floxif | bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c

Analysis

max time kernel
145s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-12-2024 02:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe
Size

850KB
MD5

30bb2523df5773ef3f8136376d2606a9
SHA1

1d1751705d24c3ada623edf6e4a9db4799ff56bd
SHA256

bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c
SHA512

cb939b117c7275e1077bb2c151db882828dbf6200f1c93edca1a2c1084ba2cf88ab9dd0552f3f8af9495c1371e6dfadf27b62c8c33a2713cf24837d692f66959
SSDEEP

12288:RozGdX0M4ornOI7ZIzfMwHHQmRROXKuHc1wClr94a7U/VrnkHNjD53NtwH1YKj4n:R4GHnJIzOaIc+Qx4awNyNFsbZrEH7pN

Score

10^/10

floxif backdoor discovery trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x00080000000120f4-1.dat	floxif

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00080000000120f4-1.dat	acprotect

Loads dropped DLL 1 IoCs

pid	Process
2084	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2084-47-0x0000000000FA0000-0x0000000001150000-memory.dmp	autoit_exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2084-4-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2084-3-0x0000000000FA0000-0x0000000001150000-memory.dmp	upx
behavioral1/files/0x00080000000120f4-1.dat	upx
behavioral1/memory/2084-47-0x0000000000FA0000-0x0000000001150000-memory.dmp	upx
behavioral1/memory/2084-48-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2084-50-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2084-54-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2084-58-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2084-62-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2084-66-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2084-70-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2084-74-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2084-80-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskpart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskpart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskpart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskpart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskpart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskpart.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2084	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe
2084	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe
2084	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe
2084	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe
2084	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2084	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2084	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 1620	2084	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	30
PID 2084 wrote to memory of 1620	2084	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	30
PID 2084 wrote to memory of 1620	2084	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	30
PID 2084 wrote to memory of 1620	2084	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	30
PID 1620 wrote to memory of 2984	1620	cmd.exe	32
PID 1620 wrote to memory of 2984	1620	cmd.exe	32
PID 1620 wrote to memory of 2984	1620	cmd.exe	32
PID 1620 wrote to memory of 2984	1620	cmd.exe	32
PID 2084 wrote to memory of 2884	2084	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	35
PID 2084 wrote to memory of 2884	2084	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	35
PID 2084 wrote to memory of 2884	2084	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	35
PID 2084 wrote to memory of 2884	2084	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	35
PID 2884 wrote to memory of 2580	2884	cmd.exe	37
PID 2884 wrote to memory of 2580	2884	cmd.exe	37
PID 2884 wrote to memory of 2580	2884	cmd.exe	37
PID 2884 wrote to memory of 2580	2884	cmd.exe	37
PID 2084 wrote to memory of 2292	2084	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	38
PID 2084 wrote to memory of 2292	2084	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	38
PID 2084 wrote to memory of 2292	2084	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	38
PID 2084 wrote to memory of 2292	2084	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	38
PID 2292 wrote to memory of 2200	2292	cmd.exe	40
PID 2292 wrote to memory of 2200	2292	cmd.exe	40
PID 2292 wrote to memory of 2200	2292	cmd.exe	40
PID 2292 wrote to memory of 2200	2292	cmd.exe	40
PID 2084 wrote to memory of 1664	2084	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	41
PID 2084 wrote to memory of 1664	2084	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	41
PID 2084 wrote to memory of 1664	2084	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	41
PID 2084 wrote to memory of 1664	2084	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	41
PID 1664 wrote to memory of 1320	1664	cmd.exe	43
PID 1664 wrote to memory of 1320	1664	cmd.exe	43
PID 1664 wrote to memory of 1320	1664	cmd.exe	43
PID 1664 wrote to memory of 1320	1664	cmd.exe	43
PID 2084 wrote to memory of 304	2084	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	44
PID 2084 wrote to memory of 304	2084	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	44
PID 2084 wrote to memory of 304	2084	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	44
PID 2084 wrote to memory of 304	2084	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	44
PID 304 wrote to memory of 2420	304	cmd.exe	46
PID 304 wrote to memory of 2420	304	cmd.exe	46
PID 304 wrote to memory of 2420	304	cmd.exe	46
PID 304 wrote to memory of 2420	304	cmd.exe	46
PID 2084 wrote to memory of 1020	2084	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	47
PID 2084 wrote to memory of 1020	2084	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	47
PID 2084 wrote to memory of 1020	2084	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	47
PID 2084 wrote to memory of 1020	2084	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	47
PID 1020 wrote to memory of 1660	1020	cmd.exe	49
PID 1020 wrote to memory of 1660	1020	cmd.exe	49
PID 1020 wrote to memory of 1660	1020	cmd.exe	49
PID 1020 wrote to memory of 1660	1020	cmd.exe	49

