floxif | 012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075aff

Analysis

max time kernel
118s
max time network
94s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
10-11-2024 07:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
Size

5.8MB
MD5

5881184e8a0254680de7a6044c5e0470
SHA1

61af39637a7f12aa7254e2c92922cd320c830811
SHA256

012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075aff
SHA512

b5260dcf235724572da8e9f99803af38c9664ced977c58b0166dde44bb8c9fc87193908c61eae65b5c6c4c6dd1908b73eea4d234671f2771a29675d6fd8d6b3c
SSDEEP

98304:XYvIlp+8z1cwOKN3P4R18frP3wbzWFimaI7dlo5:qIlo8zC4N5gbzWFimaI7dlG

Score

10^/10

floxif adware backdoor discovery persistence phishing spyware stealer trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x000b000000012280-1.dat	floxif

A potential corporate email address has been identified in the URL: [email protected]
phishing

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000b000000012280-1.dat	acprotect

Loads dropped DLL 4 IoCs

pid	Process
2580	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
2580	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
2580	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
2580	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe /onboot"	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2580-3-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/files/0x000b000000012280-1.dat	upx
behavioral1/memory/2580-15-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2580-14-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2580-32-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2580-216-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2580-236-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2580-242-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2580-255-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	\??\c:\program files\mozilla firefox\maintenanceservice_installer.exe.tmp	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
File opened for modification	\??\c:\program files\mozilla firefox\uninstall\helper.exe	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
File created	\??\c:\program files\mozilla firefox\uninstall\helper.exe.tmp	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
File created	C:\Program Files\Common Files\System\symsrv.dll	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
File opened for modification	\??\c:\program files\mozilla firefox\maintenanceservice_installer.exe	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Modifies Internet Explorer settings 1 TTPs 22 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe"	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3"	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3"	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe"	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3"	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEExt.htm"	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Low Rights	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe"	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243"	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe

