gozi | 2adca18a6ba459e5325ce934d473c08a411ae5b8049ca4c37ea9b300553b1f40

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
06-10-2023 12:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

putty.exe
Size

293KB
MD5

01435632dca9afc151eec77862bfbc2b
SHA1

9bbb4ae83131fafcd14d580810b14f48d2d30837
SHA256

2adca18a6ba459e5325ce934d473c08a411ae5b8049ca4c37ea9b300553b1f40
SHA512

61e542b6413381f6c4d0f7e08154d7d6dbe44fe9879788b1b6a3d2b32c51ce93dc0a18ac5efb87a6a91292e95c97dd15eaf50c109f869f1acfee6087c10fd677
SSDEEP

3072:28g/bYYX0XH1anZAsaA6eRESzHxHH3zt8l7Mjd1i0ot:DyYa0XUZdaAnEqHxn3R82i0o

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

mifrutty.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

mifrutty.com

systemcheck.top

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mshta.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation mshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1968 set thread context of 2636	1968	powershell.exe	Explorer.EXE
PID 2636 set thread context of 3612	2636	Explorer.EXE	RuntimeBroker.exe
PID 2636 set thread context of 3932	2636	Explorer.EXE	RuntimeBroker.exe
PID 2636 set thread context of 4868	2636	Explorer.EXE	RuntimeBroker.exe
PID 2636 set thread context of 3876	2636	Explorer.EXE	RuntimeBroker.exe
PID 2636 set thread context of 3160	2636	Explorer.EXE	cmd.exe
PID 2636 set thread context of 2204	2636	Explorer.EXE	cmd.exe
PID 3160 set thread context of 3068	3160	cmd.exe	PING.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3964 3568 WerFault.exe putty.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3068 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

3068 PING.EXE

pid	pid_target	process	target process
3964	3568	WerFault.exe	putty.exe

pid	process
3068	PING.EXE

pid	process
3068	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

putty.exepowershell.exeExplorer.EXE

pid	process
3568	putty.exe
3568	putty.exe
1968	powershell.exe
1968	powershell.exe
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2636 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

1968 powershell.exe
2636 Explorer.EXE
2636 Explorer.EXE
2636 Explorer.EXE
2636 Explorer.EXE
2636 Explorer.EXE
2636 Explorer.EXE
3160 cmd.exe

pid	process
2636	Explorer.EXE

pid	process
1968	powershell.exe
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
3160	cmd.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

powershell.exeExplorer.EXERuntimeBroker.exe

description	pid	process
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeShutdownPrivilege	2636	Explorer.EXE
Token: SeCreatePagefilePrivilege	2636	Explorer.EXE
Token: SeShutdownPrivilege	2636	Explorer.EXE
Token: SeCreatePagefilePrivilege	2636	Explorer.EXE
Token: SeShutdownPrivilege	2636	Explorer.EXE
Token: SeCreatePagefilePrivilege	2636	Explorer.EXE
Token: SeShutdownPrivilege	2636	Explorer.EXE
Token: SeCreatePagefilePrivilege	2636	Explorer.EXE
Token: SeShutdownPrivilege	3612	RuntimeBroker.exe
Token: SeShutdownPrivilege	2636	Explorer.EXE
Token: SeCreatePagefilePrivilege	2636	Explorer.EXE
Token: SeShutdownPrivilege	2636	Explorer.EXE
Token: SeCreatePagefilePrivilege	2636	Explorer.EXE
Token: SeShutdownPrivilege	2636	Explorer.EXE
Token: SeCreatePagefilePrivilege	2636	Explorer.EXE
Token: SeShutdownPrivilege	2636	Explorer.EXE
Token: SeCreatePagefilePrivilege	2636	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

