floxif | 7ff2c3acbb884ead411c8b9f0df5b0ca5038333bdf872cb37d5e7eec4ac96b6f

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2025, 15:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

The-MALWARE-Repo-master.zip
Size

63.3MB
MD5

59cb533617e10ca74e8735ff41e5b823
SHA1

644468d5d6d8fab98268e219e8f2ce518b655ff4
SHA256

7ff2c3acbb884ead411c8b9f0df5b0ca5038333bdf872cb37d5e7eec4ac96b6f
SHA512

9b7e28bde79886ff479110b43380e73c4d1a95c547947abbb1825ed4f5078d3060a4390bf1dcead1d593abe0c0167c396e0aa47b3231eb577737c8c93efbe50b
SSDEEP

1572864:1bR+Nd33aius1Ckqujkhpgz2L9HBlHYSZ95hPfqL55r/XKAM:1ANl3aFs1C4SA2hlHf9Rfi5xjM

Score

10^/10

floxif backdoor bootkit discovery persistence trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral2/files/0x000900000001db5c-54.dat	floxif

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\spoclsv.exe	Gnil.exe
File created	C:\Windows\SysWOW64\drivers\spoclsv.exe	Gnil.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000900000001db5c-54.dat	acprotect

Drops startup file 10 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.a.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.a.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.exe

Executes dropped EXE 13 IoCs

pid	Process
3320	WinNuke.98.exe
4080	xpaj.exe
2112	Floxif.exe
4676	Gnil.exe
1368	spoclsv.exe
2172	Mabezat.exe
4188	Amus.exe
3656	Anap.a.exe
2540	Axam.a.exe
4900	Axam.exe
4332	Axam.exe
3064	Axam.exe
2184	Axam.exe

Loads dropped DLL 1 IoCs

pid	Process
2112	Floxif.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe"	Axam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe"	Axam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microzoft_Ofiz = "C:\\Windows\\KdzEregli.exe"	Amus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe"	Axam.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe"	Axam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe"	Axam.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	xpaj.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2112-57-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/files/0x000900000001db5c-54.dat	upx
behavioral2/memory/2112-61-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/files/0x0003000000022eb2-212.dat	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\Microsoft.Build.Utilities.v3.5.resources.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\sqmapi.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\d3dcompiler_47.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_nn.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\mip_protection_sdk.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	xpaj.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\AdobeHunspellPlugin.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia100.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\pe.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\playreadycdm.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\WindowsFormsIntegration.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	xpaj.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\System.Speech.resources.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\msxactps.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_eu.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\it\Microsoft.PowerShell.PackageManagement.resources.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ScCore.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Entity.Resources.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\WindowsFormsIntegration.resources.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\Microsoft.PackageManagement.resources.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\onnxruntime.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_ug.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_pt-PT.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\tifffilt.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\icudt.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateSetup.exe	xpaj.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	xpaj.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\WindowsBase.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Conversion.v3.5.resources.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\PresentationBuildTasks.resources.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Microsoft.mshtml.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationProvider.resources.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\libsmartscreen.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\psmachine_64.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_fil.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationClient.resources.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_mr.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\mpvis.DLL	xpaj.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.Speech.resources.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\wab32.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\pwahelper.exe	xpaj.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Royale.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	xpaj.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Services.Design.resources.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\msdaremr.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_gu.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_te.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Microsoft.PackageManagement.ArchiverProviders.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msader15.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\goopdate.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_am.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_ml.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\WMPMediaSharing.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\mshwgst.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	xpaj.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\msdaosp.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_it.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_pt-BR.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\cookie_exporter.exe	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\MicrosoftEdgeUpdate.exe	xpaj.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Services.Client.resources.dll	xpaj.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Ankara.exe	Amus.exe
File opened for modification	C:\Windows\Adapazari.exe	Amus.exe
File opened for modification	C:\Windows\KdzEregli.exe	Amus.exe
File created	C:\Windows\My_Pictures.exe	Amus.exe
File created	C:\Windows\Meydanbasi.exe	Amus.exe
File opened for modification	C:\Windows\Pide.exe	Amus.exe
File opened for modification	C:\Windows\Cekirge.exe	Amus.exe
File created	C:\Windows\KdzEregli.exe	Amus.exe
File created	C:\Windows\Pire.exe	Amus.exe
File created	C:\Windows\Cekirge.exe	Amus.exe
File created	C:\Windows\Adapazari.exe	Amus.exe
File opened for modification	C:\Windows\Anti_Virus.exe	Amus.exe
File created	C:\Windows\Messenger.exe	Amus.exe
File opened for modification	C:\Windows\My_Pictures.exe	Amus.exe
File opened for modification	C:\Windows\Meydanbasi.exe	Amus.exe
File created	C:\Windows\Pide.exe	Amus.exe
File created	C:\Windows\Anti_Virus.exe	Amus.exe
File opened for modification	C:\Windows\Messenger.exe	Amus.exe
File opened for modification	C:\Windows\Pire.exe	Amus.exe
File created	C:\Windows\Ankara.exe	Amus.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3648	2112	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mabezat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anap.a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Axam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Axam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xpaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Floxif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Axam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Axam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinNuke.98.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Axam.a.exe

