\dik9EB2.tmp

Filesize
78B

MD5
13d0c5bf8264491ad28f9b9805643894

SHA1
9980b5a6f009985a5dbaa1607b88eadaa6599676

SHA256
bb6dafd010cf2b71546525e3b03c2631abc316a0f04d482f3acb4908b62f8e95

SHA512
970a549836dff0118d9898702dc797b0c159c87de2271ae2026b4b87306a76628ae5b4282d657a02a23c7aa80149b7e5c5808e0579d46d7d0d213b21d07dbc83

Download Submit
C:\Users\Admin\AppData\Local\Temp\dik9ED9.tmp

Filesize
233B

MD5
09db3c8b7f76fd1aeab3e70ffca03ed4

SHA1
7ce322437b102478d7243396f67c31ef54094933

SHA256
ffa35859301ceb13c5b99a0b8dba79bf35de14992e205e8ae1ffe88a4ca44ec3

SHA512
ddd486c749f93f05f77affadb36c35267477a9a84f0c336344a9ba9bf5140e6740aee6828efadb8bdd34198197f0f22de3abc2cd6c4c850de1572e4f96b6c6ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\dik9EE3.tmp

Filesize
172B

MD5
f2db5eb540086e51a14927634615d308

SHA1
cd22e598c415875b1953bf9538b6ae6a196dfbb9

SHA256
e0785f86220d7ea90379762a20b87671a7e0a090d4972949779f25db4e7eb48b

SHA512
243f9a4731ae848ca88606977acc97f6384a06814a859e51883156e5d976aa7f1719d8cb02b46c49bee3d2a6309fc302a5f1199f0b561f860cbcbab45cec25aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\dik9F05.tmp

Filesize
172B

MD5
cb2347f4ef57cc707e173edc5a25939e

SHA1
b85df2ad9dab146d1a02cb257564888267c39f42

SHA256
0333036dc69890f43c4639574eeb82b853bb8d72490d113fc15999bf2fc96bd9

SHA512
a177a513e39f54030d9de0901cf8140557a879a8c48f1a956ffdb806cf0416d6762997646424aebc7647a383a5b9bc85e1e02c27fcc57c7cef9bf33dd9c86af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\dik9F46.tmp

Filesize
90B

MD5
568a093591315ee34504eb81b59431ae

SHA1
7744ac563a77731dc866019f831ebfd10f7525ec

SHA256
ad513728f7a2d2446fb42771f0e7764af8c8f8319418af1988977ba42eda04ee

SHA512
7cb9ceaad0ed0072dcadc3de96877082405697b9c756785df830b1d16663a33c0737a81e37ffdf5e5e788915bfd243cfbc7c921247558ca9a5cedcf6c9af4db6

Download Submit
C:\Users\Admin\AppData\Local\Temp\dik9F67.tmp

Filesize
86B

MD5
229e4eb0d56ceda77a58a6a62d7698ba

SHA1
90b2c5fd2fb6f7695fe56fd175461ce80b47a850

SHA256
8dda91cd8df1b99d6231d1819b8cbc06255a2add4af5fdde6c1085332f799127

SHA512
bacc1997e0a4b1dc418163774d96a1683f6d7e5989e4ae03f3cfb533f4b0f7e57a571a492716b9efec6a0926b4f491693cdf1c3f326f3406430005af2fcd4b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\dik9F7E.tmp

Filesize
13B

MD5
61a79b38c3f2a76211d22496f820a618

SHA1
cb321f35bc98fb9dda39a9f9d0f6fa0b6146071e

SHA256
a072757a0fa736ba325748ffffd20a8b11476f5c8bf523c15da64d35b86f1dce

SHA512
9dbaa661cea87ec4e78a9947ecc5291a0c337c6fe09220d6df92cc6273cc1deecfca9ed1429ff630016d8f57bda34eebb36e4a15c2165f59af79411a3449cdbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\dik9FA3.tmp

Filesize
13B

MD5
65504280a56433c075a6ac309a3203d5

SHA1
b650f985726ed5dabe7c5d45a423a6371cace4d5

SHA256
4922f000cb9876858a829c845120217ca06149f4697904d9620727b9450d2bfa

SHA512
62063e508ce75f2c9713a7cdb3b93ba0b2e795802600dca3727f629243225667cf359322d754893f2d7e77bf947c562adbed74767fee63b98e1dd1d6842b5a6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dik9FA8.tmp