2636 Explorer.EXE
2636 Explorer.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

2636 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2636 Explorer.EXE

pid	process
2636	Explorer.EXE
2636	Explorer.EXE

pid	process
2636	Explorer.EXE

pid	process
2636	Explorer.EXE

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

mshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 5056 wrote to memory of 1968	5056	mshta.exe	powershell.exe
PID 5056 wrote to memory of 1968	5056	mshta.exe	powershell.exe
PID 1968 wrote to memory of 4524	1968	powershell.exe	csc.exe
PID 1968 wrote to memory of 4524	1968	powershell.exe	csc.exe
PID 4524 wrote to memory of 3564	4524	csc.exe	cvtres.exe
PID 4524 wrote to memory of 3564	4524	csc.exe	cvtres.exe
PID 1968 wrote to memory of 3304	1968	powershell.exe	csc.exe
PID 1968 wrote to memory of 3304	1968	powershell.exe	csc.exe
PID 3304 wrote to memory of 4552	3304	csc.exe	cvtres.exe
PID 3304 wrote to memory of 4552	3304	csc.exe	cvtres.exe
PID 1968 wrote to memory of 2636	1968	powershell.exe	Explorer.EXE
PID 1968 wrote to memory of 2636	1968	powershell.exe	Explorer.EXE
PID 1968 wrote to memory of 2636	1968	powershell.exe	Explorer.EXE
PID 1968 wrote to memory of 2636	1968	powershell.exe	Explorer.EXE
PID 2636 wrote to memory of 3612	2636	Explorer.EXE	RuntimeBroker.exe
PID 2636 wrote to memory of 3612	2636	Explorer.EXE	RuntimeBroker.exe
PID 2636 wrote to memory of 3612	2636	Explorer.EXE	RuntimeBroker.exe
PID 2636 wrote to memory of 3612	2636	Explorer.EXE	RuntimeBroker.exe
PID 2636 wrote to memory of 3932	2636	Explorer.EXE	RuntimeBroker.exe
PID 2636 wrote to memory of 3932	2636	Explorer.EXE	RuntimeBroker.exe
PID 2636 wrote to memory of 3932	2636	Explorer.EXE	RuntimeBroker.exe
PID 2636 wrote to memory of 3932	2636	Explorer.EXE	RuntimeBroker.exe
PID 2636 wrote to memory of 4868	2636	Explorer.EXE	RuntimeBroker.exe
PID 2636 wrote to memory of 4868	2636	Explorer.EXE	RuntimeBroker.exe
PID 2636 wrote to memory of 4868	2636	Explorer.EXE	RuntimeBroker.exe
PID 2636 wrote to memory of 4868	2636	Explorer.EXE	RuntimeBroker.exe
PID 2636 wrote to memory of 3876	2636	Explorer.EXE	RuntimeBroker.exe
PID 2636 wrote to memory of 3876	2636	Explorer.EXE	RuntimeBroker.exe
PID 2636 wrote to memory of 3876	2636	Explorer.EXE	RuntimeBroker.exe
PID 2636 wrote to memory of 3876	2636	Explorer.EXE	RuntimeBroker.exe
PID 2636 wrote to memory of 3160	2636	Explorer.EXE	cmd.exe
PID 2636 wrote to memory of 3160	2636	Explorer.EXE	cmd.exe
PID 2636 wrote to memory of 3160	2636	Explorer.EXE	cmd.exe
PID 2636 wrote to memory of 2204	2636	Explorer.EXE	cmd.exe
PID 2636 wrote to memory of 2204	2636	Explorer.EXE	cmd.exe
PID 2636 wrote to memory of 2204	2636	Explorer.EXE	cmd.exe
PID 2636 wrote to memory of 2204	2636	Explorer.EXE	cmd.exe
PID 2636 wrote to memory of 3160	2636	Explorer.EXE	cmd.exe
PID 2636 wrote to memory of 3160	2636	Explorer.EXE	cmd.exe
PID 2636 wrote to memory of 2204	2636	Explorer.EXE	cmd.exe
PID 2636 wrote to memory of 2204	2636	Explorer.EXE	cmd.exe
PID 3160 wrote to memory of 3068	3160	cmd.exe	PING.EXE
PID 3160 wrote to memory of 3068	3160	cmd.exe	PING.EXE
PID 3160 wrote to memory of 3068	3160	cmd.exe	PING.EXE
PID 3160 wrote to memory of 3068	3160	cmd.exe	PING.EXE
PID 3160 wrote to memory of 3068	3160	cmd.exe	PING.EXE

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3612

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3876

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4868

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3932

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2636

C:\Users\Admin\AppData\Local\Temp\putty.exe
"C:\Users\Admin\AppData\Local\Temp\putty.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 476
3⤵
- Program crash
PID:3964

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ivon='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ivon).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\2B8EB0FA-8E4D-9577-F08F-A2992433F6DD\\\LinkActive'));if(!window.flag)close()</script>"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name liemhpq -value gp; new-alias -name phtjfeiap -value iex; phtjfeiap ([System.Text.Encoding]::ASCII.GetString((liemhpq "HKCU:Software\AppDataLow\Software\Microsoft\2B8EB0FA-8E4D-9577-F08F-A2992433F6DD").PlayPlay))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\duldc4rb\duldc4rb.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:4524

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9759.tmp" "c:\Users\Admin\AppData\Local\Temp\duldc4rb\CSC68E6487EAD9C4D94856F5D5366FF4436.TMP"
5⤵
PID:3564

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\my42yefn\my42yefn.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:3304

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES98A1.tmp" "c:\Users\Admin\AppData\Local\Temp\my42yefn\CSC43EEB7593FC64E9B84558CA4695A745.TMP"
5⤵
PID:4552

