gh0strat | c81d91a97eb36d5eb006f8b0e5a3c04605366ed31a2d8ed755bfb226eb5ea2db

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18/03/2024, 12:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-18_e0138f4585a43fdfede9203ffbbb66d2_icedid.exe
Size

2.7MB
MD5

e0138f4585a43fdfede9203ffbbb66d2
SHA1

876e1c2a1bcf43caae630ba7581f748dea7e778f
SHA256

c81d91a97eb36d5eb006f8b0e5a3c04605366ed31a2d8ed755bfb226eb5ea2db
SHA512

04512717f269b497bc9cb2f5755fbaf9c4f48df3d44f500786c3122430a5bb78b06febd6b18701e8b9de3e95da78f745fc907000cb89498560c1b705161d6b3e
SSDEEP

24576:yCwsbKgbQ5NANIvGTYwMHXA+wT1kfTw4SIuvB74fgt7ibhRM5QhKehFdMtRj7nHG:yCwsbCANnKXferL7Vwe/Gg0P+Wh

Score

10^/10

gh0strat purplefox persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 7 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral1/memory/2512-22-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2512-21-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2748-40-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2416-48-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2416-51-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2512-34-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2416-53-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 11 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001445e-6.dat	family_gh0strat
behavioral1/files/0x000c00000001445e-11.dat	family_gh0strat
behavioral1/files/0x000c00000001445e-10.dat	family_gh0strat
behavioral1/memory/2512-22-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2512-21-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2748-40-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2416-48-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2416-51-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2512-34-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2416-53-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/files/0x000c00000001445e-59.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

UPX dump on OEP (original entry point) 8 IoCs

resource	yara_rule
behavioral1/memory/2512-18-0x0000000010000000-0x00000000101B6000-memory.dmp	UPX
behavioral1/memory/2512-22-0x0000000010000000-0x00000000101B6000-memory.dmp	UPX
behavioral1/memory/2512-21-0x0000000010000000-0x00000000101B6000-memory.dmp	UPX
behavioral1/memory/2748-40-0x0000000010000000-0x00000000101B6000-memory.dmp	UPX
behavioral1/memory/2416-48-0x0000000010000000-0x00000000101B6000-memory.dmp	UPX
behavioral1/memory/2416-51-0x0000000010000000-0x00000000101B6000-memory.dmp	UPX
behavioral1/memory/2512-34-0x0000000010000000-0x00000000101B6000-memory.dmp	UPX
behavioral1/memory/2416-53-0x0000000010000000-0x00000000101B6000-memory.dmp	UPX

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatfor.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Remote Data\Parameters\ServiceDll = "C:\\Windows\\system32\\259423672.txt"	R.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatfor.exe

Executes dropped EXE 7 IoCs

pid	Process
2012	R.exe
2512	N.exe
2748	TXPlatfor.exe
2416	TXPlatfor.exe
2420	HD_2024-03-18_e0138f4585a43fdfede9203ffbbb66d2_icedid.exe
1364	Process not Found
1040	Remote Data.exe