Modifies registry class 34 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open	Axam.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe \"%1\" %*"	Axam.a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command	Axam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "Spitmaxa"	Axam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe \"%1\" %*"	Axam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\DefaultIcon	Axam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "Spitmaxa"	Axam.a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell	Axam.a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\DefaultIcon	Axam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	Axam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\DefaultIcon\ = "%1"	Axam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	Axam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\DefaultIcon	Axam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "Spitmaxa"	Axam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	Axam.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\DefaultIcon\ = "%1"	Axam.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "Spitmaxa"	Axam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe \"%1\" %*"	Axam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\DefaultIcon\ = "%1"	Axam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe \"%1\" %*"	Axam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command	Axam.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\DefaultIcon\ = "%1"	Axam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command	Axam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\DefaultIcon	Axam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command	Axam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "Spitmaxa"	Axam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa	Axam.a.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	7zFM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	Axam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\DefaultIcon\ = "%1"	Axam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command	Axam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\DefaultIcon	Axam.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe \"%1\" %*"	Axam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	Axam.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4164	7zFM.exe
4164	7zFM.exe
4164	7zFM.exe
4164	7zFM.exe
4676	Gnil.exe
4676	Gnil.exe
4676	Gnil.exe
4676	Gnil.exe
4676	Gnil.exe
4676	Gnil.exe
1368	spoclsv.exe
1368	spoclsv.exe
4164	7zFM.exe
4164	7zFM.exe
4164	7zFM.exe
4164	7zFM.exe
2540	Axam.a.exe
2540	Axam.a.exe
2540	Axam.a.exe
2540	Axam.a.exe
2540	Axam.a.exe
2540	Axam.a.exe
2540	Axam.a.exe
2540	Axam.a.exe
2540	Axam.a.exe
2540	Axam.a.exe
2540	Axam.a.exe
2540	Axam.a.exe
2540	Axam.a.exe
2540	Axam.a.exe
2540	Axam.a.exe
2540	Axam.a.exe
2540	Axam.a.exe
2540	Axam.a.exe
2540	Axam.a.exe
2540	Axam.a.exe
2540	Axam.a.exe
2540	Axam.a.exe
2540	Axam.a.exe
2540	Axam.a.exe
2540	Axam.a.exe
2540	Axam.a.exe
2540	Axam.a.exe
2540	Axam.a.exe
2540	Axam.a.exe
2540	Axam.a.exe
2540	Axam.a.exe
2540	Axam.a.exe
2540	Axam.a.exe
2540	Axam.a.exe
2540	Axam.a.exe
2540	Axam.a.exe
2540	Axam.a.exe
2540	Axam.a.exe
2540	Axam.a.exe
2540	Axam.a.exe
2540	Axam.a.exe
2540	Axam.a.exe
2540	Axam.a.exe
2540	Axam.a.exe
2540	Axam.a.exe
2540	Axam.a.exe
2540	Axam.a.exe
2540	Axam.a.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4164	7zFM.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeRestorePrivilege	4164	7zFM.exe
Token: 35	4164	7zFM.exe
Token: SeSecurityPrivilege	4164	7zFM.exe
Token: SeSecurityPrivilege	4164	7zFM.exe
Token: SeSecurityPrivilege	4164	7zFM.exe
Token: SeSecurityPrivilege	4164	7zFM.exe
Token: SeSecurityPrivilege	4164	7zFM.exe
Token: SeDebugPrivilege	2112	Floxif.exe
Token: SeSecurityPrivilege	4164	7zFM.exe
Token: SeSecurityPrivilege	4164	7zFM.exe
Token: SeSecurityPrivilege	4164	7zFM.exe
Token: 33	4372	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4372	AUDIODG.EXE
Token: SeSecurityPrivilege	4164	7zFM.exe
Token: SeSecurityPrivilege	4164	7zFM.exe
Token: SeSecurityPrivilege	4164	7zFM.exe
Token: SeSecurityPrivilege	4164	7zFM.exe
Token: SeSecurityPrivilege	4164	7zFM.exe
Token: SeSecurityPrivilege	4164	7zFM.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
4164	7zFM.exe
4164	7zFM.exe
4164	7zFM.exe
4164	7zFM.exe
4164	7zFM.exe
4164	7zFM.exe
4164	7zFM.exe
4164	7zFM.exe
4164	7zFM.exe
4164	7zFM.exe
4164	7zFM.exe
4164	7zFM.exe
4164	7zFM.exe
4164	7zFM.exe
4164	7zFM.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
4164	7zFM.exe
4164	7zFM.exe
4080	xpaj.exe
4188	Amus.exe
2540	Axam.a.exe
4900	Axam.exe
4332	Axam.exe
3064	Axam.exe
2184	Axam.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 4164 wrote to memory of 3320	4164	7zFM.exe	91
PID 4164 wrote to memory of 3320	4164	7zFM.exe	91
PID 4164 wrote to memory of 3320	4164	7zFM.exe	91
PID 4164 wrote to memory of 4080	4164	7zFM.exe	93
PID 4164 wrote to memory of 4080	4164	7zFM.exe	93
PID 4164 wrote to memory of 4080	4164	7zFM.exe	93
PID 4164 wrote to memory of 2112	4164	7zFM.exe	94
PID 4164 wrote to memory of 2112	4164	7zFM.exe	94
PID 4164 wrote to memory of 2112	4164	7zFM.exe	94
PID 4164 wrote to memory of 4676	4164	7zFM.exe	98
PID 4164 wrote to memory of 4676	4164	7zFM.exe	98
PID 4164 wrote to memory of 4676	4164	7zFM.exe	98
PID 4676 wrote to memory of 1368	4676	Gnil.exe	99
PID 4676 wrote to memory of 1368	4676	Gnil.exe	99
PID 4676 wrote to memory of 1368	4676	Gnil.exe	99
PID 4164 wrote to memory of 2172	4164	7zFM.exe	100
PID 4164 wrote to memory of 2172	4164	7zFM.exe	100
PID 4164 wrote to memory of 2172	4164	7zFM.exe	100
PID 4164 wrote to memory of 4188	4164	7zFM.exe	101
PID 4164 wrote to memory of 4188	4164	7zFM.exe	101
PID 4164 wrote to memory of 4188	4164	7zFM.exe	101
PID 4164 wrote to memory of 3656	4164	7zFM.exe	103
PID 4164 wrote to memory of 3656	4164	7zFM.exe	103
PID 4164 wrote to memory of 3656	4164	7zFM.exe	103
PID 4164 wrote to memory of 2540	4164	7zFM.exe	104
PID 4164 wrote to memory of 2540	4164	7zFM.exe	104
PID 4164 wrote to memory of 2540	4164	7zFM.exe	104
PID 4164 wrote to memory of 4900	4164	7zFM.exe	105
PID 4164 wrote to memory of 4900	4164	7zFM.exe	105
PID 4164 wrote to memory of 4900	4164	7zFM.exe	105
PID 4164 wrote to memory of 4332	4164	7zFM.exe	106
PID 4164 wrote to memory of 4332	4164	7zFM.exe	106
PID 4164 wrote to memory of 4332	4164	7zFM.exe	106
PID 4164 wrote to memory of 3064	4164	7zFM.exe	107
PID 4164 wrote to memory of 3064	4164	7zFM.exe	107
PID 4164 wrote to memory of 3064	4164	7zFM.exe	107
PID 4164 wrote to memory of 2184	4164	7zFM.exe	108
PID 4164 wrote to memory of 2184	4164	7zFM.exe	108
PID 4164 wrote to memory of 2184	4164	7zFM.exe	108

