floxif | a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-12-2024 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe
Size

3.8MB
MD5

8eca649f7af62e1aec1c09064da100df
SHA1

f20108f98b2a2bfecb8c365da01d08d71c00a3dc
SHA256

a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9
SHA512

1a77e97f1f18e9f9f6a212eb34951feb355aa6f47b071b6a6a10d82e2bb9e1545acadc5fccb2f118bd66b0eeb90c5be8f72e5cb1a834225203a2f85dc5a93f3a
SSDEEP

49152:VwYCFEJz3sKcA1990FW6drnq9QF/Fs454vn6puWV355FXw/+euWV355FXw/+AuW0:VwYzenA1990FW6drnq9QpFXmv8k

Score

10^/10

floxif backdoor discovery exploit trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x0007000000012118-1.dat	floxif

Possible privilege escalation attempt 4 IoCs

exploit

pid	Process
2816	takeown.exe
2068	icacls.exe
560	takeown.exe
592	icacls.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0007000000012118-1.dat	acprotect

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe

Executes dropped EXE 1 IoCs

pid	Process
1368	bootsect.exe

Loads dropped DLL 1 IoCs

pid	Process
2232	a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2816	takeown.exe
2068	icacls.exe
560	takeown.exe
592	icacls.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2232-4-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2232-3-0x0000000000400000-0x0000000000623000-memory.dmp	upx
behavioral1/files/0x0007000000012118-1.dat	upx
behavioral1/files/0x0007000000019268-72.dat	upx
behavioral1/memory/2232-83-0x0000000000400000-0x0000000000623000-memory.dmp	upx
behavioral1/memory/2232-86-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2232-87-0x0000000000400000-0x0000000000623000-memory.dmp	upx
behavioral1/memory/2232-103-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2232-104-0x0000000000400000-0x0000000000623000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bootsect.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	compact.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2232	a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe
2232	a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2232	a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe
Token: 33	2232	a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe
Token: SeIncBasePriorityPrivilege	2232	a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe
Token: 33	2232	a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe
Token: SeIncBasePriorityPrivilege	2232	a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe
Token: SeTakeOwnershipPrivilege	2816	takeown.exe
Token: SeTakeOwnershipPrivilege	560	takeown.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2232	a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 1692	2232	a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe	33
PID 2232 wrote to memory of 1692	2232	a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe	33
PID 2232 wrote to memory of 1692	2232	a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe	33
PID 2232 wrote to memory of 1692	2232	a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe	33
PID 1692 wrote to memory of 2752	1692	cmd.exe	35
PID 1692 wrote to memory of 2752	1692	cmd.exe	35
PID 1692 wrote to memory of 2752	1692	cmd.exe	35
PID 1692 wrote to memory of 2752	1692	cmd.exe	35
PID 2752 wrote to memory of 2816	2752	cmd.exe	36
PID 2752 wrote to memory of 2816	2752	cmd.exe	36
PID 2752 wrote to memory of 2816	2752	cmd.exe	36
PID 2752 wrote to memory of 2816	2752	cmd.exe	36
PID 2232 wrote to memory of 1748	2232	a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe	37
PID 2232 wrote to memory of 1748	2232	a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe	37
PID 2232 wrote to memory of 1748	2232	a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe	37
PID 2232 wrote to memory of 1748	2232	a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe	37
PID 1748 wrote to memory of 2068	1748	cmd.exe	39
PID 1748 wrote to memory of 2068	1748	cmd.exe	39
PID 1748 wrote to memory of 2068	1748	cmd.exe	39
PID 1748 wrote to memory of 2068	1748	cmd.exe	39
PID 2232 wrote to memory of 2096	2232	a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe	40
PID 2232 wrote to memory of 2096	2232	a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe	40
PID 2232 wrote to memory of 2096	2232	a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe	40
PID 2232 wrote to memory of 2096	2232	a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe	40
PID 2096 wrote to memory of 796	2096	cmd.exe	42
PID 2096 wrote to memory of 796	2096	cmd.exe	42
PID 2096 wrote to memory of 796	2096	cmd.exe	42
PID 2096 wrote to memory of 796	2096	cmd.exe	42
PID 796 wrote to memory of 560	796	cmd.exe	43
PID 796 wrote to memory of 560	796	cmd.exe	43
PID 796 wrote to memory of 560	796	cmd.exe	43
PID 796 wrote to memory of 560	796	cmd.exe	43
PID 2232 wrote to memory of 588	2232	a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe	44
PID 2232 wrote to memory of 588	2232	a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe	44
PID 2232 wrote to memory of 588	2232	a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe	44
PID 2232 wrote to memory of 588	2232	a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe	44
PID 588 wrote to memory of 592	588	cmd.exe	46
PID 588 wrote to memory of 592	588	cmd.exe	46
PID 588 wrote to memory of 592	588	cmd.exe	46
PID 588 wrote to memory of 592	588	cmd.exe	46
PID 2232 wrote to memory of 2216	2232	a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe	47
PID 2232 wrote to memory of 2216	2232	a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe	47
PID 2232 wrote to memory of 2216	2232	a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe	47
PID 2232 wrote to memory of 2216	2232	a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe	47
PID 2216 wrote to memory of 2368	2216	cmd.exe	49
PID 2216 wrote to memory of 2368	2216	cmd.exe	49
PID 2216 wrote to memory of 2368	2216	cmd.exe	49
PID 2232 wrote to memory of 2140	2232	a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe	50
PID 2232 wrote to memory of 2140	2232	a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe	50
PID 2232 wrote to memory of 2140	2232	a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe	50
PID 2232 wrote to memory of 2140	2232	a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe	50
PID 2140 wrote to memory of 1984	2140	cmd.exe	52
PID 2140 wrote to memory of 1984	2140	cmd.exe	52
PID 2140 wrote to memory of 1984	2140	cmd.exe	52
PID 2232 wrote to memory of 1764	2232	a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe	54
PID 2232 wrote to memory of 1764	2232	a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe	54
PID 2232 wrote to memory of 1764	2232	a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe	54
PID 2232 wrote to memory of 1764	2232	a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe	54
PID 1764 wrote to memory of 2952	1764	cmd.exe	56
PID 1764 wrote to memory of 2952	1764	cmd.exe	56
PID 1764 wrote to memory of 2952	1764	cmd.exe	56
PID 1764 wrote to memory of 2952	1764	cmd.exe	56
PID 2232 wrote to memory of 1932	2232	a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe	57
PID 2232 wrote to memory of 1932	2232	a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe	57