Loads dropped DLL 8 IoCs

pid	Process
2248	2024-03-18_e0138f4585a43fdfede9203ffbbb66d2_icedid.exe
2012	R.exe
2052	svchost.exe
2248	2024-03-18_e0138f4585a43fdfede9203ffbbb66d2_icedid.exe
2748	TXPlatfor.exe
2248	2024-03-18_e0138f4585a43fdfede9203ffbbb66d2_icedid.exe
2052	svchost.exe
1040	Remote Data.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2512-18-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2512-22-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2512-21-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2748-40-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2416-48-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2416-51-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2512-34-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2416-53-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe
File created	C:\Windows\SysWOW64\TXPlatfor.exe	N.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatfor.exe	N.exe
File created	C:\Windows\SysWOW64\259423672.txt	R.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	R.exe
File created	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2668	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2248	2024-03-18_e0138f4585a43fdfede9203ffbbb66d2_icedid.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
2416	TXPlatfor.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2512	N.exe
Token: SeLoadDriverPrivilege	2416	TXPlatfor.exe
Token: 33	2416	TXPlatfor.exe
Token: SeIncBasePriorityPrivilege	2416	TXPlatfor.exe
Token: 33	2416	TXPlatfor.exe
Token: SeIncBasePriorityPrivilege	2416	TXPlatfor.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2248	2024-03-18_e0138f4585a43fdfede9203ffbbb66d2_icedid.exe
2248	2024-03-18_e0138f4585a43fdfede9203ffbbb66d2_icedid.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2012	2248	2024-03-18_e0138f4585a43fdfede9203ffbbb66d2_icedid.exe	28
PID 2248 wrote to memory of 2012	2248	2024-03-18_e0138f4585a43fdfede9203ffbbb66d2_icedid.exe	28
PID 2248 wrote to memory of 2012	2248	2024-03-18_e0138f4585a43fdfede9203ffbbb66d2_icedid.exe	28
PID 2248 wrote to memory of 2012	2248	2024-03-18_e0138f4585a43fdfede9203ffbbb66d2_icedid.exe	28
PID 2248 wrote to memory of 2512	2248	2024-03-18_e0138f4585a43fdfede9203ffbbb66d2_icedid.exe	31
PID 2248 wrote to memory of 2512	2248	2024-03-18_e0138f4585a43fdfede9203ffbbb66d2_icedid.exe	31
PID 2248 wrote to memory of 2512	2248	2024-03-18_e0138f4585a43fdfede9203ffbbb66d2_icedid.exe	31
PID 2248 wrote to memory of 2512	2248	2024-03-18_e0138f4585a43fdfede9203ffbbb66d2_icedid.exe	31
PID 2248 wrote to memory of 2512	2248	2024-03-18_e0138f4585a43fdfede9203ffbbb66d2_icedid.exe	31
PID 2248 wrote to memory of 2512	2248	2024-03-18_e0138f4585a43fdfede9203ffbbb66d2_icedid.exe	31
PID 2248 wrote to memory of 2512	2248	2024-03-18_e0138f4585a43fdfede9203ffbbb66d2_icedid.exe	31
PID 2512 wrote to memory of 2156	2512	N.exe	33
PID 2512 wrote to memory of 2156	2512	N.exe	33
PID 2512 wrote to memory of 2156	2512	N.exe	33
PID 2512 wrote to memory of 2156	2512	N.exe	33
PID 2748 wrote to memory of 2416	2748	TXPlatfor.exe	34
PID 2748 wrote to memory of 2416	2748	TXPlatfor.exe	34
PID 2748 wrote to memory of 2416	2748	TXPlatfor.exe	34
PID 2748 wrote to memory of 2416	2748	TXPlatfor.exe	34
PID 2748 wrote to memory of 2416	2748	TXPlatfor.exe	34
PID 2748 wrote to memory of 2416	2748	TXPlatfor.exe	34
PID 2748 wrote to memory of 2416	2748	TXPlatfor.exe	34
PID 2248 wrote to memory of 2420	2248	2024-03-18_e0138f4585a43fdfede9203ffbbb66d2_icedid.exe	36
PID 2248 wrote to memory of 2420	2248	2024-03-18_e0138f4585a43fdfede9203ffbbb66d2_icedid.exe	36
PID 2248 wrote to memory of 2420	2248	2024-03-18_e0138f4585a43fdfede9203ffbbb66d2_icedid.exe	36
PID 2248 wrote to memory of 2420	2248	2024-03-18_e0138f4585a43fdfede9203ffbbb66d2_icedid.exe	36
PID 2156 wrote to memory of 2668	2156	cmd.exe	37
PID 2156 wrote to memory of 2668	2156	cmd.exe	37
PID 2156 wrote to memory of 2668	2156	cmd.exe	37
PID 2156 wrote to memory of 2668	2156	cmd.exe	37
PID 2052 wrote to memory of 1040	2052	svchost.exe	38
PID 2052 wrote to memory of 1040	2052	svchost.exe	38
PID 2052 wrote to memory of 1040	2052	svchost.exe	38
PID 2052 wrote to memory of 1040	2052	svchost.exe	38