C:\Users\Admin\AppData\Local\Temp\bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe
"C:\Users\Admin\AppData\Local\Temp\bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c diskpart /s C:\Users\Admin\AppData\Local\Temp\partition.txt > C:\Users\Admin\AppData\Local\Temp\partitionrst.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\SysWOW64\diskpart.exe
    diskpart /s C:\Users\Admin\AppData\Local\Temp\partition.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c diskpart /s C:\Users\Admin\AppData\Local\Temp\diskmodel.txt > C:\Users\Admin\AppData\Local\Temp\partitionrst.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\SysWOW64\diskpart.exe
    diskpart /s C:\Users\Admin\AppData\Local\Temp\diskmodel.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c diskpart /s C:\Users\Admin\AppData\Local\Temp\partition.txt > C:\Users\Admin\AppData\Local\Temp\partitionrst.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Windows\SysWOW64\diskpart.exe
    diskpart /s C:\Users\Admin\AppData\Local\Temp\partition.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2200
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c diskpart /s C:\Users\Admin\AppData\Local\Temp\partition.txt > C:\Users\Admin\AppData\Local\Temp\partitionrst.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\SysWOW64\diskpart.exe
    diskpart /s C:\Users\Admin\AppData\Local\Temp\partition.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c diskpart /s C:\Users\Admin\AppData\Local\Temp\partition.txt > C:\Users\Admin\AppData\Local\Temp\partitionrst.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:304
- - C:\Windows\SysWOW64\diskpart.exe
    diskpart /s C:\Users\Admin\AppData\Local\Temp\partition.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c diskpart /s C:\Users\Admin\AppData\Local\Temp\partition.txt > C:\Users\Admin\AppData\Local\Temp\partitionrst.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1020
- - C:\Windows\SysWOW64\diskpart.exe
    diskpart /s C:\Users\Admin\AppData\Local\Temp\partition.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1660

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2176

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\diskmodel.txt

Filesize
25B

MD5
67661bfae3e5d5e2814f38c791ae1f13

SHA1
af63858cf1bacaac1742d04f97df4c3b94964e5f

SHA256
00dd94ce409aa21164cfb080cdc5c467961622e32d0c7f76662343986306e121

SHA512
6f16d35cb79de125b159a35417328878cd89ac03910ef843051191235a6eacaf0723264ecaf485233acd5de6e30b4975c200ef6bd66121d24ec8bf335ff8541e

Download Submit
C:\Users\Admin\AppData\Local\Temp\partition.txt

Filesize
11B

MD5
66e1cfbc5c9185251ff5a869d5b1a545

SHA1
94b1a6e9b6be538f595f9049365604dc45af9bda

SHA256
9644150875d4825f8e823f22c4103115ed26e8fecc1c1bf54da77f976d6eda44

SHA512
137197e17a26df0dec8dd1cb15e7a723b8e74cc888912820dc6dac518a0c4becc277d67c5e2c069d5dd9ea1e33f1970080a717fca63697483d1795d988d4554f

Download Submit
C:\Users\Admin\AppData\Local\Temp\partition.txt

Filesize
23B

MD5
453aef926ff583c0fc9b312bc5b35f66

SHA1
f064d1f2be70b82372f8a52c69cc77640244a864

SHA256
745b113174ac67f569e26f49af7dc3fd7e07e899ddf96e67ad6234cde48dc6b6

SHA512
b3d628dd300b8df01bf8eb5326b88cb44e775843478d5184d16e3a1cb8161acdc9413d529bb82137982f0cbffb18c9809716ea8c99e761679c9268a8851c4da4

Download Submit
C:\Users\Admin\AppData\Local\Temp\partition.txt

Filesize
37B

MD5
ffc02845d569af860d1d780e3bc38731

SHA1
b6dc16900c792459aa2076dd8dcdf9df661b7f39

SHA256
20d30c299e8c3aa726ec7b443fdc4ce66e3e8d8463edea66152a01fbc1230007

SHA512
3f116546be42ef8b8f4d5920ba7ebe16695ba18e262b0ae5b25086627bab98d84b1b24a7814f2ecb239a8ec888636a130a23c20b9dfdbd23ee53c22d43005c38

Download Submit
C:\Users\Admin\AppData\Local\Temp\partition.txt

Filesize
37B

MD5
ce86c4bdff08645eddd8b3b772280d41

SHA1
7010922686a15c50da321d57320ef12cfadcaf66

SHA256
1da128599ccc603e48bd67148caf46709ed34f236571f787b563a759c8a70a92

SHA512
a7bef53e198dc87d4ebb97c312b8182f3c82afaa99c81c886cec269e2f1ef89d097003976016cef76c1979e416243485ae32389eafb6b21c56ba2b9a4d018654

