Analysis Overview
SHA256
03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40
Threat Level: Known bad
The file 03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40 was found to be: Known bad.
Malicious Activity Summary
Gh0strat
PurpleFox
Detect PurpleFox Rootkit
Gh0st RAT payload
Drops file in Drivers directory
Sets service image path in registry
Sets DLL path for service in the registry
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in System32 directory
Drops file in Program Files directory
Program crash
Unsigned PE
Enumerates physical storage devices
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-08-23 05:59
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-23 05:58
Reported
2023-08-23 06:01
Platform
win7-20230712-en
Max time kernel
151s
Max time network
148s
Command Line
Signatures
Detect PurpleFox Rootkit
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
PurpleFox
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\QAssist.sys | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Sets DLL path for service in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259420770.txt" | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HD_03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\259420770.txt | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
| File created | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | C:\Users\Admin\AppData\Local\Temp\03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Users\Admin\AppData\Local\Temp\03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe | N/A |
| File created | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Local\Temp\03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | C:\Users\Admin\AppData\Local\Temp\03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe
"C:\Users\Admin\AppData\Local\Temp\03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -acsi
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
C:\Users\Admin\AppData\Local\Temp\svchos.exe
C:\Users\Admin\AppData\Local\Temp\\svchos.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
C:\Users\Admin\AppData\Local\Temp\HD_03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe
C:\Users\Admin\AppData\Local\Temp\HD_03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\259420770.txt",MainThread
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| N/A | 127.0.0.1:6066 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:6066 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:6066 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:6066 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:6066 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp | |
| N/A | 127.0.0.1:8088 | tcp |
Files
\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
C:\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
memory/2624-58-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/2624-61-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/2624-62-0x0000000010000000-0x00000000101B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
C:\Windows\SysWOW64\TXPlatforn.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
C:\Windows\SysWOW64\TXPlatforn.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
memory/2400-70-0x0000000010000000-0x00000000101B6000-memory.dmp
\Windows\SysWOW64\TXPlatforn.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
\Users\Admin\AppData\Local\Temp\svchos.exe
| MD5 | 3b377ad877a942ec9f60ea285f7119a2 |
| SHA1 | 60b23987b20d913982f723ab375eef50fafa6c70 |
| SHA256 | 62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84 |
| SHA512 | af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f |
C:\Users\Admin\AppData\Local\Temp\svchos.exe
| MD5 | 3b377ad877a942ec9f60ea285f7119a2 |
| SHA1 | 60b23987b20d913982f723ab375eef50fafa6c70 |
| SHA256 | 62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84 |
| SHA512 | af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f |
C:\Windows\SysWOW64\TXPlatforn.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
memory/2624-76-0x0000000010000000-0x00000000101B6000-memory.dmp
C:\Windows\SysWOW64\TXPlatforn.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
\Windows\SysWOW64\259420770.txt
| MD5 | fb82e07cb3a53c242a0cdb5ef98ac031 |
| SHA1 | e5014296741d987b542475a0447f76980f00ae34 |
| SHA256 | 8e8d0e73220e80394e41886dce54b03a21c049bc19e4fbe392c90ea37028527b |
| SHA512 | 1af7476c5ffac9c53ec2d7a6da03175ba624d1e33015d447b11c2d55a74ff0639c5ebd80529575dd034d4771e8c2af9ecd9f5da7e9cc74761b78caddce8ff6dd |
memory/2920-95-0x0000000010000000-0x00000000101B6000-memory.dmp
\??\c:\windows\SysWOW64\259420770.txt
| MD5 | fb82e07cb3a53c242a0cdb5ef98ac031 |
| SHA1 | e5014296741d987b542475a0447f76980f00ae34 |
| SHA256 | 8e8d0e73220e80394e41886dce54b03a21c049bc19e4fbe392c90ea37028527b |