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\putty.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3160

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:3068

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3568 -ip 3568
1⤵
PID:3960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9759.tmp
Filesize
1KB

MD5
d4df89869adf2f938219ca14a75b7d19

SHA1
cbab8f880de19aef5781343db4951247fbd6b1eb

SHA256
40c7f7cbba314afd9fe1bcda8503d1aed028b078db4034dbfde7637c149e3077

SHA512
51ac66c0ff73fa3824fb5ec60293824a61a2254350c0e270ea0381e5b971ad1faa7dec4c3a4992990aaf2f74ea9d5b323fafd2d525cf9ca69e2e67fbaeeab8d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES98A1.tmp
Filesize
1KB

MD5
84dbc8f0b800e645318e7609179abe29

SHA1
4cb81dcaef1e6f4fdfea75e4fe28a142b0caf47f

SHA256
59699ff61d53f9f896e7d6fa9ab1705bcb3a6b249deec82daabad3456a282662

SHA512
50e68f42192c9f5649e9a654e24391e89cf0c0f936f52cc34f93997d2c90572670e2a16ead726cb382fac4b8d09e4f81213b810de02b58c36fc65a755e788665

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b0521ig2.myy.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\duldc4rb\duldc4rb.dll
Filesize
3KB

MD5
53bdda3a535e61236c6eb9a6b7bba7be

SHA1
fe31b34a519a591b9965861563661bda1395f4f5

SHA256
c46e55a6b52888e32965e31bd357e22d4f80297399076de09ddb1a20b76282e8

SHA512
32ec8b9b216f07501f17305c66e09cf83342ff30913fec2ef6cf5d5a2bfdbceaba777cfe7dc50a6bbb7aa6f0c84f53430e1c47c40602e5b5e8a813b6461d3d0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\my42yefn\my42yefn.dll
Filesize
3KB

MD5
3db7c0d217d7f8128facfdfbd2b185ce

SHA1
d53e50c98e1fa39743e0dd86b0338257dde58e41

SHA256
15c8a214c011b75c5968e60131c7301bd16e08ded88a833ded35a49322229667

SHA512
a586715ae83831eb245d9f0c6e79ce5b6b1d93a4afad1e47343e0618c8fbf2d3d4209c5b08cb5c45c02bbb777e959207421cbe37eea61a3a6e45c4aeae756ddf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\duldc4rb\CSC68E6487EAD9C4D94856F5D5366FF4436.TMP
Filesize
652B

MD5
15699ca42a6091fb9b24a78fda1da010

SHA1
657bedc0f287f197008e60307ff52043d3402d20

SHA256
f0d828c411023e8dfb8204cccf9ce9a909e0df52d4f79672a6789fb7576b3e0e

SHA512
107a21a30339d2d3965e9d2fd3f089a29617674cacf170a212a66186916a761b686f764de8f5ddc640e10bfbf6b96177296486f48c4bbacac200d209a2b7329e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\duldc4rb\duldc4rb.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\duldc4rb\duldc4rb.cmdline
Filesize
369B

MD5
f077d29037a1f7344521a6b7f78776bb

SHA1
1eb607e217ae788d75e79134b13ad32dc4571cba

SHA256
8e959a58049538ff2e15a859703fc06053fd68ad5b848989469f095f01fc75f6

SHA512
6b19829970b2d92f8ad45b15b6d335a6bdbee4b8cee988c0cbbf4e9c849b5f59cf8576de4a47bcf440af1bd73a128be650343d25f952d05890493194cc07ded4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\my42yefn\CSC43EEB7593FC64E9B84558CA4695A745.TMP
Filesize
652B

MD5
7a1586333265afa56fc68f65c40aa3b5

SHA1
4786e5e3ce054114df7857da0700f089460eafa5

SHA256
6211d316749bc3746ff4f9b9bb0c849c2c315ce08cf0a78e9a571923ef489c87

SHA512
817bada9f8b8e1d59d97aee21e831591ea4e542d3ecfe7685983f12a9c645c84764dde574ea1e951bf77b1f3a0b99625e82cd284fb28d511ced8609575950305

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\my42yefn\my42yefn.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\my42yefn\my42yefn.cmdline
Filesize
369B

MD5
1ae962cae762399d735576defbe44a07

SHA1
8959bd56d9aa38e2a23ef9c45856edcc982bc526

SHA256
adaf3b3777b9b5c03a23246406038c1b2f39c31007a8bb72c5f119abd40cff0f

SHA512
68c4392b93129d01465439ccee1dfaabb4d1882bc8a34dd48ca9c507ff6e708f91b766286f59ebf2bad10e857f1c7aa77bd7a97bd2ccb9e4ffbdffb6bce60f67

