floxif | bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c

Analysis

max time kernel
145s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-12-2024 02:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe
Size

850KB
MD5

30bb2523df5773ef3f8136376d2606a9
SHA1

1d1751705d24c3ada623edf6e4a9db4799ff56bd
SHA256

bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c
SHA512

cb939b117c7275e1077bb2c151db882828dbf6200f1c93edca1a2c1084ba2cf88ab9dd0552f3f8af9495c1371e6dfadf27b62c8c33a2713cf24837d692f66959
SSDEEP

12288:RozGdX0M4ornOI7ZIzfMwHHQmRROXKuHc1wClr94a7U/VrnkHNjD53NtwH1YKj4n:R4GHnJIzOaIc+Qx4awNyNFsbZrEH7pN

Score

10^/10

floxif backdoor discovery trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x000d000000012262-1.dat	floxif

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000d000000012262-1.dat	acprotect

Loads dropped DLL 1 IoCs

pid	Process
2868	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2868-47-0x0000000000900000-0x0000000000AB0000-memory.dmp	autoit_exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000d000000012262-1.dat	upx
behavioral1/memory/2868-4-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2868-3-0x0000000000900000-0x0000000000AB0000-memory.dmp	upx
behavioral1/memory/2868-47-0x0000000000900000-0x0000000000AB0000-memory.dmp	upx
behavioral1/memory/2868-48-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2868-50-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2868-54-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2868-58-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2868-62-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2868-66-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2868-70-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2868-72-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskpart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskpart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskpart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskpart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskpart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskpart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2868	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe
2868	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe
2868	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe
2868	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe
2868	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2868	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2868	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2076	2868	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	28
PID 2868 wrote to memory of 2076	2868	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	28
PID 2868 wrote to memory of 2076	2868	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	28
PID 2868 wrote to memory of 2076	2868	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	28
PID 2076 wrote to memory of 1036	2076	cmd.exe	30
PID 2076 wrote to memory of 1036	2076	cmd.exe	30
PID 2076 wrote to memory of 1036	2076	cmd.exe	30
PID 2076 wrote to memory of 1036	2076	cmd.exe	30
PID 2868 wrote to memory of 2768	2868	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	34
PID 2868 wrote to memory of 2768	2868	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	34
PID 2868 wrote to memory of 2768	2868	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	34
PID 2868 wrote to memory of 2768	2868	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	34
PID 2768 wrote to memory of 2688	2768	cmd.exe	36
PID 2768 wrote to memory of 2688	2768	cmd.exe	36
PID 2768 wrote to memory of 2688	2768	cmd.exe	36
PID 2768 wrote to memory of 2688	2768	cmd.exe	36
PID 2868 wrote to memory of 2528	2868	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	37
PID 2868 wrote to memory of 2528	2868	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	37
PID 2868 wrote to memory of 2528	2868	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	37
PID 2868 wrote to memory of 2528	2868	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	37
PID 2528 wrote to memory of 2480	2528	cmd.exe	39
PID 2528 wrote to memory of 2480	2528	cmd.exe	39
PID 2528 wrote to memory of 2480	2528	cmd.exe	39
PID 2528 wrote to memory of 2480	2528	cmd.exe	39
PID 2868 wrote to memory of 2300	2868	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	40
PID 2868 wrote to memory of 2300	2868	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	40
PID 2868 wrote to memory of 2300	2868	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	40
PID 2868 wrote to memory of 2300	2868	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	40
PID 2300 wrote to memory of 2132	2300	cmd.exe	42
PID 2300 wrote to memory of 2132	2300	cmd.exe	42
PID 2300 wrote to memory of 2132	2300	cmd.exe	42
PID 2300 wrote to memory of 2132	2300	cmd.exe	42
PID 2868 wrote to memory of 1672	2868	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	43
PID 2868 wrote to memory of 1672	2868	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	43
PID 2868 wrote to memory of 1672	2868	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	43
PID 2868 wrote to memory of 1672	2868	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	43
PID 1672 wrote to memory of 1680	1672	cmd.exe	45
PID 1672 wrote to memory of 1680	1672	cmd.exe	45
PID 1672 wrote to memory of 1680	1672	cmd.exe	45
PID 1672 wrote to memory of 1680	1672	cmd.exe	45
PID 2868 wrote to memory of 1388	2868	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	46
PID 2868 wrote to memory of 1388	2868	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	46
PID 2868 wrote to memory of 1388	2868	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	46
PID 2868 wrote to memory of 1388	2868	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	46
PID 1388 wrote to memory of 1272	1388	cmd.exe	48
PID 1388 wrote to memory of 1272	1388	cmd.exe	48
PID 1388 wrote to memory of 1272	1388	cmd.exe	48
PID 1388 wrote to memory of 1272	1388	cmd.exe	48

