floxif | bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-12-2024 02:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe
Size

850KB
MD5

30bb2523df5773ef3f8136376d2606a9
SHA1

1d1751705d24c3ada623edf6e4a9db4799ff56bd
SHA256

bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c
SHA512

cb939b117c7275e1077bb2c151db882828dbf6200f1c93edca1a2c1084ba2cf88ab9dd0552f3f8af9495c1371e6dfadf27b62c8c33a2713cf24837d692f66959
SSDEEP

12288:RozGdX0M4ornOI7ZIzfMwHHQmRROXKuHc1wClr94a7U/VrnkHNjD53NtwH1YKj4n:R4GHnJIzOaIc+Qx4awNyNFsbZrEH7pN

Score

10^/10

floxif backdoor discovery trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral2/files/0x000a000000023c12-2.dat	floxif

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000a000000023c12-2.dat	acprotect

Loads dropped DLL 1 IoCs

pid	Process
2060	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/2060-49-0x0000000000240000-0x00000000003F0000-memory.dmp	autoit_exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2060-0-0x0000000000240000-0x00000000003F0000-memory.dmp	upx
behavioral2/files/0x000a000000023c12-2.dat	upx
behavioral2/memory/2060-4-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/2060-49-0x0000000000240000-0x00000000003F0000-memory.dmp	upx
behavioral2/memory/2060-50-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/2060-60-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/2060-64-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/2060-66-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/2060-77-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/2060-85-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskpart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskpart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskpart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskpart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskpart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskpart.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2060	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe
2060	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe
2060	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe
2060	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe
2060	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe
2060	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe
2060	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe
2060	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe
2060	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe
2060	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe
2060	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe
2060	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2060	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2060	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2432	2060	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	82
PID 2060 wrote to memory of 2432	2060	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	82
PID 2060 wrote to memory of 2432	2060	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	82
PID 2432 wrote to memory of 3944	2432	cmd.exe	84
PID 2432 wrote to memory of 3944	2432	cmd.exe	84
PID 2432 wrote to memory of 3944	2432	cmd.exe	84
PID 2060 wrote to memory of 1356	2060	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	88
PID 2060 wrote to memory of 1356	2060	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	88
PID 2060 wrote to memory of 1356	2060	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	88
PID 1356 wrote to memory of 3256	1356	cmd.exe	90
PID 1356 wrote to memory of 3256	1356	cmd.exe	90
PID 1356 wrote to memory of 3256	1356	cmd.exe	90
PID 2060 wrote to memory of 3956	2060	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	91
PID 2060 wrote to memory of 3956	2060	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	91
PID 2060 wrote to memory of 3956	2060	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	91
PID 3956 wrote to memory of 1856	3956	cmd.exe	93
PID 3956 wrote to memory of 1856	3956	cmd.exe	93
PID 3956 wrote to memory of 1856	3956	cmd.exe	93
PID 2060 wrote to memory of 1448	2060	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	94
PID 2060 wrote to memory of 1448	2060	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	94
PID 2060 wrote to memory of 1448	2060	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	94
PID 1448 wrote to memory of 4044	1448	cmd.exe	96
PID 1448 wrote to memory of 4044	1448	cmd.exe	96
PID 1448 wrote to memory of 4044	1448	cmd.exe	96
PID 2060 wrote to memory of 1492	2060	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	97
PID 2060 wrote to memory of 1492	2060	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	97
PID 2060 wrote to memory of 1492	2060	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	97
PID 1492 wrote to memory of 4292	1492	cmd.exe	99
PID 1492 wrote to memory of 4292	1492	cmd.exe	99
PID 1492 wrote to memory of 4292	1492	cmd.exe	99
PID 2060 wrote to memory of 5076	2060	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	100
PID 2060 wrote to memory of 5076	2060	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	100
PID 2060 wrote to memory of 5076	2060	bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe	100
PID 5076 wrote to memory of 4648	5076	cmd.exe	102
PID 5076 wrote to memory of 4648	5076	cmd.exe	102
PID 5076 wrote to memory of 4648	5076	cmd.exe	102