| SHA512 | 1af7476c5ffac9c53ec2d7a6da03175ba624d1e33015d447b11c2d55a74ff0639c5ebd80529575dd034d4771e8c2af9ecd9f5da7e9cc74761b78caddce8ff6dd |
memory/2400-87-0x0000000010000000-0x00000000101B6000-memory.dmp
\Windows\SysWOW64\259420770.txt
| MD5 | fb82e07cb3a53c242a0cdb5ef98ac031 |
| SHA1 | e5014296741d987b542475a0447f76980f00ae34 |
| SHA256 | 8e8d0e73220e80394e41886dce54b03a21c049bc19e4fbe392c90ea37028527b |
| SHA512 | 1af7476c5ffac9c53ec2d7a6da03175ba624d1e33015d447b11c2d55a74ff0639c5ebd80529575dd034d4771e8c2af9ecd9f5da7e9cc74761b78caddce8ff6dd |
\Users\Admin\AppData\Local\Temp\HD_03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe
| MD5 | ff83181fdff4572e4d21d3273b02e9f2 |
| SHA1 | 04cba441a09e9cb3dbfbc80039bc7fad57bd4791 |
| SHA256 | a87637db46b2076a44ca7399eb4d87a2fe0113147aa403b3b9c8ac7d365432f1 |
| SHA512 | 6f290a48f56e13db394ddb4f59e452dabe18130b90281a220f3c25a0595b4cd898c92dfa8a4c11c442ce371f67f3d52aeaa188c39858979b33ff803f4b388291 |
C:\Users\Admin\AppData\Local\Temp\HD_03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe
| MD5 | ff83181fdff4572e4d21d3273b02e9f2 |
| SHA1 | 04cba441a09e9cb3dbfbc80039bc7fad57bd4791 |
| SHA256 | a87637db46b2076a44ca7399eb4d87a2fe0113147aa403b3b9c8ac7d365432f1 |
| SHA512 | 6f290a48f56e13db394ddb4f59e452dabe18130b90281a220f3c25a0595b4cd898c92dfa8a4c11c442ce371f67f3d52aeaa188c39858979b33ff803f4b388291 |
\Users\Admin\AppData\Local\Temp\HD_03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe
| MD5 | ff83181fdff4572e4d21d3273b02e9f2 |
| SHA1 | 04cba441a09e9cb3dbfbc80039bc7fad57bd4791 |
| SHA256 | a87637db46b2076a44ca7399eb4d87a2fe0113147aa403b3b9c8ac7d365432f1 |
| SHA512 | 6f290a48f56e13db394ddb4f59e452dabe18130b90281a220f3c25a0595b4cd898c92dfa8a4c11c442ce371f67f3d52aeaa188c39858979b33ff803f4b388291 |
memory/2920-104-0x0000000010000000-0x00000000101B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HD_03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe
| MD5 | ff83181fdff4572e4d21d3273b02e9f2 |
| SHA1 | 04cba441a09e9cb3dbfbc80039bc7fad57bd4791 |
| SHA256 | a87637db46b2076a44ca7399eb4d87a2fe0113147aa403b3b9c8ac7d365432f1 |
| SHA512 | 6f290a48f56e13db394ddb4f59e452dabe18130b90281a220f3c25a0595b4cd898c92dfa8a4c11c442ce371f67f3d52aeaa188c39858979b33ff803f4b388291 |
memory/2656-109-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2920-108-0x0000000010000000-0x00000000101B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\X.ico
| MD5 | fb44f7af2882d222b600539171f54c1d |
| SHA1 | 0c5a1a0b1620a55a0f194464227be25a2f0347e1 |
| SHA256 | f2a78e76259bc8fd4ab6af7b4e16dfb49a10643308aca3d14c09e61ac0ebd487 |
| SHA512 | 21e906473f64303c4c8d55213ccb84f4a803c11fb5eef34ce3194adfb391ccbcc91e7c399556c7a4e4f3d33b9b19524d4499ec771ee8e1a10df26ea7cc2dcb67 |
C:\Users\Admin\AppData\Local\Temp\HD_X.dat
| MD5 | 5cedaff71e6e0bc0f5bff7aead2023ad |
| SHA1 | 2a0576b588d433ebf297ae148a8e162eeca88e43 |
| SHA256 | 39b2856c0f880da2e36f2e2ef8d6b5d1a18fef13385ee7b60fc2be159c3ec3bc |
| SHA512 | c580055258e8609a5fdb07d2d0167c9919f7e13af761549bf752074770853db4a7d84df13a51e268f610d917fe41b4232c6d4cf7bb5b8bd28860ba8ce4dfe20d |
\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
| MD5 | 51138beea3e2c21ec44d0932c71762a8 |
| SHA1 | 8939cf35447b22dd2c6e6f443446acc1bf986d58 |
| SHA256 | 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124 |
| SHA512 | 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d |
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
| MD5 | 51138beea3e2c21ec44d0932c71762a8 |
| SHA1 | 8939cf35447b22dd2c6e6f443446acc1bf986d58 |
| SHA256 | 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124 |
| SHA512 | 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d |
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
| MD5 | 51138beea3e2c21ec44d0932c71762a8 |
| SHA1 | 8939cf35447b22dd2c6e6f443446acc1bf986d58 |
| SHA256 | 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124 |
| SHA512 | 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d |
\Windows\SysWOW64\259420770.txt
| MD5 | fb82e07cb3a53c242a0cdb5ef98ac031 |
| SHA1 | e5014296741d987b542475a0447f76980f00ae34 |
| SHA256 | 8e8d0e73220e80394e41886dce54b03a21c049bc19e4fbe392c90ea37028527b |
| SHA512 | 1af7476c5ffac9c53ec2d7a6da03175ba624d1e33015d447b11c2d55a74ff0639c5ebd80529575dd034d4771e8c2af9ecd9f5da7e9cc74761b78caddce8ff6dd |
memory/2656-149-0x0000000000220000-0x0000000000221000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-23 05:58
Reported
2023-08-23 06:01
Platform
win10v2004-20230703-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
Detect PurpleFox Rootkit
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
PurpleFox
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\QAssist.sys | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HD_03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\240616562.txt | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Users\Admin\AppData\Local\Temp\03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | C:\Users\Admin\AppData\Local\Temp\03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Users\Admin\AppData\Local\Temp\03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe | N/A |