C:\Users\Admin\AppData\Local\Temp\bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe
"C:\Users\Admin\AppData\Local\Temp\bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c diskpart /s C:\Users\Admin\AppData\Local\Temp\partition.txt > C:\Users\Admin\AppData\Local\Temp\partitionrst.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\SysWOW64\diskpart.exe
    diskpart /s C:\Users\Admin\AppData\Local\Temp\partition.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c diskpart /s C:\Users\Admin\AppData\Local\Temp\diskmodel.txt > C:\Users\Admin\AppData\Local\Temp\partitionrst.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\SysWOW64\diskpart.exe
    diskpart /s C:\Users\Admin\AppData\Local\Temp\diskmodel.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c diskpart /s C:\Users\Admin\AppData\Local\Temp\partition.txt > C:\Users\Admin\AppData\Local\Temp\partitionrst.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\SysWOW64\diskpart.exe
    diskpart /s C:\Users\Admin\AppData\Local\Temp\partition.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2480
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c diskpart /s C:\Users\Admin\AppData\Local\Temp\partition.txt > C:\Users\Admin\AppData\Local\Temp\partitionrst.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\SysWOW64\diskpart.exe
    diskpart /s C:\Users\Admin\AppData\Local\Temp\partition.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c diskpart /s C:\Users\Admin\AppData\Local\Temp\partition.txt > C:\Users\Admin\AppData\Local\Temp\partitionrst.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\SysWOW64\diskpart.exe
    diskpart /s C:\Users\Admin\AppData\Local\Temp\partition.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c diskpart /s C:\Users\Admin\AppData\Local\Temp\partition.txt > C:\Users\Admin\AppData\Local\Temp\partitionrst.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Windows\SysWOW64\diskpart.exe
    diskpart /s C:\Users\Admin\AppData\Local\Temp\partition.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1272

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2112

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\diskmodel.txt

Filesize
25B

MD5
67661bfae3e5d5e2814f38c791ae1f13

SHA1
af63858cf1bacaac1742d04f97df4c3b94964e5f

SHA256
00dd94ce409aa21164cfb080cdc5c467961622e32d0c7f76662343986306e121

SHA512
6f16d35cb79de125b159a35417328878cd89ac03910ef843051191235a6eacaf0723264ecaf485233acd5de6e30b4975c200ef6bd66121d24ec8bf335ff8541e

Download Submit
C:\Users\Admin\AppData\Local\Temp\partition.txt

Filesize
11B

MD5
66e1cfbc5c9185251ff5a869d5b1a545

SHA1
94b1a6e9b6be538f595f9049365604dc45af9bda

SHA256
9644150875d4825f8e823f22c4103115ed26e8fecc1c1bf54da77f976d6eda44

SHA512
137197e17a26df0dec8dd1cb15e7a723b8e74cc888912820dc6dac518a0c4becc277d67c5e2c069d5dd9ea1e33f1970080a717fca63697483d1795d988d4554f

Download Submit
C:\Users\Admin\AppData\Local\Temp\partition.txt

Filesize
23B

MD5
453aef926ff583c0fc9b312bc5b35f66

SHA1
f064d1f2be70b82372f8a52c69cc77640244a864

SHA256
745b113174ac67f569e26f49af7dc3fd7e07e899ddf96e67ad6234cde48dc6b6

SHA512
b3d628dd300b8df01bf8eb5326b88cb44e775843478d5184d16e3a1cb8161acdc9413d529bb82137982f0cbffb18c9809716ea8c99e761679c9268a8851c4da4

Download Submit
C:\Users\Admin\AppData\Local\Temp\partition.txt

Filesize
37B

MD5
ffc02845d569af860d1d780e3bc38731

SHA1
b6dc16900c792459aa2076dd8dcdf9df661b7f39

SHA256
20d30c299e8c3aa726ec7b443fdc4ce66e3e8d8463edea66152a01fbc1230007

SHA512
3f116546be42ef8b8f4d5920ba7ebe16695ba18e262b0ae5b25086627bab98d84b1b24a7814f2ecb239a8ec888636a130a23c20b9dfdbd23ee53c22d43005c38

Download Submit
C:\Users\Admin\AppData\Local\Temp\partition.txt

Filesize
37B

MD5
ce86c4bdff08645eddd8b3b772280d41

SHA1
7010922686a15c50da321d57320ef12cfadcaf66

SHA256
1da128599ccc603e48bd67148caf46709ed34f236571f787b563a759c8a70a92

SHA512
a7bef53e198dc87d4ebb97c312b8182f3c82afaa99c81c886cec269e2f1ef89d097003976016cef76c1979e416243485ae32389eafb6b21c56ba2b9a4d018654