C:\Users\Admin\AppData\Local\Temp\bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe
"C:\Users\Admin\AppData\Local\Temp\bf0c5ea8ec6aad054637d088c52912b54e1c65ae3429d41122f0eb7b3b93aa2c.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c diskpart /s C:\Users\Admin\AppData\Local\Temp\partition.txt > C:\Users\Admin\AppData\Local\Temp\partitionrst.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Windows\SysWOW64\diskpart.exe
    diskpart /s C:\Users\Admin\AppData\Local\Temp\partition.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c diskpart /s C:\Users\Admin\AppData\Local\Temp\diskmodel.txt > C:\Users\Admin\AppData\Local\Temp\partitionrst.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Windows\SysWOW64\diskpart.exe
    diskpart /s C:\Users\Admin\AppData\Local\Temp\diskmodel.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3256
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c diskpart /s C:\Users\Admin\AppData\Local\Temp\partition.txt > C:\Users\Admin\AppData\Local\Temp\partitionrst.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3956
- - C:\Windows\SysWOW64\diskpart.exe
    diskpart /s C:\Users\Admin\AppData\Local\Temp\partition.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c diskpart /s C:\Users\Admin\AppData\Local\Temp\partition.txt > C:\Users\Admin\AppData\Local\Temp\partitionrst.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Windows\SysWOW64\diskpart.exe
    diskpart /s C:\Users\Admin\AppData\Local\Temp\partition.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c diskpart /s C:\Users\Admin\AppData\Local\Temp\partition.txt > C:\Users\Admin\AppData\Local\Temp\partitionrst.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Windows\SysWOW64\diskpart.exe
    diskpart /s C:\Users\Admin\AppData\Local\Temp\partition.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4292
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c diskpart /s C:\Users\Admin\AppData\Local\Temp\partition.txt > C:\Users\Admin\AppData\Local\Temp\partitionrst.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\Windows\SysWOW64\diskpart.exe
    diskpart /s C:\Users\Admin\AppData\Local\Temp\partition.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4648

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2268

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Program Files\Common Files\System\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\diskmodel.txt

Filesize
25B

MD5
67661bfae3e5d5e2814f38c791ae1f13

SHA1
af63858cf1bacaac1742d04f97df4c3b94964e5f

SHA256
00dd94ce409aa21164cfb080cdc5c467961622e32d0c7f76662343986306e121

SHA512
6f16d35cb79de125b159a35417328878cd89ac03910ef843051191235a6eacaf0723264ecaf485233acd5de6e30b4975c200ef6bd66121d24ec8bf335ff8541e

Download Submit
C:\Users\Admin\AppData\Local\Temp\partition.txt

Filesize
11B

MD5
66e1cfbc5c9185251ff5a869d5b1a545

SHA1
94b1a6e9b6be538f595f9049365604dc45af9bda

SHA256
9644150875d4825f8e823f22c4103115ed26e8fecc1c1bf54da77f976d6eda44

SHA512
137197e17a26df0dec8dd1cb15e7a723b8e74cc888912820dc6dac518a0c4becc277d67c5e2c069d5dd9ea1e33f1970080a717fca63697483d1795d988d4554f

Download Submit
C:\Users\Admin\AppData\Local\Temp\partition.txt

Filesize
23B

MD5
453aef926ff583c0fc9b312bc5b35f66

SHA1
f064d1f2be70b82372f8a52c69cc77640244a864

SHA256
745b113174ac67f569e26f49af7dc3fd7e07e899ddf96e67ad6234cde48dc6b6

SHA512
b3d628dd300b8df01bf8eb5326b88cb44e775843478d5184d16e3a1cb8161acdc9413d529bb82137982f0cbffb18c9809716ea8c99e761679c9268a8851c4da4

Download Submit
C:\Users\Admin\AppData\Local\Temp\partition.txt

Filesize
37B

MD5
ffc02845d569af860d1d780e3bc38731

SHA1
b6dc16900c792459aa2076dd8dcdf9df661b7f39

SHA256
20d30c299e8c3aa726ec7b443fdc4ce66e3e8d8463edea66152a01fbc1230007

SHA512
3f116546be42ef8b8f4d5920ba7ebe16695ba18e262b0ae5b25086627bab98d84b1b24a7814f2ecb239a8ec888636a130a23c20b9dfdbd23ee53c22d43005c38

Download Submit
C:\Users\Admin\AppData\Local\Temp\partition.txt

Filesize
37B

MD5
ce86c4bdff08645eddd8b3b772280d41

SHA1
7010922686a15c50da321d57320ef12cfadcaf66

SHA256
1da128599ccc603e48bd67148caf46709ed34f236571f787b563a759c8a70a92

SHA512
a7bef53e198dc87d4ebb97c312b8182f3c82afaa99c81c886cec269e2f1ef89d097003976016cef76c1979e416243485ae32389eafb6b21c56ba2b9a4d018654