C:\Users\Admin\AppData\Local\Temp\a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe
"C:\Users\Admin\AppData\Local\Temp\a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe"
1⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c takeown /f C:\ldrscan\bootwin
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f C:\ldrscan\bootwin
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2816
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:2068
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c takeown /f C:\ldrscan\bootwin
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:796
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f C:\ldrscan\bootwin
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:560
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:588
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:592
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\System32\cscript.exe
    C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS"
    3⤵
    PID:2368
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\System32\cscript.exe
    C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2
    3⤵
    PID:1984
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /A /C "compact /u \\?\Volume{c8ac9d43-69ed-11ef-93bf-806e6f6e6963}\KUQPH"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\SysWOW64\compact.exe
    compact /u \\?\Volume{c8ac9d43-69ed-11ef-93bf-806e6f6e6963}\KUQPH
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2952
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /A /C "C:\bootsect.exe /nt60 SYS /force"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1932
- - C:\bootsect.exe
    C:\bootsect.exe /nt60 SYS /force
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Acer.XRM-MS

Filesize
2KB

MD5
f25832af6a684360950dbb15589de34a

SHA1
17ff1d21005c1695ae3dcbdc3435017c895fff5d

SHA256
266d64637cf12ff961165a018f549ff41002dc59380605b36d65cf1b8127c96f

SHA512
e0cf23351c02f4afa85eedc72a86b9114f539595cbd6bcd220e8b8d70fa6a7379dcd947ea0d59332ba672f36ebda6bd98892d9b6b20eedafc8be168387a3dd5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1D26E2\4357A7C8B8.tmp

Filesize
3.7MB

MD5
e7be2c033c6ab0ba199b4717f98bc947

SHA1
6c964ec7100ad55922e186a157a445825998cfa4

SHA256
27c81c938edf0a2a06d8d80de7e852a61d8ff89ff17ab69b7818858edaa3c446

SHA512
ebec9d725a3c368329fb7c02eafefd69a412e2c871f693bfbdbf4ec5193ced4cb95e6de31e6e5b0ed56215b7bab7d6f851a2a3174314bec63204201848031b7a

Download Submit
C:\bootsect.exe

Filesize
95KB

MD5
952d40ae1ab389a15def901aedc6a422

SHA1
d8f96ece4b4205e0e23cabbbfdbfd2a6033e800e

SHA256
6e1f12f666051d6e1736c96f8ce58f036346d3885ce2c36102ab69c2d15d492e

SHA512
5ae8713ca7f963d33e667e330b77479b11216c107df4e3728fe39a90fbb8ea30fd6bb4bd5b755bea96c468b2e63ae2a5037b51e3dda681c92406ecd634d07856

Download Submit
\??\Volume{c8ac9d43-69ed-11ef-93bf-806e6f6e6963}\KUQPH

Filesize
357KB

MD5
389fa960c6b5d40df0321015362ba9a8

SHA1
d1532fbd688cb21446879cc8642b16a3d24ccd93

SHA256
c8f3d813baec8ba201e1a2433576d492e0195a0ec3c8cbf9aa212480e36d8a97

SHA512
e6e0cd753064d6bbfaa661c09d2133f47002180da6d656748c4cac6b329653720c184b5937a7ca019e177aaf191e88e610d0a7403ca119a8964f1ad2ab35ca3a

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
memory/1368-100-0x0000000001000000-0x000000000101B000-memory.dmp

Filesize
108KB

Download
memory/2232-21-0x00000000003B0000-0x00000000003C2000-memory.dmp

Filesize
72KB

Download
memory/2232-86-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2232-37-0x00000000007C0000-0x00000000007D1000-memory.dmp

Filesize
68KB

Download
memory/2232-29-0x00000000003D0000-0x00000000003F1000-memory.dmp

Filesize
132KB

Download
memory/2232-4-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2232-16-0x00000000003A0000-0x00000000003B0000-memory.dmp

Filesize
64KB

Download
memory/2232-53-0x00000000007F0000-0x0000000000800000-memory.dmp

Filesize
64KB

Download
memory/2232-83-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/2232-61-0x0000000000A20000-0x0000000000A40000-memory.dmp

Filesize
128KB

Download
memory/2232-45-0x00000000007E0000-0x00000000007F0000-memory.dmp

Filesize
64KB

Download
memory/2232-87-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/2232-89-0x0000000075C56000-0x0000000075C57000-memory.dmp

Filesize
4KB

Download
memory/2232-69-0x0000000003330000-0x00000000034C8000-memory.dmp

Filesize
1.6MB

Download
memory/2232-8-0x0000000000380000-0x0000000000393000-memory.dmp

Filesize
76KB

Download
memory/2232-3-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/2232-103-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2232-104-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download