Download Submit
C:\Users\Admin\AppData\Local\Temp\partition.txt

Filesize
37B

MD5
1317542fff4436205b703a647bb91264

SHA1
6f89fe2bfbbec0641d9253aae640ebe61f35a12f

SHA256
a444d333d4bdb896445a988019c2c4e80d9882d44177ebb836cb6ee757943e71

SHA512
af57bd5ced7df601c341148b2eea32e761f99fd8b3457e3b02313f20c49d97a4d29481ff7f83fe087321ceb27d6e784ecbcfca687af06e70cb9d96abdd56c509

Download Submit
C:\Users\Admin\AppData\Local\Temp\partitionrst.txt

Filesize
276B

MD5
a8bc7b4b4fe29191155e93654595d120

SHA1
98a029fa534b08fbcfa930e062fad4e1c66f8c94

SHA256
0f4d641d25c6f6f274a6e8c7289cbb945661b25d0f02d9177ae06570766124f4

SHA512
0d21879f6d6a1a2d7a7a9e31385e87097ef5d4c684bbdd9850590e3bdb0c7d3402630f71571429af704ebf1c7a1d0348fc40951d957a8ca3c13f30c7022996c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\partitionrst.txt

Filesize
880B

MD5
9f02053146717349d11d3c2618b13f60

SHA1
6ca052339347fb8e76d520fe0865776b722215e7

SHA256
bbdab431da543b7d95562c2b4670b26e8603e265869e11500c330df56a9be9e2

SHA512
8190fdd7b22dead1d41aa1e02b1fd65e7a1f7a53b82429537518fda06f88147e5d3d039cd93f2b0940bdeb776e1a4f01e816a9571c804356680659c5649b51d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\partitionrst.txt

Filesize
412B

MD5
cd94f065cf2e0a1ce61ff6ef9f252b87

SHA1
98093632d1cba4fd1d85fbf5a0edc43b3db15288

SHA256
838a483ef0960f4a314c1f71d12c327bd480ff4f905b1a859747867912aa93dd

SHA512
fd2fede8aa5c74a0a5946e43101646f3b916a73f4a024aecaecfaf4cb9226039c3523aee0c9316d3971d2ca8ee91348d0f0b17017a6ff9ee6d2a2f606a25e4b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\partitionrst.txt

Filesize
512B

MD5
80d778a1efb425b823140cc0afe096d8

SHA1
50e6a680f0eb49a97491f3ee6408da93bd5dbcec

SHA256
2ae9734b68413245677f3e644aa65a3dbc37f5cc1a658574a389802f5d39cfb4

SHA512
8a8a77651bdb2deb404816b1c64aaef46dce355b1ee477f67ff5e3d4d4d88ef12c2377c008421d1f909b1326b451292e0d47d622bd7f1474481d3911bf4164b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\partitionrst.txt

Filesize
512B

MD5
eacbc771b72a7b31b99e2cd66e425963

SHA1
7b6330084458555c42c204280ac18311d0e1747c

SHA256
fab051e6b879bfc9c2ebc1290d6056a7274e32c24cf03a6bd6aa897e1ee0d8f1

SHA512
cf75248fe1ebf06dd714fa99bea5ac0a86b88bcb38678271ff49f307f9920effb663b5814552ebfbee45202211da675fe587063b25c2f56ce7b0d171b287ffc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\partitionrst.txt

Filesize
515B

MD5
d1d1a567dfe71b439fc0423db4b04a3e

SHA1
91eb8aa3e7a4812674f03ecf4667f7ce93f62117

SHA256
b02ea0ff35429d08d1fe513c401c2c697ee3a4222591a67aab4f5f25bb959560

SHA512
8a3d363edf8a7d8687cb9b99b6b128b59e47c6e5ddb4e8b3c296676b017a4ee53d43804309a24cb9467c286cd72a37454316ca31f00cc889c9089f4881ad78a6

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
memory/2868-47-0x0000000000900000-0x0000000000AB0000-memory.dmp

Filesize
1.7MB

Download
memory/2868-3-0x0000000000900000-0x0000000000AB0000-memory.dmp

Filesize
1.7MB

Download
memory/2868-6-0x0000000000A43000-0x0000000000A44000-memory.dmp

Filesize
4KB

Download
memory/2868-48-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2868-50-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2868-54-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2868-58-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2868-62-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2868-4-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2868-66-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2868-70-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2868-72-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download