C:\Users\Admin\AppData\Local\Temp\2024-03-18_e0138f4585a43fdfede9203ffbbb66d2_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-18_e0138f4585a43fdfede9203ffbbb66d2_icedid.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Users\Admin\AppData\Local\Temp\R.exe
  C:\Users\Admin\AppData\Local\Temp\\R.exe
  2⤵
  - Sets DLL path for service in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:2012
- C:\Users\Admin\AppData\Local\Temp\N.exe
  C:\Users\Admin\AppData\Local\Temp\\N.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2668
- C:\Users\Admin\AppData\Local\Temp\HD_2024-03-18_e0138f4585a43fdfede9203ffbbb66d2_icedid.exe
  C:\Users\Admin\AppData\Local\Temp\HD_2024-03-18_e0138f4585a43fdfede9203ffbbb66d2_icedid.exe
  2⤵
  - Executes dropped EXE
  PID:2420

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
1⤵
PID:2908

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Windows\SysWOW64\Remote Data.exe
  "C:\Windows\system32\Remote Data.exe" "c:\windows\system32\259423672.txt",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1040

C:\Windows\SysWOW64\TXPlatfor.exe
C:\Windows\SysWOW64\TXPlatfor.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\SysWOW64\TXPlatfor.exe
  C:\Windows\SysWOW64\TXPlatfor.exe -acsi
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HD_2024-03-18_e0138f4585a43fdfede9203ffbbb66d2_icedid.exe

Filesize
64KB

MD5
058085fac48bed5082e1d33a446be333

SHA1
6992ae5d14bb5f6971b46fcf339b20127deea815

SHA256
c2456f10477277eea54da28b5a9bbe492edfa04afd931508044b69ff14abb136

SHA512
7b1381758bd37dcdc0af3445d3e5d29e67f8f2a088ba609a0daa903ef5dfa6112d62a14228f69d8c4db529ab1c4a45c56e6b8f2f625af10043452a288bda51aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
2.6MB

MD5
274fe01eb0f4cd402c3cfdeda4b30715

SHA1
72db93e86caaadf2f28e5265ebfbc2ea6ba9e705

SHA256
843743adaef60d2f490d2702487f7687ffa36524d11ad89feed31bbddfd21d40

SHA512
6d71d57566f436c6e1242421070bca8c62ba95a7ccfc73ae5efef54f93482b3e3b742bda361b7c713a5e5158f11310401341bd1ddd4f011ba33f77c5e9543798

Download Submit
C:\Users\Admin\AppData\Local\Temp\N.exe

Filesize
170KB

MD5
748de0c306da8c055a1b620e676d9a45

SHA1
9e653c29393e2e5ebf52ffcbd3a3483dcddac085

SHA256
f578643d3d8b9cef244d3381d9a4b3b54a181a6979db030f48bbaba28a3310d7

SHA512
04d9d1d122ca3003a3cb24e948ee7e9e26786c4ba739c112e392f9607a83c217424f9bc5ab3631a53dd9fb973b87f2332acccb28b757f2b50a43be25437f8447

Download Submit
C:\Users\Admin\AppData\Local\Temp\R.exe

Filesize
842KB

MD5
59f98b9ed21269f945e733206c03df69

SHA1
c3782940285fd2a7a4cc3103960c85f93a74147a

SHA256
f0bae6ba93aeeea130b416a0b8ba6196d395ade95a25c699eb7b08ea5250789f

SHA512
1e36e128d1e3790829578d92d84a7fcdfd91326bbf076fb25010b397862d623ddc7adb2556ad2cc5aeb9f492ac65b64279d8b3cc2d16bb02780ba601f1d15122