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master.zip"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4164
- C:\Users\Admin\AppData\Local\Temp\7zO44099C29\WinNuke.98.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO44099C29\WinNuke.98.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3320
- C:\Users\Admin\AppData\Local\Temp\7zO44075539\xpaj.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO44075539\xpaj.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4080
- C:\Users\Admin\AppData\Local\Temp\7zO440862D9\Floxif.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO440862D9\Floxif.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2112
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 400
    3⤵
    - Program crash
    PID:3648
- C:\Users\Admin\AppData\Local\Temp\7zO440CB1E9\Gnil.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO440CB1E9\Gnil.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4676
- - C:\Windows\SysWOW64\drivers\spoclsv.exe
    C:\Windows\system32\drivers\spoclsv.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1368
- C:\Users\Admin\AppData\Local\Temp\7zO4403FDF9\Mabezat.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO4403FDF9\Mabezat.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2172
- C:\Users\Admin\AppData\Local\Temp\7zO440AE389\Amus.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO440AE389\Amus.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4188
- C:\Users\Admin\AppData\Local\Temp\7zO44002789\Anap.a.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO44002789\Anap.a.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3656
- C:\Users\Admin\AppData\Local\Temp\7zO4401F899\Axam.a.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO4401F899\Axam.a.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2540
- C:\Users\Admin\AppData\Roaming\Axam.exe
  "C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Users\Admin\AppData\Local\Temp\7zO440A6D99\Brontok.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4900
- C:\Users\Admin\AppData\Roaming\Axam.exe
  "C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Users\Admin\AppData\Local\Temp\7zO44079199\Bugsoft.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4332
- C:\Users\Admin\AppData\Roaming\Axam.exe
  "C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Users\Admin\AppData\Local\Temp\7zO44010AA9\Maldal.a.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:3064
- C:\Users\Admin\AppData\Roaming\Axam.exe
  "C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Users\Admin\AppData\Local\Temp\7zO44053CA9\Lacon.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2112 -ip 2112
1⤵
PID:1268