| File created | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Local\Temp\03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | C:\Users\Admin\AppData\Local\Temp\03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\svchos.exe |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe
"C:\Users\Admin\AppData\Local\Temp\03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
C:\Users\Admin\AppData\Local\Temp\svchos.exe
C:\Users\Admin\AppData\Local\Temp\\svchos.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -acsi
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5064 -ip 5064
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 228
C:\Users\Admin\AppData\Local\Temp\HD_03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe
C:\Users\Admin\AppData\Local\Temp\HD_03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| N/A | 127.0.0.1:6066 | tcp | |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| N/A | 127.0.0.1:6066 | tcp | |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| N/A | 127.0.0.1:6066 | tcp | |
| US | 8.8.8.8:53 | 64.13.109.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:6066 | tcp | |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| N/A | 127.0.0.1:6066 | tcp | |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
C:\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
memory/4468-137-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/4468-140-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/4468-139-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/4468-141-0x0000000010000000-0x00000000101B6000-memory.dmp
C:\Windows\SysWOW64\TXPlatforn.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
C:\Windows\SysWOW64\TXPlatforn.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
memory/2896-146-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/2896-149-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/2896-150-0x0000000010000000-0x00000000101B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\svchos.exe
| MD5 | 3b377ad877a942ec9f60ea285f7119a2 |
| SHA1 | 60b23987b20d913982f723ab375eef50fafa6c70 |
| SHA256 | 62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84 |
| SHA512 | af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f |
C:\Users\Admin\AppData\Local\Temp\svchos.exe
| MD5 | 3b377ad877a942ec9f60ea285f7119a2 |
| SHA1 | 60b23987b20d913982f723ab375eef50fafa6c70 |
| SHA256 | 62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84 |
| SHA512 | af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f |
C:\Windows\SysWOW64\240616562.txt
| MD5 | fb82e07cb3a53c242a0cdb5ef98ac031 |
| SHA1 | e5014296741d987b542475a0447f76980f00ae34 |
| SHA256 | 8e8d0e73220e80394e41886dce54b03a21c049bc19e4fbe392c90ea37028527b |
| SHA512 | 1af7476c5ffac9c53ec2d7a6da03175ba624d1e33015d447b11c2d55a74ff0639c5ebd80529575dd034d4771e8c2af9ecd9f5da7e9cc74761b78caddce8ff6dd |
memory/4468-155-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/2896-162-0x0000000010000000-0x00000000101B6000-memory.dmp
C:\Windows\SysWOW64\TXPlatforn.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
memory/2976-166-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/2976-169-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/2976-170-0x0000000010000000-0x00000000101B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HD_03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe
| MD5 | ff83181fdff4572e4d21d3273b02e9f2 |
| SHA1 | 04cba441a09e9cb3dbfbc80039bc7fad57bd4791 |
| SHA256 | a87637db46b2076a44ca7399eb4d87a2fe0113147aa403b3b9c8ac7d365432f1 |
| SHA512 | 6f290a48f56e13db394ddb4f59e452dabe18130b90281a220f3c25a0595b4cd898c92dfa8a4c11c442ce371f67f3d52aeaa188c39858979b33ff803f4b388291 |
C:\Users\Admin\AppData\Local\Temp\HD_03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe
| MD5 | ff83181fdff4572e4d21d3273b02e9f2 |
| SHA1 | 04cba441a09e9cb3dbfbc80039bc7fad57bd4791 |
| SHA256 | a87637db46b2076a44ca7399eb4d87a2fe0113147aa403b3b9c8ac7d365432f1 |
| SHA512 | 6f290a48f56e13db394ddb4f59e452dabe18130b90281a220f3c25a0595b4cd898c92dfa8a4c11c442ce371f67f3d52aeaa188c39858979b33ff803f4b388291 |
memory/3772-177-0x0000000000710000-0x0000000000711000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HD_X.dat
| MD5 | 5cedaff71e6e0bc0f5bff7aead2023ad |
| SHA1 | 2a0576b588d433ebf297ae148a8e162eeca88e43 |
| SHA256 | 39b2856c0f880da2e36f2e2ef8d6b5d1a18fef13385ee7b60fc2be159c3ec3bc |
| SHA512 | c580055258e8609a5fdb07d2d0167c9919f7e13af761549bf752074770853db4a7d84df13a51e268f610d917fe41b4232c6d4cf7bb5b8bd28860ba8ce4dfe20d |
memory/3772-221-0x0000000000710000-0x0000000000711000-memory.dmp