Analysis Overview
SHA256
db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990
Threat Level: Known bad
The file db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990 was found to be: Known bad.
Malicious Activity Summary
Gh0st RAT payload
Gh0strat
PurpleFox
Detect PurpleFox Rootkit
Sets service image path in registry
Drops file in Drivers directory
Sets DLL path for service in the registry
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Drops file in Program Files directory
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-08-23 05:59
Signatures
Unsigned PE
1 match (no indicator or process detail reported)
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-23 05:59
Reported
2023-08-23 06:01
Platform
win7-20230712-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Detect PurpleFox Rootkit
8 matches (no indicator or process detail reported)
Gh0st RAT payload
14 matches (no indicator or process detail reported)
Gh0strat
PurpleFox
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\QAssist.sys | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Sets DLL path for service in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259422315.txt" | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
The service name Ö÷¶¯·ÀÓù·þÎñÄ£¿é is the GBK string 主动防御服务模块 ("Active Defense Service Module") rendered through the sandbox's Latin-1 (CP1252) code page; on a host whose ANSI code page is 936 (Simplified Chinese) the same service key and the svchost -k group name appear in Chinese, so hunts should match both forms. The file named in ServiceDll is loaded as a DLL despite its .txt extension.
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HD_db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | N/A |
UPX packed file
15 matches (no indicator or process detail reported)
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\259422315.txt | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
| File created | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | C:\Users\Admin\AppData\Local\Temp\db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Users\Admin\AppData\Local\Temp\db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe | N/A |
| File created | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Local\Temp\db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | C:\Users\Admin\AppData\Local\Temp\db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe
"C:\Users\Admin\AppData\Local\Temp\db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -acsi
C:\Users\Admin\AppData\Local\Temp\svchos.exe
C:\Users\Admin\AppData\Local\Temp\\svchos.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
C:\Users\Admin\AppData\Local\Temp\HD_db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe
C:\Users\Admin\AppData\Local\Temp\HD_db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\259422315.txt",MainThread
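The persistence and cleanup indicators in this run (a ServiceDll pointing at a .txt in System32, a .sys ImagePath written by a SysWOW64 process, svchost -k with a mis-encoded group name, system-binary names running from the user's Temp directory, and cmd /c ping -n 2 127.0.0.1 && del to self-delete the dropper) translate directly into hunt rules. The script below is an added example, not part of the sandbox report or any vendor tooling: the event records are constructed to mirror the indicators above, the field names (kind, image, cmdline, key, value) are the example's own schema rather than a Sysmon or EDR format, and the only assumption in the decoding step is that the mojibake service name is GBK bytes shown as Latin-1.

```python
"""Hunt rules for the persistence and cleanup behaviour in this report.

Added example, not part of the sandbox report or any vendor tooling. Event
records are constructed to mirror the report's indicators; the field names
are this example's own schema, not a Sysmon or EDR format.
"""
import difflib
import re

# Constructed telemetry modelled on the behavioral1 indicators.
SAMPLE_EVENTS = [
    {"kind": "process", "image": r"C:\Users\Admin\AppData\Local\Temp\svchost.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\\svchost.exe"},
    {"kind": "process", "image": r"C:\Users\Admin\AppData\Local\Temp\svchos.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\\svchos.exe"},
    {"kind": "process", "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul "
                r"&& del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul"},
    {"kind": "registry", "image": r"C:\Windows\SysWOW64\TXPlatforn.exe",
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath",
     "value": r"system32\DRIVERS\QAssist.sys"},
    {"kind": "registry", "image": r"C:\Users\Admin\AppData\Local\Temp\svchos.exe",
     "key": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\services\\"
            "Ö÷¶¯·ÀÓù·þÎñÄ£¿é\\Parameters\\ServiceDll",
     "value": r"C:\Windows\system32\259422315.txt"},
    {"kind": "process", "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": 'C:\\Windows\\SysWOW64\\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"'},
    # Benign control: a genuine service host that must not fire any rule.
    {"kind": "process", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
]

SYSTEM_BINARIES = ("svchost.exe", "lsass.exe", "csrss.exe")
SELF_DELETE = re.compile(r"ping\s+-n\s+\d+\s+127\.0\.0\.1.*?&&\s*del\s+(\S+)", re.I)
SVCHOST_GROUP = re.compile(r'svchost\.exe\s+-k\s+"?([^"\s]+)"?', re.I)
SERVICE_NAME = re.compile(r"\\services\\([^\\]+)\\", re.I)


def degarble(name: str) -> str:
    """Recover a GBK string that was rendered as Latin-1 (the mojibake in the
    report). ASCII input and strings that do not round-trip are returned as-is."""
    if name.isascii():
        return name
    try:
        return name.encode("latin-1").decode("gbk")
    except UnicodeError:
        return name


def looks_like_system_binary(basename: str) -> bool:
    """True for exact system-binary names and near-misses such as svchos.exe."""
    return any(difflib.SequenceMatcher(None, basename, s).ratio() >= 0.9
               for s in SYSTEM_BINARIES)


def hunt(events):
    """Return a list of (rule, detail) findings for the given event records."""
    findings = []
    for ev in events:
        image = ev["image"]
        base = image.rsplit("\\", 1)[-1].lower()
        if ev["kind"] == "process":
            cmd = ev["cmdline"]
            # System-binary name running outside C:\Windows: masquerading.
            if looks_like_system_binary(base) and "\\windows\\" not in image.lower():
                findings.append(("masquerade", image))
            # ping-to-loopback delay followed by del: dropper self-deletion.
            m = SELF_DELETE.search(cmd)
            if m:
                findings.append(("self_delete", m.group(1)))
            # svchost -k with a non-ASCII group: report the decoded service name.
            m = SVCHOST_GROUP.search(cmd)
            if m and not m.group(1).isascii():
                findings.append(("odd_svchost_group", degarble(m.group(1))))
        elif ev["kind"] == "registry":
            key, value = ev["key"], ev["value"]
            leaf = key.rsplit("\\", 1)[-1].lower()
            svc = SERVICE_NAME.search(key)
            svc_name = degarble(svc.group(1)) if svc else "?"
            # ServiceDll that is not a .dll (here a .txt in System32).
            if leaf == "servicedll" and not value.lower().endswith(".dll"):
                findings.append(("servicedll_not_dll", f"{svc_name} -> {value}"))
            # Kernel driver registered by a writer outside System32 (heuristic).
            if (leaf == "imagepath" and value.lower().endswith(".sys")
                    and not image.lower().startswith("c:\\windows\\system32\\")):
                findings.append(("driver_from_odd_writer", f"{image} -> {value}"))
    return findings


if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:24} {detail}")
```

The near-miss check is what catches svchos.exe next to svchost.exe; the driver rule is deliberately a heuristic (legitimate installers also register drivers), so treat it as a triage signal to pair with the writer's path and signature status rather than as a verdict on its own.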
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| N/A | 127.0.0.1:6066 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:6066 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:6066 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:6066 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:6066 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
| N/A | 127.0.0.1:8088 | N/A | tcp |
All TCP traffic in this run is to loopback (5 connections to 127.0.0.1:6066 and 70 to 127.0.0.1:8088); the only external activity is five DNS queries for hackerinvasion.f3322.net (a dynamic-DNS hostname) via 8.8.8.8, and no connection to a resolved address appears in the capture.
Files
\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
C:\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
memory/2968-58-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/2968-61-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/2968-60-0x0000000010000000-0x00000000101B6000-memory.dmp
C:\Windows\SysWOW64\TXPlatforn.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
C:\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
memory/2968-62-0x0000000010000000-0x00000000101B6000-memory.dmp
C:\Windows\SysWOW64\TXPlatforn.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
memory/2912-70-0x0000000010000000-0x00000000101B6000-memory.dmp
C:\Windows\SysWOW64\TXPlatforn.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
\Windows\SysWOW64\TXPlatforn.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
memory/2968-76-0x0000000010000000-0x00000000101B6000-memory.dmp
\Users\Admin\AppData\Local\Temp\svchos.exe
| MD5 | 3b377ad877a942ec9f60ea285f7119a2 |
| SHA1 | 60b23987b20d913982f723ab375eef50fafa6c70 |
| SHA256 | 62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84 |
| SHA512 | af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f |
memory/2912-85-0x0000000010000000-0x00000000101B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\svchos.exe
| MD5 | 3b377ad877a942ec9f60ea285f7119a2 |
| SHA1 | 60b23987b20d913982f723ab375eef50fafa6c70 |
| SHA256 | 62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84 |
| SHA512 | af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f |
\Windows\SysWOW64\259422315.txt
| MD5 | fb82e07cb3a53c242a0cdb5ef98ac031 |
| SHA1 | e5014296741d987b542475a0447f76980f00ae34 |
| SHA256 | 8e8d0e73220e80394e41886dce54b03a21c049bc19e4fbe392c90ea37028527b |
| SHA512 | 1af7476c5ffac9c53ec2d7a6da03175ba624d1e33015d447b11c2d55a74ff0639c5ebd80529575dd034d4771e8c2af9ecd9f5da7e9cc74761b78caddce8ff6dd |
memory/2832-89-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/2832-91-0x0000000010000000-0x00000000101B6000-memory.dmp
\Windows\SysWOW64\259422315.txt
| MD5 | fb82e07cb3a53c242a0cdb5ef98ac031 |
| SHA1 | e5014296741d987b542475a0447f76980f00ae34 |
| SHA256 | 8e8d0e73220e80394e41886dce54b03a21c049bc19e4fbe392c90ea37028527b |
| SHA512 | 1af7476c5ffac9c53ec2d7a6da03175ba624d1e33015d447b11c2d55a74ff0639c5ebd80529575dd034d4771e8c2af9ecd9f5da7e9cc74761b78caddce8ff6dd |
\??\c:\windows\SysWOW64\259422315.txt
| MD5 | fb82e07cb3a53c242a0cdb5ef98ac031 |
| SHA1 | e5014296741d987b542475a0447f76980f00ae34 |
| SHA256 | 8e8d0e73220e80394e41886dce54b03a21c049bc19e4fbe392c90ea37028527b |
| SHA512 | 1af7476c5ffac9c53ec2d7a6da03175ba624d1e33015d447b11c2d55a74ff0639c5ebd80529575dd034d4771e8c2af9ecd9f5da7e9cc74761b78caddce8ff6dd |
\Users\Admin\AppData\Local\Temp\HD_db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe
| MD5 | 9d5599e6ebd2fddc068bfa56b2117649 |
| SHA1 | 37613d93a85431bc74b6fbf123247c8f686a2a25 |
| SHA256 | 7fab28fb1682255b9b13d68e5987e8e2660bad8f1fc1e450d5b63564de77aae3 |
| SHA512 | 094f1b29b09668ecd34719fd62c682684e28c7f52d64aaa8472431f3a9792f74d72da03ad395a4ac2f4ff2205d2f10caf4cc3c8bd6478955a7121bf7d26b7742 |
C:\Users\Admin\AppData\Local\Temp\HD_db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe
| MD5 | 9d5599e6ebd2fddc068bfa56b2117649 |
| SHA1 | 37613d93a85431bc74b6fbf123247c8f686a2a25 |
| SHA256 | 7fab28fb1682255b9b13d68e5987e8e2660bad8f1fc1e450d5b63564de77aae3 |
| SHA512 | 094f1b29b09668ecd34719fd62c682684e28c7f52d64aaa8472431f3a9792f74d72da03ad395a4ac2f4ff2205d2f10caf4cc3c8bd6478955a7121bf7d26b7742 |
memory/2532-108-0x0000000002550000-0x0000000002696000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HD_db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe
| MD5 | 9d5599e6ebd2fddc068bfa56b2117649 |
| SHA1 | 37613d93a85431bc74b6fbf123247c8f686a2a25 |
| SHA256 | 7fab28fb1682255b9b13d68e5987e8e2660bad8f1fc1e450d5b63564de77aae3 |
| SHA512 | 094f1b29b09668ecd34719fd62c682684e28c7f52d64aaa8472431f3a9792f74d72da03ad395a4ac2f4ff2205d2f10caf4cc3c8bd6478955a7121bf7d26b7742 |
\Users\Admin\AppData\Local\Temp\HD_db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe
| MD5 | 9d5599e6ebd2fddc068bfa56b2117649 |
| SHA1 | 37613d93a85431bc74b6fbf123247c8f686a2a25 |
| SHA256 | 7fab28fb1682255b9b13d68e5987e8e2660bad8f1fc1e450d5b63564de77aae3 |
| SHA512 | 094f1b29b09668ecd34719fd62c682684e28c7f52d64aaa8472431f3a9792f74d72da03ad395a4ac2f4ff2205d2f10caf4cc3c8bd6478955a7121bf7d26b7742 |
memory/1992-110-0x0000000000400000-0x0000000000546000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HD_X.dat
| MD5 | 5cedaff71e6e0bc0f5bff7aead2023ad |
| SHA1 | 2a0576b588d433ebf297ae148a8e162eeca88e43 |
| SHA256 | 39b2856c0f880da2e36f2e2ef8d6b5d1a18fef13385ee7b60fc2be159c3ec3bc |
| SHA512 | c580055258e8609a5fdb07d2d0167c9919f7e13af761549bf752074770853db4a7d84df13a51e268f610d917fe41b4232c6d4cf7bb5b8bd28860ba8ce4dfe20d |
memory/2832-143-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/2532-144-0x0000000002550000-0x0000000002696000-memory.dmp
\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
| MD5 | 51138beea3e2c21ec44d0932c71762a8 |
| SHA1 | 8939cf35447b22dd2c6e6f443446acc1bf986d58 |
| SHA256 | 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124 |
| SHA512 | 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d |
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
| MD5 | 51138beea3e2c21ec44d0932c71762a8 |
| SHA1 | 8939cf35447b22dd2c6e6f443446acc1bf986d58 |
| SHA256 | 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124 |
| SHA512 | 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d |
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
| MD5 | 51138beea3e2c21ec44d0932c71762a8 |
| SHA1 | 8939cf35447b22dd2c6e6f443446acc1bf986d58 |
| SHA256 | 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124 |
| SHA512 | 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d |
\Windows\SysWOW64\259422315.txt
| MD5 | fb82e07cb3a53c242a0cdb5ef98ac031 |
| SHA1 | e5014296741d987b542475a0447f76980f00ae34 |
| SHA256 | 8e8d0e73220e80394e41886dce54b03a21c049bc19e4fbe392c90ea37028527b |
| SHA512 | 1af7476c5ffac9c53ec2d7a6da03175ba624d1e33015d447b11c2d55a74ff0639c5ebd80529575dd034d4771e8c2af9ecd9f5da7e9cc74761b78caddce8ff6dd |
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-23 05:59
Reported
2023-08-23 06:01
Platform
win10v2004-20230703-en
Max time kernel
152s
Max time network
157s
Command Line
Signatures
Detect PurpleFox Rootkit
10 matches (no indicator or process detail reported)
Gh0st RAT payload
11 matches (no indicator or process detail reported)
Gh0strat
PurpleFox
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\QAssist.sys | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HD_db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
UPX packed file
16 matches (no indicator or process detail reported)
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\240612640.txt | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Users\Admin\AppData\Local\Temp\db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | C:\Users\Admin\AppData\Local\Temp\db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Users\Admin\AppData\Local\Temp\db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe | N/A |
| File created | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Local\Temp\db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | C:\Users\Admin\AppData\Local\Temp\db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\svchos.exe |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe
"C:\Users\Admin\AppData\Local\Temp\db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
C:\Users\Admin\AppData\Local\Temp\svchos.exe
C:\Users\Admin\AppData\Local\Temp\\svchos.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1204 -ip 1204
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -acsi
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 464
C:\Users\Admin\AppData\Local\Temp\HD_db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe
C:\Users\Admin\AppData\Local\Temp\HD_db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| N/A | 127.0.0.1:6066 | N/A | tcp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.154.241.8.in-addr.arpa | udp |
| N/A | 127.0.0.1:6066 | N/A | tcp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| N/A | 127.0.0.1:6066 | N/A | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| N/A | 127.0.0.1:6066 | N/A | tcp |
| US | 8.8.8.8:53 | 9.179.89.13.in-addr.arpa | udp |
| N/A | 127.0.0.1:6066 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
C:\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
memory/2172-137-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/2172-140-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/2172-139-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/2172-141-0x0000000010000000-0x00000000101B6000-memory.dmp
C:\Windows\SysWOW64\TXPlatforn.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
C:\Users\Admin\AppData\Local\Temp\svchos.exe
| MD5 | 3b377ad877a942ec9f60ea285f7119a2 |
| SHA1 | 60b23987b20d913982f723ab375eef50fafa6c70 |
| SHA256 | 62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84 |
| SHA512 | af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f |
C:\Windows\SysWOW64\TXPlatforn.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
C:\Users\Admin\AppData\Local\Temp\svchos.exe
| MD5 | 3b377ad877a942ec9f60ea285f7119a2 |
| SHA1 | 60b23987b20d913982f723ab375eef50fafa6c70 |
| SHA256 | 62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84 |
| SHA512 | af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f |
C:\Users\Admin\AppData\Local\Temp\HD_db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe
| MD5 | 9d5599e6ebd2fddc068bfa56b2117649 |
| SHA1 | 37613d93a85431bc74b6fbf123247c8f686a2a25 |
| SHA256 | 7fab28fb1682255b9b13d68e5987e8e2660bad8f1fc1e450d5b63564de77aae3 |
| SHA512 | 094f1b29b09668ecd34719fd62c682684e28c7f52d64aaa8472431f3a9792f74d72da03ad395a4ac2f4ff2205d2f10caf4cc3c8bd6478955a7121bf7d26b7742 |
C:\Windows\SysWOW64\240612640.txt
| MD5 | fb82e07cb3a53c242a0cdb5ef98ac031 |
| SHA1 | e5014296741d987b542475a0447f76980f00ae34 |
| SHA256 | 8e8d0e73220e80394e41886dce54b03a21c049bc19e4fbe392c90ea37028527b |
| SHA512 | 1af7476c5ffac9c53ec2d7a6da03175ba624d1e33015d447b11c2d55a74ff0639c5ebd80529575dd034d4771e8c2af9ecd9f5da7e9cc74761b78caddce8ff6dd |
memory/216-161-0x0000000000400000-0x0000000000546000-memory.dmp
memory/4240-162-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/4240-163-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/2172-164-0x0000000010000000-0x00000000101B6000-memory.dmp
C:\Windows\SysWOW64\TXPlatforn.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
memory/4240-171-0x0000000010000000-0x00000000101B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HD_db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe
| MD5 | 9d5599e6ebd2fddc068bfa56b2117649 |
| SHA1 | 37613d93a85431bc74b6fbf123247c8f686a2a25 |
| SHA256 | 7fab28fb1682255b9b13d68e5987e8e2660bad8f1fc1e450d5b63564de77aae3 |
| SHA512 | 094f1b29b09668ecd34719fd62c682684e28c7f52d64aaa8472431f3a9792f74d72da03ad395a4ac2f4ff2205d2f10caf4cc3c8bd6478955a7121bf7d26b7742 |
C:\Users\Admin\AppData\Local\Temp\HD_X.dat
| MD5 | 5cedaff71e6e0bc0f5bff7aead2023ad |
| SHA1 | 2a0576b588d433ebf297ae148a8e162eeca88e43 |
| SHA256 | 39b2856c0f880da2e36f2e2ef8d6b5d1a18fef13385ee7b60fc2be159c3ec3bc |
| SHA512 | c580055258e8609a5fdb07d2d0167c9919f7e13af761549bf752074770853db4a7d84df13a51e268f610d917fe41b4232c6d4cf7bb5b8bd28860ba8ce4dfe20d |
memory/216-214-0x0000000000400000-0x0000000000546000-memory.dmp
memory/4240-150-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/4200-215-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/4200-218-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/4200-220-0x0000000010000000-0x00000000101B6000-memory.dmp