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x300 0x4b4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Autoexec.bat

Filesize
302B

MD5
3565a089a0f8b2b5afb04ec4379b44dc

SHA1
4075ac633db35b158e4142860a2fd4f331780f9c

SHA256
941689078f2ed21767fd0aa5ad330df33b8a0ac96acccb2020f307558d6087cb

SHA512
112538d7d1af9c02536db20acfc6cea3225341d0f1468ad49ab980a65c74c9111fbf2514776e4e40bd2fbb13d1703dc47cc647b780dc503be99f6fa712c925a5

Download Submit
C:\Autoexec.bat

Filesize
453B

MD5
3c134fc18e7bdaf02d63571d193799ad

SHA1
7e6f22569d16202195410f29e6c74d093f1fa930

SHA256
087f1acb6ed4d7563daaf6f0e1110dc7b3d5b4d6130ba19389cdf3eb90e9d347

SHA512
5b02fda689e01d570fced10841daea8f543467b9a0ea138149c486c6d9fd56a0684901af16cbf2b3ad7f1d0b6cf6b08bc36288afcec4d5552b5863ef854570d6

Download Submit
C:\Autoexec.bat

Filesize
604B

MD5
9ec5dcbc21f0309fc9c7c545063986b5

SHA1
eaea4f607aeefc9f6081d4b122ebaec421e7029b

SHA256
273c2c218dd1d27bca1ad23115deb50ee860332b724f7a1b1aa906e055d0d38d

SHA512
e2044e50dd09b7df76b76ae96f1fbfea85a73e5055891df4b464b8cf981f5ef623fa660f6b5c3beda289d4166cb39a38e3153a1ed6e4e74fda7ea0914a3ea935

Download Submit
C:\Autoexec.bat

Filesize
755B

MD5
c73f3203dbe2960f84a494e1662db2c9

SHA1
27835a0be12637153e54411bea70546c1de82770

SHA256
60683424722818828849fcd2e3893265de28c94d660d64b8cb1d1f31a20026c2

SHA512
4cbb057b8d9760f0e16bfc110405f2f239c52b0559a59759e310266fc6bf96e84fd5798a30bcbea56e748890ce335825845e0df1c269ca03501cf7f32e0cb1cc

Download Submit
C:\Program Files\Common Files\System\symsrv.dll

Filesize
72KB

MD5
ccf7e487353602c57e2e743d047aca36

SHA1
99f66919152d67a882685a41b7130af5f7703888

SHA256
eaf76e5f1a438478ecf7b678744da34e9d9e5038b128f0c595672ee1dbbfd914

SHA512
dde0366658082b142faa6487245bfc8b8942605f0ede65d12f8c368ff3673ca18e416a4bf132c4bee5be43e94aef0531be2008746c24f1e6b2f294a63ab1486c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO44002789\Anap.a.exe