Modifies registry class 18 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID\ = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan.CIDMLinkTransmitter"	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\AppID = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Wow6432Node	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}\Therad = "1"	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}\Model = "314"	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe"	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\RunAs = "Interactive User"	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan"	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ROTFlags = "1"	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Wow6432Node\CLSID	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2580	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
2580	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
2580	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2580	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2580	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
Token: SeRestorePrivilege	2580	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
Token: SeDebugPrivilege	2800	firefox.exe
Token: SeDebugPrivilege	2800	firefox.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
2580	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2800	firefox.exe
2800	firefox.exe
2800	firefox.exe
2580	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2580	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
2580	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
2580	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
2580	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
2580	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
2580	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
2580	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
2580	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
2580	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
2580	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
2580	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 2804	2580	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe	32
PID 2580 wrote to memory of 2804	2580	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe	32
PID 2580 wrote to memory of 2804	2580	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe	32
PID 2580 wrote to memory of 2804	2580	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe	32
PID 2580 wrote to memory of 2804	2580	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe	32
PID 2580 wrote to memory of 2804	2580	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe	32
PID 2580 wrote to memory of 2804	2580	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe	32
PID 2580 wrote to memory of 2844	2580	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe	34
PID 2580 wrote to memory of 2844	2580	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe	34
PID 2580 wrote to memory of 2844	2580	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe	34
PID 2580 wrote to memory of 2844	2580	012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe	34
PID 2844 wrote to memory of 2800	2844	firefox.exe	35
PID 2844 wrote to memory of 2800	2844	firefox.exe	35
PID 2844 wrote to memory of 2800	2844	firefox.exe	35
PID 2844 wrote to memory of 2800	2844	firefox.exe	35
PID 2844 wrote to memory of 2800	2844	firefox.exe	35
PID 2844 wrote to memory of 2800	2844	firefox.exe	35
PID 2844 wrote to memory of 2800	2844	firefox.exe	35
PID 2844 wrote to memory of 2800	2844	firefox.exe	35
PID 2844 wrote to memory of 2800	2844	firefox.exe	35
PID 2844 wrote to memory of 2800	2844	firefox.exe	35
PID 2844 wrote to memory of 2800	2844	firefox.exe	35
PID 2844 wrote to memory of 2800	2844	firefox.exe	35
PID 2800 wrote to memory of 1128	2800	firefox.exe	36
PID 2800 wrote to memory of 1128	2800	firefox.exe	36
PID 2800 wrote to memory of 1128	2800	firefox.exe	36
PID 2800 wrote to memory of 1484	2800	firefox.exe	37
PID 2800 wrote to memory of 1484	2800	firefox.exe	37
PID 2800 wrote to memory of 1484	2800	firefox.exe	37
PID 2800 wrote to memory of 1484	2800	firefox.exe	37
PID 2800 wrote to memory of 1484	2800	firefox.exe	37
PID 2800 wrote to memory of 1484	2800	firefox.exe	37
PID 2800 wrote to memory of 1484	2800	firefox.exe	37
PID 2800 wrote to memory of 1484	2800	firefox.exe	37
PID 2800 wrote to memory of 1484	2800	firefox.exe	37
PID 2800 wrote to memory of 1484	2800	firefox.exe	37
PID 2800 wrote to memory of 1484	2800	firefox.exe	37
PID 2800 wrote to memory of 1484	2800	firefox.exe	37
PID 2800 wrote to memory of 1484	2800	firefox.exe	37
PID 2800 wrote to memory of 1484	2800	firefox.exe	37
PID 2800 wrote to memory of 1484	2800	firefox.exe	37
PID 2800 wrote to memory of 1484	2800	firefox.exe	37
PID 2800 wrote to memory of 1484	2800	firefox.exe	37
PID 2800 wrote to memory of 1484	2800	firefox.exe	37
PID 2800 wrote to memory of 1484	2800	firefox.exe	37
PID 2800 wrote to memory of 1484	2800	firefox.exe	37
PID 2800 wrote to memory of 1484	2800	firefox.exe	37
PID 2800 wrote to memory of 1484	2800	firefox.exe	37
PID 2800 wrote to memory of 1484	2800	firefox.exe	37
PID 2800 wrote to memory of 1484	2800	firefox.exe	37
PID 2800 wrote to memory of 1484	2800	firefox.exe	37
PID 2800 wrote to memory of 1484	2800	firefox.exe	37
PID 2800 wrote to memory of 1484	2800	firefox.exe	37
PID 2800 wrote to memory of 1484	2800	firefox.exe	37
PID 2800 wrote to memory of 1484	2800	firefox.exe	37
PID 2800 wrote to memory of 1484	2800	firefox.exe	37
PID 2800 wrote to memory of 1484	2800	firefox.exe	37
PID 2800 wrote to memory of 1484	2800	firefox.exe	37
PID 2800 wrote to memory of 1484	2800	firefox.exe	37
PID 2800 wrote to memory of 1484	2800	firefox.exe	37
PID 2800 wrote to memory of 1484	2800	firefox.exe	37
PID 2800 wrote to memory of 1484	2800	firefox.exe	37
PID 2800 wrote to memory of 1484	2800	firefox.exe	37
PID 2800 wrote to memory of 1484	2800	firefox.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe
"C:\Users\Admin\AppData\Local\Temp\012424a394a9058782613a0425b1afd884fc46de36e70089f668095721075affN.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2804
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.0.1908262475\1068789729" -parentBuildID 20221007134813 -prefsHandle 1216 -prefMapHandle 1208 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e46ee6de-a452-415b-965d-4612c3ecb040} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 1292 8ef1258 gpu
      4⤵
      PID:1128
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.1.479719085\1463440122" -parentBuildID 20221007134813 -prefsHandle 1496 -prefMapHandle 1492 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae5345c8-5bfa-473b-aaaf-018df5f8186f} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 1508 49f9558 socket
      4⤵
      PID:1484
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.2.891424295\1040376412" -childID 1 -isForBrowser -prefsHandle 2120 -prefMapHandle 2116 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7bb9f24f-87e3-445d-b94d-41b77f6be6ef} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 2132 19b69558 tab
      4⤵
      PID:1988
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.3.1137865864\909796402" -childID 2 -isForBrowser -prefsHandle 2636 -prefMapHandle 2632 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {67a503a1-e2ed-4207-b68a-deb5fca26c79} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 2648 e68458 tab
      4⤵
      PID:1972
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.4.1625594624\510861594" -childID 3 -isForBrowser -prefsHandle 3740 -prefMapHandle 3736 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {edca02fb-a978-4e17-95ac-90a7e60fd4f6} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 3752 1b7fc958 tab
      4⤵
      PID:868
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.5.2080768575\2029473291" -childID 4 -isForBrowser -prefsHandle 3864 -prefMapHandle 3868 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {512d9941-8bed-489a-bfeb-ea97a20c7269} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 3852 1f89f258 tab
      4⤵
      PID:2768
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.6.1892443691\1890340940" -childID 5 -isForBrowser -prefsHandle 4040 -prefMapHandle 4044 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {25120adf-3f4a-4121-a373-a7bd9ee9c72c} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 4028 1f89f558 tab
      4⤵
      PID:2848
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.7.1153929100\1817344915" -childID 6 -isForBrowser -prefsHandle 2156 -prefMapHandle 2152 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7613e782-e593-469a-9256-8567168d07db} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 2228 e6a258 tab
      4⤵
      PID:2452
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2996
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMIECC64.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2724
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMGetAll64.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2484
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\downlWithIDM64.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\z3l10m6w.default-release\activity-stream.discovery_stream.json.tmp

