floxif | bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-12-2024 02:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe
Size

850KB
MD5

30bb2523df5773ef3f8136376d2606a9
SHA1

1d1751705d24c3ada623edf6e4a9db4799ff56bd
SHA256

bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c
SHA512

cb939b117c7275e1077bb2c151db882828dbf6200f1c93edca1a2c1084ba2cf88ab9dd0552f3f8af9495c1371e6dfadf27b62c8c33a2713cf24837d692f66959
SSDEEP

12288:RozGdX0M4ornOI7ZIzfMwHHQmRROXKuHc1wClr94a7U/VrnkHNjD53NtwH1YKj4n:R4GHnJIzOaIc+Qx4awNyNFsbZrEH7pN

Score

10^/10

floxif backdoor discovery trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral2/files/0x0008000000023caa-2.dat	floxif

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0008000000023caa-2.dat	acprotect

Loads dropped DLL 1 IoCs

pid	Process
1832	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/1832-49-0x0000000000D60000-0x0000000000F10000-memory.dmp	autoit_exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1832-0-0x0000000000D60000-0x0000000000F10000-memory.dmp	upx
behavioral2/files/0x0008000000023caa-2.dat	upx
behavioral2/memory/1832-4-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1832-49-0x0000000000D60000-0x0000000000F10000-memory.dmp	upx
behavioral2/memory/1832-50-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1832-52-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1832-58-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1832-64-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1832-66-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1832-77-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1832-79-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1832-85-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskpart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskpart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskpart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskpart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskpart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskpart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1832	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe
1832	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe
1832	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe
1832	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe
1832	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe
1832	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe
1832	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe
1832	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe
1832	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe
1832	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe
1832	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe
1832	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1832	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1832	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 1980	1832	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	83
PID 1832 wrote to memory of 1980	1832	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	83
PID 1832 wrote to memory of 1980	1832	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	83
PID 1980 wrote to memory of 3792	1980	cmd.exe	85
PID 1980 wrote to memory of 3792	1980	cmd.exe	85
PID 1980 wrote to memory of 3792	1980	cmd.exe	85
PID 1832 wrote to memory of 720	1832	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	89
PID 1832 wrote to memory of 720	1832	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	89
PID 1832 wrote to memory of 720	1832	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	89
PID 720 wrote to memory of 1688	720	cmd.exe	91
PID 720 wrote to memory of 1688	720	cmd.exe	91
PID 720 wrote to memory of 1688	720	cmd.exe	91
PID 1832 wrote to memory of 3824	1832	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	92
PID 1832 wrote to memory of 3824	1832	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	92
PID 1832 wrote to memory of 3824	1832	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	92
PID 3824 wrote to memory of 4276	3824	cmd.exe	94
PID 3824 wrote to memory of 4276	3824	cmd.exe	94
PID 3824 wrote to memory of 4276	3824	cmd.exe	94
PID 1832 wrote to memory of 2880	1832	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	95
PID 1832 wrote to memory of 2880	1832	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	95
PID 1832 wrote to memory of 2880	1832	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	95
PID 2880 wrote to memory of 2204	2880	cmd.exe	97
PID 2880 wrote to memory of 2204	2880	cmd.exe	97
PID 2880 wrote to memory of 2204	2880	cmd.exe	97
PID 1832 wrote to memory of 2216	1832	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	98
PID 1832 wrote to memory of 2216	1832	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	98
PID 1832 wrote to memory of 2216	1832	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	98
PID 2216 wrote to memory of 3864	2216	cmd.exe	100
PID 2216 wrote to memory of 3864	2216	cmd.exe	100
PID 2216 wrote to memory of 3864	2216	cmd.exe	100
PID 1832 wrote to memory of 4404	1832	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	101
PID 1832 wrote to memory of 4404	1832	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	101
PID 1832 wrote to memory of 4404	1832	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	101
PID 4404 wrote to memory of 4128	4404	cmd.exe	103
PID 4404 wrote to memory of 4128	4404	cmd.exe	103
PID 4404 wrote to memory of 4128	4404	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe
"C:\Users\Admin\AppData\Local\Temp\bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c diskpart /s C:\Users\Admin\AppData\Local\Temp\partition.txt > C:\Users\Admin\AppData\Local\Temp\partitionrst.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\SysWOW64\diskpart.exe
    diskpart /s C:\Users\Admin\AppData\Local\Temp\partition.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c diskpart /s C:\Users\Admin\AppData\Local\Temp\diskmodel.txt > C:\Users\Admin\AppData\Local\Temp\partitionrst.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:720
- - C:\Windows\SysWOW64\diskpart.exe
    diskpart /s C:\Users\Admin\AppData\Local\Temp\diskmodel.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c diskpart /s C:\Users\Admin\AppData\Local\Temp\partition.txt > C:\Users\Admin\AppData\Local\Temp\partitionrst.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3824
- - C:\Windows\SysWOW64\diskpart.exe
    diskpart /s C:\Users\Admin\AppData\Local\Temp\partition.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4276
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c diskpart /s C:\Users\Admin\AppData\Local\Temp\partition.txt > C:\Users\Admin\AppData\Local\Temp\partitionrst.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\SysWOW64\diskpart.exe
    diskpart /s C:\Users\Admin\AppData\Local\Temp\partition.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2204
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c diskpart /s C:\Users\Admin\AppData\Local\Temp\partition.txt > C:\Users\Admin\AppData\Local\Temp\partitionrst.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\SysWOW64\diskpart.exe
    diskpart /s C:\Users\Admin\AppData\Local\Temp\partition.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c diskpart /s C:\Users\Admin\AppData\Local\Temp\partition.txt > C:\Users\Admin\AppData\Local\Temp\partitionrst.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4404
- - C:\Windows\SysWOW64\diskpart.exe
    diskpart /s C:\Users\Admin\AppData\Local\Temp\partition.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4128