Filesize
16KB

MD5
0231c3a7d92ead1bad77819d5bda939d

SHA1
683523ae4b60ac43d62cac5dad05fd8b5b8b8ae0

SHA256
da1798c0a49b991fbda674f02007b0a3be4703e2b07ee540539db7e5bf983278

SHA512
e34af2a1bd8f17ddc994671db37b29728e933e62eded7aff93ab0194a813103cad9dba522388f9f67ba839196fb6ed54ce87e1bebcfd98957feb40b726a7e0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO44009D19\Walker.com

Filesize
4KB

MD5
93ceffafe7bb69ec3f9b4a90908ece46

SHA1
14c85fa8930f8bfbe1f9102a10f4b03d24a16d02

SHA256
b87b48dcbf779b06c6ca6491cd31328cf840578d29a6327b7a44f9043ce1eb07

SHA512
c1cb5f15e2487f42d57ae0fa340e29c677fe24b44c945615ef617d77c2737ce4227d5a571547714973d263ed0a69c8893b6c51e89409261cdbedff612339d144

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO44010AA9\Maldal.a.exe

Filesize
80KB

MD5
cbcd34a252a7cf61250b0f7f1cba3382

SHA1
152f224d66555dd49711754bf4e29a17f4706332

SHA256
abac285f290f0cfcd308071c9dfa9b7b4b48d10b4a3b4d75048804e59a447787

SHA512
09fdcb04707a3314e584f81db5210b2390f4c3f5efa173539f9d248db48ae26b3a8b240cf254561b0ecb764f6b04bb4c129832c6502d952d1960e443371ce2a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4401F899\Axam.a.exe

Filesize
11KB

MD5
0fbf8022619ba56c545b20d172bf3b87

SHA1
752e5ce51f0cf9192b8fa1d28a7663b46e3577ff

SHA256
4ae7d63ec497143c2acde1ba79f1d9eed80086a420b6f0a07b1e2917da0a6c74

SHA512
e8d44147609d04a1a158066d89b739c00b507c8ff208dac72fdc2a42702d336c057ae4b77c305f4ccdfe089665913098d84a3160a834aaebe41f95f4b4bfddeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4403FDF9\Mabezat.exe

Filesize
141KB

MD5
de8d08a3018dfe8fd04ed525d30bb612

SHA1
a65d97c20e777d04fb4f3c465b82e8c456edba24

SHA256
2ae0c4a5f1fedf964e2f8a486bf0ee5d1816aac30c889458a9ac113d13b50ceb

SHA512
cc4bbf71024732addda3a30a511ce33ce41cbed2d507dfc7391e8367ddf9a5c4906a57bf8310e3f6535646f6d365835c7e49b95584d1114faf2738dcb1eb451a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO44053CA9\Lacon.exe

Filesize
12KB

MD5
cb0f7b3fd927cf0d0ba36302e6f9af86

SHA1
32bdc349a35916e8991e69e9be1bd2596b6321cc

SHA256
9b3f73a12a793d1648f3209e1e3f10bbb548b1ec21d53b8ac060b7b95ae4ef1f

SHA512
e6152f3645d73c63f3f3aa9881fe8b404f9794b14a8ecaea659621828462baf042c13c88bb7f2c32277fa854ceda3056d09aa5603e92b107c6c8194464154252

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO44075539\xpaj.exe

Filesize
219KB

MD5
d5c12fcfeebbe63f74026601cd7f39b2

SHA1
50281de9abb1bec1b6a1f13ccd3ce3493dee8850

SHA256
9db7ef2d1495dba921f3084b05d95e418a16f4c5e8de93738abef2479ad5b0da

SHA512
132d8c08f40a578c1dc6ac029bf2a61535087ce949ff84dbec8577505c4462358a1d9ef6cd3f58078fdcae5261d7a87348a701c28ce2357f17ecc2bc9da15b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO44079199\Bugsoft.exe