Filesize
86B

MD5
9aa64e6831bed4f14499a55a36be3d7d

SHA1
a126884e9df707391ecdd41a7dc7f43913494fb8

SHA256
c239ebd79dd414ac5412e77b4012dda74580133bd8b47151240ffbad29fc1d51

SHA512
0c35cb4ab9e81876f1124edf3ac0df6d3399390ece90c1dbc9c3ad89db78e1ce70db5a0a02da81c9d6e7c9e935d14b7a3709836a249dada04c88beb41fb715f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\dik9FCA.tmp

Filesize
82B

MD5
5e7169f4c208b48927ef9a7d56e7c9be

SHA1
86d10dd9f35c6e518924cd230a2bbadf52eeaf54

SHA256
52eaa4717fe7c3891fc9bc4478c89cef67e2c152cfece3ee93894d226e1b17ca

SHA512
e4284ee7d3a978d78201c350517dcb690b6e09bbe746d042825f13c6b4380109bf1ba137f5dce7287377d671043ea2a0fd1ab4343c5c73aec192921ae5fe205b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dik9FDF.tmp

Filesize
99B

MD5
109032e9dedd465d0e50ce9d5e666099

SHA1
cb055b8f6aa4ca64ea118999482d64990a4efcbf

SHA256
55cf1a7a522c3a88b33d06c71d76db6d308f6438b418785e9251a128f023afc8

SHA512
8c54ed2fd0827f8734d0bb1633249d8025e9756fefe0c0f1830d1e02730090210b7dbb49c9da4101af2df7ada1c0246bb7cb7f8b55b7529e054359fb40926807

Download Submit
C:\Users\Admin\AppData\Local\Temp\dik9FF5.tmp

Filesize
119B

MD5
c42dee5efa2e40d60b2affa2e6489baf

SHA1
1e4c68695a51e853a9d2c9e940a279160a421a76

SHA256
4692eb772516f6fdc3c7af22997169ba7e42f3df96b1cb72f53a0dad5b5c7e33

SHA512
6ee8a3a277ba7a52a353120877802fb851b56578bc388b2c88aac7e4ae9180d834c71a47724889b9913906253f6be2913e7b9c247d1152bf4d250a521f1b4d3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dik9FFB.tmp

Filesize
123B

MD5
87884e6c2ce4d6f49af4352c78e8615b

SHA1
e46fb39ddbf9c0063918165f6eb964970562a0d8

SHA256
469525b0d37d30925b4f6582468b4ad8f74d51d433779f99dea32c1babd50bc9

SHA512
41fb9ca764d25b331136d1bf1b2cc8a6df770dc0739e882dd535225b4c4baad52fef452c3ba7f08ab71d240cf83f75849d56435c724e849f708e8753dd43fbd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\dikA001.tmp

Filesize
148B

MD5
448d3b8e316467231ec2a49fadfd335f

SHA1
f2a6c3cdf4ac93a6f1178ed04bc4a0a18bffa0e9

SHA256
1cd7f7702acdd91b5eb2ab485908f1afb6e2356724d3a994210219140996e7db

SHA512
280c2314fd164012360a3edebb9620536157bf06924824c5126e57c707e5e492abb4fe2ddd2aca756e625b9d2b2159c52825c8448e028369b825e5112745c1f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\dikA02C.tmp

Filesize
227B

MD5
5fdc7a1d5c67f390edb88b8199a92fa3

SHA1
9e1c78c76e3df1d07271e634fd694ebf66d86ee8

SHA256
87687d91dc725210f91a02fcbc3e9c0eb508c952e671cdbb7b5636cd0519bd4b

SHA512
971b12f17239942d60bf3d82e82e066a198bb3dd1b48d1a46b4af2d90be46608d962fcf257e7d4dfa2fe79db8e9f626850b39fe33762f1130b88935b1bdd289a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dikA032.tmp