Download Submit
C:\Users\Admin\AppData\Local\Temp\partition.txt

Filesize
37B

MD5
1317542fff4436205b703a647bb91264

SHA1
6f89fe2bfbbec0641d9253aae640ebe61f35a12f

SHA256
a444d333d4bdb896445a988019c2c4e80d9882d44177ebb836cb6ee757943e71

SHA512
af57bd5ced7df601c341148b2eea32e761f99fd8b3457e3b02313f20c49d97a4d29481ff7f83fe087321ceb27d6e784ecbcfca687af06e70cb9d96abdd56c509

Download Submit
C:\Users\Admin\AppData\Local\Temp\partitionrst.txt

Filesize
276B

MD5
16925b93c1d2573d40a6f4ea6b686927

SHA1
a2a68a28fae282f49419356fc5d078c403276938

SHA256
4e890b0feedf6970b768f2922b5b305a7031d5cb075398c318d1f3a0833edb4d

SHA512
b157f35575a126e67cb9b1fa97a7a8405bed3ae4959ff99af586e8313c870f9c3e46481a39f50c60e0846b95750545c5d3da913976c8b9f86114cd7df70ad221

Download Submit
C:\Users\Admin\AppData\Local\Temp\partitionrst.txt

Filesize
880B

MD5
e40ce8bc98f77d519f84fa5255dd58a2

SHA1
1b1a331806da992b95c9211ae0525eb085936064

SHA256
a3ebbf67a2e21419b4ba757921971ce3bd2c38dcb18efc1846cdd64549e7407d

SHA512
80a7ed79c0f123ad81076db012b9f6036029a7c3aebe1979a3b09dacfa5c6dea90a217c9afa1f6f6cb161bb68f639188766c232e23c8c7c644fa843dd294b27f

Download Submit
C:\Users\Admin\AppData\Local\Temp\partitionrst.txt

Filesize
412B

MD5
b57cbe3a7abcf4eb009742c2b89adffe

SHA1
4e335250365cec5d6ce91518f439eaac25f0bb7a

SHA256
4d0597aea252e9328b8c23d34d719a3b627e086e9746b7276994fb1ea0cdcacb

SHA512
1df2d61be9df9ef629c890fcf5f031798be7a9fb6b5e4a6064717f9f92187b44c7b1e2ed24fe47b3e0b6a6966a1f13bbbdb55808c66180b6a13224b1a76953a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\partitionrst.txt

Filesize
512B

MD5
3a283737b60dbd3127d565ae5e5b222d

SHA1
7517954b40746f17f9457d15bc0552258c460f2e

SHA256
01c582f56d685d4548dda54eec95d58c49710ad844fdc6e035992f259a22375e

SHA512
76854e02a6afa04d8b38a21deced4fa9a70ab930d69897c7f7f4dc87caef4729b3bcd8ef6db1079973c37571a98dad851771ca417cff20fce907d56245781a56

Download Submit
C:\Users\Admin\AppData\Local\Temp\partitionrst.txt

Filesize
512B

MD5
e62c4139b0e86f38232169e8abbc1e5e

SHA1
23d19c597f3772c41c9ac17fba4625f9e906d794

SHA256
89e3606cf8124ca2d3290ea8e9507702859b0873483d9b81a5cbe0d48623398e

SHA512
99d7b911cf70782c678f6a48579a0c75baafde3f6dd12a35da4d50921a44976e5b93a95b9149cdcf9c6ac7170592a474dc4352e8d5f5fb56382734bcc5451aad

Download Submit
C:\Users\Admin\AppData\Local\Temp\partitionrst.txt

Filesize
515B

MD5
bade703257693ba37264872be16e2bd7

SHA1
621f074fd7cb01b16f3a2e9b40b3629778f2a9f1

SHA256
9ab236a35dd5f7dcd9e2f4ab2922c98558e4553c8215f0a76e37a0fb22f315de

SHA512
29a0d8f415e56428ce779df172e767a76d34684c198517e5f8705f8c342c3beb7e63f7b003cb35e84e47c89aefe0c51994c2e3736eddc0122e98a6b44603d296

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
memory/2084-47-0x0000000000FA0000-0x0000000001150000-memory.dmp

Filesize
1.7MB

Download
memory/2084-4-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2084-6-0x00000000010E3000-0x00000000010E4000-memory.dmp

Filesize
4KB

Download
memory/2084-48-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2084-50-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2084-54-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2084-58-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2084-62-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2084-3-0x0000000000FA0000-0x0000000001150000-memory.dmp

Filesize
1.7MB

Download
memory/2084-66-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2084-70-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2084-74-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2084-80-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download