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1076

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Program Files\Common Files\System\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\diskmodel.txt

Filesize
25B

MD5
67661bfae3e5d5e2814f38c791ae1f13

SHA1
af63858cf1bacaac1742d04f97df4c3b94964e5f

SHA256
00dd94ce409aa21164cfb080cdc5c467961622e32d0c7f76662343986306e121

SHA512
6f16d35cb79de125b159a35417328878cd89ac03910ef843051191235a6eacaf0723264ecaf485233acd5de6e30b4975c200ef6bd66121d24ec8bf335ff8541e

Download Submit
C:\Users\Admin\AppData\Local\Temp\partition.txt

Filesize
11B

MD5
66e1cfbc5c9185251ff5a869d5b1a545

SHA1
94b1a6e9b6be538f595f9049365604dc45af9bda

SHA256
9644150875d4825f8e823f22c4103115ed26e8fecc1c1bf54da77f976d6eda44

SHA512
137197e17a26df0dec8dd1cb15e7a723b8e74cc888912820dc6dac518a0c4becc277d67c5e2c069d5dd9ea1e33f1970080a717fca63697483d1795d988d4554f

Download Submit
C:\Users\Admin\AppData\Local\Temp\partition.txt

Filesize
23B

MD5
453aef926ff583c0fc9b312bc5b35f66

SHA1
f064d1f2be70b82372f8a52c69cc77640244a864

SHA256
745b113174ac67f569e26f49af7dc3fd7e07e899ddf96e67ad6234cde48dc6b6

SHA512
b3d628dd300b8df01bf8eb5326b88cb44e775843478d5184d16e3a1cb8161acdc9413d529bb82137982f0cbffb18c9809716ea8c99e761679c9268a8851c4da4

Download Submit
C:\Users\Admin\AppData\Local\Temp\partition.txt

Filesize
37B

MD5
ffc02845d569af860d1d780e3bc38731

SHA1
b6dc16900c792459aa2076dd8dcdf9df661b7f39

SHA256
20d30c299e8c3aa726ec7b443fdc4ce66e3e8d8463edea66152a01fbc1230007

SHA512
3f116546be42ef8b8f4d5920ba7ebe16695ba18e262b0ae5b25086627bab98d84b1b24a7814f2ecb239a8ec888636a130a23c20b9dfdbd23ee53c22d43005c38

Download Submit
C:\Users\Admin\AppData\Local\Temp\partition.txt

Filesize
37B

MD5
ce86c4bdff08645eddd8b3b772280d41

SHA1
7010922686a15c50da321d57320ef12cfadcaf66

SHA256
1da128599ccc603e48bd67148caf46709ed34f236571f787b563a759c8a70a92

SHA512
a7bef53e198dc87d4ebb97c312b8182f3c82afaa99c81c886cec269e2f1ef89d097003976016cef76c1979e416243485ae32389eafb6b21c56ba2b9a4d018654