Filesize
253B

MD5
7c3780b446261abac545cc66daf9b742

SHA1
8305f7b26ad45b8410f6e4130c6718b4014b4fdb

SHA256
6db51bf110b2a7a4452c173dfe623b2856ac5dfdb7c5fa848e9427b40b72ffff

SHA512
207fb0eb77611d09f3e450bc31e85ba67d66a657d8d87e6a5e3a7b4538dd352e16441515daa6cc81b5d41bc530079061eafdbf4f51b693f9849bcfcb86cb4e59

Download Submit
C:\Users\Admin\AppData\Local\Temp\dikA048.tmp

Filesize
145B

MD5
c6822cb3dba9a5b033168e797c601d05

SHA1
e88a30e030e235271366d4239273023920e4b688

SHA256
12d01531b327db77071b4d617acd0f87228879cfbc4e8f636c25ecf6a19ac74f

SHA512
2d22b2f5f902d4ee1b0abfbec1fd76caf34d2f5d779188c7428276fbab28d12fc3f37536b7bcfc2991e9950c4c75659e556ad7f95c1b6ba35e495e668c614a3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dikA04E.tmp

Filesize
162B

MD5
9a203dd1b88be8d7952a286af0bd8606

SHA1
c92d9c6042227a44bc58fa089afc4edda6a69401

SHA256
c0d8f1829f44f3a24cd31de879c6075d3fc17cbafa730141a3995fa8e3b72e99

SHA512
4ad41c036e2c9d3b98d7c0b0baf450eafa7dccbcb2fb9c90b57b8f7d163dc84721935416ab6504af5f658ea1e2ad7d77bf1b6faf627686257fc5af1fa024019e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dikA054.tmp

Filesize
80B

MD5
5bdfeaf9d5e1794aa7aacb8161ac55cb

SHA1
7448e6a6f086bffc1bbc76cb2a0a84e0cc894d98

SHA256
3331350482ce0b3a285746f2745a6515951651a79767232575ef60caafae7be4

SHA512
e3125e035ea7873d83a3f950d1fd8ad8229591c9979d240bca2e9f3ee62d4cb6462cc9c0de5d7b66c138d1a58d43039a44244d014fc9783a3371ead4898c812e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dikA098.tmp

Filesize
90B

MD5
a4b7f1fc82bb8f59b9db4cb154a037bb

SHA1
8cc97c780e3000e6d4266c4aeb8cdcb8ea293c44

SHA256
f927553e56a420ea74178760d3ef0fb9cb1ff4f931e6b6b9f5cd0532a48abb76

SHA512
8c8b5379e798fdf850f4afca8f17af1942f18ef87ade85a78150be552259123ab2c59926826ac89d6aee61313aa4d775048bcabb380c8f4c2f7936438180f04b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dikA0AE.tmp

Filesize
129B

MD5
d28a5d30fad01c776c00f163dfcff65e

SHA1
1d882bcb219f82ff5b9518565919604cbc546b66

SHA256
148729e5e83e0a209996f40494239473fdc898c43e0264ba250295d5d8727fc1

SHA512
81e5d3ea39191b17ad87a2196a30cda7d10d2ea26228f198a33d8a35645e3b4acb9518aa4465183b5377342f1b033b6d6e391a127e07d4dbba08b70adf46cbac

Download Submit
C:\Users\Admin\AppData\Roaming\GoSign Desktop\Cache\data_1

Filesize
264KB

MD5
d27297773eb251df30b5b12baa5ff9be

SHA1
9b33d538d1804feeb3e96fa779b3872c069b8857

SHA256
b4178bd00b89ef4a21a41d1c3496b860863f8e2071ace853a2006554389ba995

SHA512
b57b3dc2ca4a95a0217b19f39d1ba17d4e18e8172fe1424293b227e080b6c8389088c21068f00d48dc7f3f589f0456f59dbd13834096cd305e6574564350b97e

Download Submit
C:\Users\Admin\AppData\Roaming\GoSign Desktop\Cache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Roaming\GoSign Desktop\Cache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Roaming\GoSign Desktop\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\GoSign Desktop\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
memory/1660-0-0x000000000CA80000-0x000000000CAAC000-memory.dmp

Filesize
176KB

Download