Download Submit
memory/1968-28-0x00000198F7060000-0x00000198F7070000-memory.dmp

Filesize
64KB

Download
memory/1968-30-0x00000198F7060000-0x00000198F7070000-memory.dmp

Filesize
64KB

Download
memory/1968-29-0x00000198F7060000-0x00000198F7070000-memory.dmp

Filesize
64KB

Download
memory/1968-27-0x00007FFCCCC00000-0x00007FFCCD6C1000-memory.dmp

Filesize
10.8MB

Download
memory/1968-17-0x00000198F7070000-0x00000198F7092000-memory.dmp

Filesize
136KB

Download
memory/1968-59-0x00000198F7210000-0x00000198F724D000-memory.dmp

Filesize
244KB

Download
memory/1968-72-0x00007FFCCCC00000-0x00007FFCCD6C1000-memory.dmp

Filesize
10.8MB

Download
memory/1968-43-0x00000198DEB20000-0x00000198DEB28000-memory.dmp

Filesize
32KB

Download
memory/1968-73-0x00000198F7210000-0x00000198F724D000-memory.dmp

Filesize
244KB

Download
memory/1968-57-0x00000198F71B0000-0x00000198F71B8000-memory.dmp

Filesize
32KB

Download
memory/2204-106-0x00000000011C0000-0x0000000001258000-memory.dmp

Filesize
608KB

Download
memory/2204-111-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/2204-112-0x00000000011C0000-0x0000000001258000-memory.dmp

Filesize
608KB

Download
memory/2636-62-0x00000000013F0000-0x00000000013F1000-memory.dmp

Filesize
4KB

Download
memory/2636-101-0x0000000009430000-0x00000000094D4000-memory.dmp

Filesize
656KB

Download
memory/2636-61-0x0000000009430000-0x00000000094D4000-memory.dmp

Filesize
656KB

Download
memory/3068-114-0x000001E7465F0000-0x000001E746694000-memory.dmp

Filesize
656KB

Download
memory/3068-123-0x000001E7465F0000-0x000001E746694000-memory.dmp

Filesize
656KB

Download
memory/3068-117-0x000001E746480000-0x000001E746481000-memory.dmp

Filesize
4KB

Download
memory/3160-103-0x000002077B180000-0x000002077B181000-memory.dmp

Filesize
4KB

Download
memory/3160-100-0x000002077B2F0000-0x000002077B394000-memory.dmp

Filesize
656KB

Download
memory/3160-124-0x000002077B2F0000-0x000002077B394000-memory.dmp

Filesize
656KB

Download
memory/3568-8-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/3568-2-0x0000000002430000-0x000000000243B000-memory.dmp

Filesize
44KB

Download
memory/3568-9-0x0000000002430000-0x000000000243B000-memory.dmp

Filesize
44KB

Download
memory/3568-3-0x0000000000400000-0x000000000228F000-memory.dmp

Filesize
30.6MB

Download
memory/3568-4-0x0000000002450000-0x000000000245D000-memory.dmp

Filesize
52KB

Download
memory/3568-7-0x0000000002460000-0x0000000002560000-memory.dmp

Filesize
1024KB

Download
memory/3568-1-0x0000000002460000-0x0000000002560000-memory.dmp

Filesize
1024KB

Download
memory/3612-110-0x000001E7B6330000-0x000001E7B63D4000-memory.dmp

Filesize
656KB

Download
memory/3612-76-0x000001E7B5E40000-0x000001E7B5E41000-memory.dmp

Filesize
4KB

Download
memory/3612-75-0x000001E7B6330000-0x000001E7B63D4000-memory.dmp

Filesize
656KB

Download
memory/3876-94-0x00000241C6180000-0x00000241C6181000-memory.dmp

Filesize
4KB

Download
memory/3876-93-0x00000241C60D0000-0x00000241C6174000-memory.dmp

Filesize
656KB

Download
memory/3876-122-0x00000241C60D0000-0x00000241C6174000-memory.dmp

Filesize
656KB

Download
memory/3932-115-0x000001922A490000-0x000001922A534000-memory.dmp

Filesize
656KB

Download
memory/3932-81-0x000001922A490000-0x000001922A534000-memory.dmp

Filesize
656KB

Download
memory/3932-82-0x000001922A450000-0x000001922A451000-memory.dmp

Filesize
4KB

Download
memory/4868-87-0x00000229F75D0000-0x00000229F7674000-memory.dmp

Filesize
656KB

Download
memory/4868-88-0x00000229F53D0000-0x00000229F53D1000-memory.dmp

Filesize
4KB

Download
memory/4868-121-0x00000229F75D0000-0x00000229F7674000-memory.dmp

Filesize
656KB

Download