Download Submit
C:\Users\Admin\AppData\Local\Temp\partition.txt

Filesize
37B

MD5
1317542fff4436205b703a647bb91264

SHA1
6f89fe2bfbbec0641d9253aae640ebe61f35a12f

SHA256
a444d333d4bdb896445a988019c2c4e80d9882d44177ebb836cb6ee757943e71

SHA512
af57bd5ced7df601c341148b2eea32e761f99fd8b3457e3b02313f20c49d97a4d29481ff7f83fe087321ceb27d6e784ecbcfca687af06e70cb9d96abdd56c509

Download Submit
C:\Users\Admin\AppData\Local\Temp\partitionrst.txt

Filesize
274B

MD5
ae43787dcb4fbb03103faa7d2f93820c

SHA1
5aa415ad6a0c8ba3c5c4ef47350a351a76e76022

SHA256
3deeb3ba0e46cf2b7a3855aaa5dd9c81ffecdb1ee26e9cd177f213af100aa363

SHA512
dbcc71c1c2e52eff666327a080acd2ccbd9e7015d00ef6642904506774b92ba414a66e10567868cdea130be77112c7ad2ba9d892cdfcce0c1d4a67b0efdaba36

Download Submit
C:\Users\Admin\AppData\Local\Temp\partitionrst.txt

Filesize
867B

MD5
94c9daf1856d7a2cce933a9d0406f9f2

SHA1
0b13859cdb18a8458f416fc0793e11e6a745224d

SHA256
ec7338280fb3aa211a3dfaab6330c3a76d4a76514b9ddea4fc6c76058d9a9218

SHA512
b7a99ad18068adaf2a7482416cade9cd66899f92851894938161272d91e3d1a0e1598f4a3a7c5367e80aea4596c29cef3352aab7a57980f5f84c7de6664cd9fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\partitionrst.txt

Filesize
410B

MD5
873286f338bb0332df4994a89f73b0d7

SHA1
cfc685b8678ea3438a41b6b5ed6b683cc5d01d71

SHA256
70a5fd51ff57c055a92dd3d85b2020abfdd79157a9236d15e93b06bdc0b445f6

SHA512
1c2c113894cab0f03170c02d3dab2e290be387881e89208226d1260b5b28163eaeb85c283612c2c55f23d060fbf1a020ff19d9eacafd53018b950b3df45fc68a

Download Submit
C:\Users\Admin\AppData\Local\Temp\partitionrst.txt

Filesize
509B

MD5
e00d29eb1d09b6744f9352ab354388e0

SHA1
0db4151cd06fc7684d198f8847b08f70c9e5c6b2

SHA256
c54b40c3756104dd1c67c18cd7beb2645089e683f741cebf005b869e926c782e

SHA512
d225abca5b6815fb9c002099ce83e7bfe749c988b59e6c937993b81e6cc34ee1c4e6e96515af6e7ad6fc9cabcecd190eb5eec1de4a2e252b2bb3bb4b181d9252

Download Submit
C:\Users\Admin\AppData\Local\Temp\partitionrst.txt

Filesize
510B

MD5
71e83e376ac129056bc1732232cb8531

SHA1
054d34ceacd56feb87a227a38dabe394f6f4450b

SHA256
43fa11bd9c16ab70868f65f2e77e16e78d16eab5780af7047d7031636200e118

SHA512
930399baee83363114b7c27f61bae9e30f79f26df0eee93d4c284b4aa0a0e85f30d29a28d3ef547dead1fc851d3e411d11fd6a7eaf2e91d47556af44d0472006

Download Submit
C:\Users\Admin\AppData\Local\Temp\partitionrst.txt

Filesize
513B

MD5
56790440fcf32ed045953c907253d5d8

SHA1
909b2129a1f8f96cf25eddae5a5a21af1a516e46

SHA256
25a0f97a9e95bf315fb90f61cfec9d08da54d08c9806751b8520ecc7f753983d

SHA512
e1e4e50475a9b72e678ab91e470026bfe625ddc54bd0789d6cabdb1c965c42510a1fb903bcfab8256625154da2696557fb08827ed57faa40748a9c2add0d59be

Download Submit
memory/2060-66-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2060-6-0x0000000000383000-0x0000000000384000-memory.dmp

Filesize
4KB

Download
memory/2060-49-0x0000000000240000-0x00000000003F0000-memory.dmp

Filesize
1.7MB

Download
memory/2060-50-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2060-4-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2060-60-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2060-64-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2060-0-0x0000000000240000-0x00000000003F0000-memory.dmp

Filesize
1.7MB

Download
memory/2060-77-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2060-85-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download