Download Submit
C:\Users\Admin\AppData\Local\Temp\partition.txt

Filesize
37B

MD5
1317542fff4436205b703a647bb91264

SHA1
6f89fe2bfbbec0641d9253aae640ebe61f35a12f

SHA256
a444d333d4bdb896445a988019c2c4e80d9882d44177ebb836cb6ee757943e71

SHA512
af57bd5ced7df601c341148b2eea32e761f99fd8b3457e3b02313f20c49d97a4d29481ff7f83fe087321ceb27d6e784ecbcfca687af06e70cb9d96abdd56c509

Download Submit
C:\Users\Admin\AppData\Local\Temp\partitionrst.txt

Filesize
274B

MD5
4fc63cab473e7936980be8d15f3323d8

SHA1
9422ed2b3762d6dd68fd23f1353d889447c016f1

SHA256
c3adb067976f478de74dbb3d3c195914ca481827bd84e6a4944a91ed13fe3d04

SHA512
195330b3af9b10e3ebc3836b3a930e015e6fb904dcadbd043038bb3d97f6f23d583a43f4feb1f234b84ce6e9d5d11c1c931a4cd6c7d6c43273611100d74219e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\partitionrst.txt

Filesize
867B

MD5
342cb3758c9ff68b6dcafa4183ee237a

SHA1
3b97ad8817a973a4ea310ef70ce2e126ded00cb4

SHA256
9ed741aebe4f2e764c820e3e24756f5308987c3782bfeba1b6e7c82c9f3be63c

SHA512
2fbaef34f3d80d75e05ba42f3ed055807489e8aab6877ed3ce4f849bebbb17dcc390e33a82cb35ff21d404750b12f70a0af882a851981f8ff7e223e9bbcfe8ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\partitionrst.txt

Filesize
410B

MD5
1db117e02118c5df9b5b6aae8a1aef6c

SHA1
5d7bc59437aca8be9b26a6707dc81764126e90be

SHA256
490b706eb987c24bc2955b9f9487fb9cde1ea8f2272959c4f7617016f22d7a72

SHA512
ad10d0710679249013a24eea8feb4ea3f23f885b5fb61dc989420f2583cfeb17dceb1625c120a5b91d14bb3d2cf4a7830bb752699606358863b882f5bc3b822b

Download Submit
C:\Users\Admin\AppData\Local\Temp\partitionrst.txt

Filesize
509B

MD5
4fc7a3a821aaf977c062dd8abf2554d7

SHA1
ed7235de9ac50a8c5a56dc0b9fc47f2c68742349

SHA256
f56b6acd327df2716b911b838e9cd9f570350770289a619a7a39d7f9a8943cfb

SHA512
e4ee2182047b9825f5afe6d75a09c7d5e9eb09c076ab9c10f5225a76bbf49491dc1e27e1d45da7b30d8cc418e41c47e1e1f497e1079a7a801bb68b194da9c4b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\partitionrst.txt

Filesize
510B

MD5
0bcf9d12569cabdb0aef45d6a4091022

SHA1
d44e0945c0da489800f6747c27fb444a41cf09fa

SHA256
e6a260b56f4a0cad29551a30db3bd5128e219c2e5747389d96911e164b209c4b

SHA512
7ef07b47f4c2c3c46a5566d569cce5eeb52d4903d4b96d059c6d0f144cf62223e5025d8f7c1f2074f42e0105e5055f7b8022f267006a0d4798d42f6e98849d28

Download Submit
C:\Users\Admin\AppData\Local\Temp\partitionrst.txt

Filesize
513B

MD5
7764f0346f86cd9f4aa6042733297f9e

SHA1
45fadc6b2545f61a950f8d68747bd776fcffc3ad

SHA256
f30e31e66cd25e4b0bb28390c49488a65f768545ec7f83bcc4f08365f2274beb

SHA512
6bae2f4c17a61cac688fbac6819f78980cb60417d12d09264585112f5c5dba0ec477eb02ab59c9a9cd297f302fccc1b4eeef3e9b1b35ed9d1f139c636f0d0b91

Download Submit
memory/1832-0-0x0000000000D60000-0x0000000000F10000-memory.dmp

Filesize
1.7MB

Download
memory/1832-6-0x0000000000EA3000-0x0000000000EA4000-memory.dmp

Filesize
4KB

Download
memory/1832-49-0x0000000000D60000-0x0000000000F10000-memory.dmp

Filesize
1.7MB

Download
memory/1832-50-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1832-52-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1832-58-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1832-4-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1832-64-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1832-66-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1832-77-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1832-79-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1832-85-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download