Filesize
32KB

MD5
70f549ae7fafc425a4c5447293f04fdb

SHA1
af4b0ed0e0212aced62d40b24ad6861dbfd67b61

SHA256
96425ae53a5517b9f47e30f6b41fdc883831039e1faba02fe28b2d5f3efcdc29

SHA512
3f83e9e6d5bc080fb5c797617078aff9bc66efcd2ffac091a97255911c64995a2d83b5e93296f7a57ff3713d92952b30a06fc38cd574c5fe58f008593040b7f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO440862D9\Floxif.exe

Filesize
532KB

MD5
00add4a97311b2b8b6264674335caab6

SHA1
3688de985909cc9f9fa6e0a4f2e43d986fe6d0ec

SHA256
812af0ec9e1dfd8f48b47fd148bafe6eecb42d0a304bc0e4539750dd23820a7f

SHA512
aaf5dae929e6b5809b77b6a79ab833e548b66fb628afeb20b554d678947494a6804cb3d59bf6bbcb2b14cede1a0609aa41f8e7fe8a7999d578e8b7af7144cb70

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO44099C29\WinNuke.98.exe

Filesize
32KB

MD5
eb9324121994e5e41f1738b5af8944b1

SHA1
aa63c521b64602fa9c3a73dadd412fdaf181b690

SHA256
2f1f93ede80502d153e301baf9b7f68e7c7a9344cfa90cfae396aac17e81ce5a

SHA512
7f7a702ddec8d94cb2177b4736d94ec53e575be3dd2d610410cb3154ba9ad2936c98e0e72ed7ab5ebbcbe0329be0d9b20a3bcd84670a6d1c8d7e0a9a3056edd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO440A6D99\Brontok.exe

Filesize
106KB

MD5
d7506150617460e34645025f1ca2c74b

SHA1
5e7d5daf73a72473795d591f831e8a2054947668

SHA256
941ebf1dc12321bbe430994a55f6e22a1b83cea2fa7d281484ea2dab06353112

SHA512
69e0bd07a8bdbfe066593cdd81acd530b3d12b21e637c1af511b8fee447831b8d822065c5a74a477fe6590962ceff8d64d83ae9c41efd930636921d4d6567f6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO440A9909\MadMan.exe

Filesize
2KB

MD5
a56d479405b23976f162f3a4a74e48aa

SHA1
f4f433b3f56315e1d469148bdfd835469526262f

SHA256
17d81134a5957fb758b9d69a90b033477a991c8b0f107d9864dc790ca37e6a23

SHA512
f5594cde50ca5235f7759c9350d4054d7a61b5e61a197dffc04eb8cdef368572e99d212dd406ad296484b5f0f880bdc5ec9e155781101d15083c1564738a900a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO440AE389\Amus.exe

Filesize
50KB

MD5
47abd68080eee0ea1b95ae31968a3069

SHA1
ffbdf4b2224b92bd78779a7c5ac366ccb007c14d

SHA256
b5fc4fd50e4ba69f0c8c8e5c402813c107c605cab659960ac31b3c8356c4e0ec

SHA512
c9dfabffe582b29e810db8866f8997af1bd3339fa30e79575377bde970fcad3e3b6e9036b3a88d0c5f4fa3545eea8904d9faabf00142d5775ea5508adcd4dc0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO440CB1E9\Gnil.exe

Filesize
73KB

MD5
37e887b7a048ddb9013c8d2a26d5b740

SHA1
713b4678c05a76dbd22e6f8d738c9ef655e70226

SHA256
24c0638ff7571c7f4df5bcddd50bc478195823e934481fa3ee96eb1d1c4b4a1b

SHA512
99f74eb00c6f6d1cbecb4d88e1056222e236cb85cf2a421243b63cd481939d3c4693e08edde743722d3320c27573fbcc99bf749ff72b857831e4b6667374b8af

Download Submit
memory/1368-79-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2112-57-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2112-61-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2112-59-0x0000000000480000-0x00000000004F5000-memory.dmp

Filesize
468KB

Download
memory/2172-92-0x0000000001000000-0x0000000001026000-memory.dmp

Filesize
152KB

Download
memory/2172-94-0x0000000001000000-0x0000000001026000-memory.dmp

Filesize
152KB

Download
memory/2540-156-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4080-64-0x00000000021D0000-0x0000000002206000-memory.dmp

Filesize
216KB

Download
memory/4080-63-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4080-62-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/4080-40-0x00000000021D0000-0x0000000002206000-memory.dmp

Filesize
216KB

Download
memory/4080-37-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4080-39-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/4188-107-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4676-74-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4676-80-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download