Filesize
30KB

MD5
ec0f154378e54cc987b813db6b99675a

SHA1
5ec50eeb593a0e52b40dd74bba6aa8216c19f7e4

SHA256
024aad113cd76a8b45fdf3ec04284a0a9efa414671fca2c52c38cf1ef75bf4c1

SHA512
ccb7c9b7090f950ac6999bef7fc9a611bff8d6678789cb1b79a6859bbd677d36ca3d48459b6ba7384ce99769351e26f643b74f3ca689c68afc8933daec09ae73

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\z3l10m6w.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
13KB

MD5
f99b4984bd93547ff4ab09d35b9ed6d5

SHA1
73bf4d313cb094bb6ead04460da9547106794007

SHA256
402571262fd1f6dca336f822ceb0ec2a368a25dfe2f4bfa13b45c983e88b6069

SHA512
cd0ed84a24d3faae94290aca1b5ef65eef4cfba8a983da9f88ee3268fc611484a72bd44ca0947c0ca8de174619debae4604e15e4b2c364e636424ba1d37e1759

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
f7b445c7e68f35f9be444d900ac65695

SHA1
3f4be5c749ff65ef41ee7130e36b4bc80afe5b0e

SHA256
7cdf91661f55350a6f5bc6f3172470ca39429f9dcb89db7113ce3408729b4f27

SHA512
88905905ef7b735b7bf45d40110075d3cb4b317d9871fcea933dbb28392d2cc7bba5999cbd285103c165f3a4e3e66bfc77789e9c4504e01825661c1af8024014

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\datareporting\glean\pending_pings\26342c70-a2f3-447b-b46f-28a099dd928d

Filesize
11KB

MD5
7867e85343c25eec0c61183af0488c21

SHA1
5a7983fd1dd1ebb535016b0fd1c4e5aebadcc96e

SHA256
65788024d5e5dde84a8bd3285d519da9e58778fcbb5a16c923c5686060b5aaad

SHA512
34e33aeeacb279f3b9a510e9b49cfece72f2060eb340c4a458176b7528c91a12a58237b9cdb959ccb886b4f8876a91604555b3e39e06056020d9eff63fe0012e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\datareporting\glean\pending_pings\40f2c298-bd4c-4685-beb3-c19553608f1e

Filesize
745B

MD5
6b4c71540ab06ad30f747aa601e3ce2e

SHA1
53f4130f98aca0d940d7168794ab2ccaf093de02

SHA256
620212765e8f4fa74ee2e4577455272726bab4d703a9e5213b8d65a2c16d5ab5

SHA512
83f05818943dab01cbbde2d19e3dda72c804246b381b7727fdedfa4523e8638cce6c99a540bb09b231dd28d1469b8f053cdd36ad9d93864323ab76d921cdd827

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\prefs-1.js

Filesize
6KB

MD5
a703d50c7d73cf08cda018d2da7bb18a

SHA1
2d2c95043aece63fa7704013fd9081a9d470bd47

SHA256
895b4f57fcac15773125cc9b147d07c006cb48e25cb3e8b2df62883d5820c74a

SHA512
be35d4e2a2fa58849a78e9407f53819bae41b1b683ce6012c13c89397b88d4c5924cc8d1978f049aa26427cd3bf179881fec06a10bea1b275e3b238996677e08

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\prefs-1.js

Filesize
6KB

MD5
10636193ddaa0bdb5bf18f97ddae59ac

SHA1
98fbcaf932864d1bd5559b9d332dbf1d848df6c3

SHA256
7661cbf762c9d71c3c7c19a85fc5d1552bb5ab0ef8742caf1bd353460de16a7e

SHA512
e6507e84bb133cebca94cddc09408b3f79ddde0d63641e4cf37a810eabca44485ed4971bf7d4f168efcaab16d0236b8ad760b76fd2b7cff2ebe475dac2e6ed7f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\prefs.js

Filesize
6KB

MD5
4b0d0006fc216d18e5473c951fe190b2

SHA1
92b9aac386d667fcc5d802789c3dd74f5b0ffeac

SHA256
c60384fccc59a556151dd1f486cf16aa20e74f83267e577434363eeeae931993

SHA512
435eba8dd0dfe06856715877827dd14c63edee42505756df93183367c5eb949d4f764f8fd91dbf53bbe65300febedd83fe5c97231983e29535c18bc7669c41eb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
dfe0197c6db5e33611c801221fc53b05

SHA1
e7c1d8d5c98939e0494a9e99d4225ef35d1bc623

SHA256
a0115d807b37a0e5fa1c132600c467c4bd33523f44b025c27016e6c607da553e

SHA512
461b512bf552ab39a5da22dd8e87d2cd72761836d3b2d7bf01a46456a15ffbd7d8c0d3da660537a4dac33e930a1112aff9778052bdebbc42f433ad5ea76d5a35

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\Program Files\Mozilla Firefox\maintenanceservice_installer.exe.tmp

Filesize
261KB

MD5
8b99b94499bd3bf9c636cf9de02f48c9

SHA1
44abba88fe5b5bc0d4e0a27d0a2dc6e3d5795191

SHA256
7b9f13eb11ccc7e3708f9a76a9f081d6b3b7fe36f25dd26977ab117eae31a99f

SHA512
5b22e96148c340583b8462999e51e0d51d7499fb4b9685ed4f3c54a98fa88dcfdceff60277a5f38581511063f0873ececca33da26aa3d8f9a9573790a2ed00c2

Download Submit
\Program Files\Mozilla Firefox\uninstall\helper.exe.tmp

Filesize
1.3MB

MD5
89991b16705b1be33c44c1afd60e0723

SHA1
3ecf1513b197b1ccc870267bdfdcded2347c31cf

SHA256
ee3dd6de3e3f1009287e2086479062207a0ff906895218e3487d0d707482e671

SHA512
2fc0e0d507aa15f087951c183a3a9391fc7061df64c3957c5140f076ae192f759387a6d38523dd8b4e3fc7906b61c79443e95de42d67b3a0f31a9147b2b5f5d9

Download Submit
\Users\Admin\AppData\Local\Temp\A1D26E2\CCF0608A14.tmp

Filesize
5.8MB

MD5
a3044c3f2cf05db83a2e9eaee1ffe6a6

SHA1
67757f3f14db416151b2dea12e6a2bf4f566f5fd

SHA256
e8ce2dabc9045a9cf0c58c86306fe34ba7a134152e41c6caa28ccdef770f4a26

SHA512
8c3061c20e8f6ab8b77adee274505ef30940b7b7970a2264d8c602ef52f54b9b245d1ca6362b396b7002a889cf4ad09d51729937c337c5d89ace56d73f687212

Download Submit
memory/2580-3-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2580-13-0x0000000000100000-0x00000000006CB000-memory.dmp

Filesize
5.8MB

Download
memory/2580-15-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2580-216-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2580-31-0x0000000000100000-0x00000000006CB000-memory.dmp

Filesize
5.8MB

Download
memory/2580-236-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2580-235-0x0000000000100000-0x00000000006CB000-memory.dmp

Filesize
5.8MB

Download
memory/2580-14-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2580-242-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2580-32-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2580-255-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2580-292-0x0000000000100000-0x00000000006CB000-memory.dmp

Filesize
5.8MB

Download