Download Submit
C:\Windows\SysWOW64\TXPlatfor.exe

Filesize
223KB

MD5
314f67b936b02cef57329d8241e3e641

SHA1
df9b7f0e65716d8bce0133dddd22d9abe2b1ef9e

SHA256
ba7fa722b23768f2732711f0b93986832195d92542b1776ba2e2d8f4e2a6908a

SHA512
364b5beb97bb8987295203a531361ab86416ef90c2d3e1bc5800287e0806b9e96baf40a5848905d61a91d18ff19ac003830cacf02e6808fa4cc785825bd159d0

Download Submit
C:\Windows\SysWOW64\TXPlatfor.exe

Filesize
234KB

MD5
45071b4ea0c63a34c4a2184b1a3538ee

SHA1
1e3c01608dbeda330e3e34f66280cdc777d67b67

SHA256
ee629464544830d9a6213fcd756eecbae2a587f8345cedf961a3f1713102db17

SHA512
61eaface3a3464b5132cf9d4f375e100c2046cf4615912e4905b91d710703faccf5a669081622ba037423941d6a4c90d68fd354897b9a7ac61df61237d2cb8f6

Download Submit
\??\c:\windows\SysWOW64\259423672.txt

Filesize
868KB

MD5
dc1e3b6e8912bd6ac5cbc9c20131cd44

SHA1
9c23c68e6966169365ddcd7aa33ee6a465e4c422

SHA256
444e060079fe2cbc06625c82aee661878aa8405714ef69765f67d71defa1556b

SHA512
500b8ef0a0018fe13eb2de9d6e18c3664aa8159426a59b6b85554c20c88c7d3864e4b40526906993162f493482b21679abf1b0dca4769e5bb8906a20eb9ad71a

Download Submit
\Users\Admin\AppData\Local\Temp\HD_2024-03-18_e0138f4585a43fdfede9203ffbbb66d2_icedid.exe

Filesize
5KB

MD5
b5814f9ff352c6a0c5f62ffca8b6a48c

SHA1
aac01ed162a6a983921dc40cf1f189fe04154e60

SHA256
ad31a2c98d4b2b336a193da3f855bf6cc534a38376541b0d9f9728ddc12e5b0f

SHA512
fa71537d894c4e469c5d3c08e48b63947d8498a6be00e6aa51dc06e28fb3d45c32590c8ad63e14a7381b5bf6eabbe962a349499a751a4a23d529cf65042d5cd2

Download Submit
\Users\Admin\AppData\Local\Temp\HD_2024-03-18_e0138f4585a43fdfede9203ffbbb66d2_icedid.exe

Filesize
97KB

MD5
0655a0af4a2ff9bf591f614ba8f5721f

SHA1
b10d53dccec179109aff61b86ecca65be816f3c4

SHA256
d1a473a0dd813bd3565b810dcb8ff8bc7907478a994c564d55200925894e0d32

SHA512
9051043e6711b1f1b73f4137a8e4c16362c6be5d6c01b15f0430920ce096adf0b9f6a344462aadc5c2847ab5c0d9682df13803351449462dc5dda6059319d45f

Download Submit
\Users\Admin\AppData\Local\Temp\N.exe

Filesize
377KB

MD5
4a36a48e58829c22381572b2040b6fe0

SHA1
f09d30e44ff7e3f20a5de307720f3ad148c6143b

SHA256
3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

SHA512
5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

Download Submit
\Users\Admin\AppData\Local\Temp\R.exe

Filesize
680KB

MD5
2a9292911841146ca35df06cdc7634d0

SHA1
c541e313151b42f4d5172b910bc70e70452c9131

SHA256
6245d390873ec925f812b8f4b170a03089b05e369232c0648c5e383b3dd9d848

SHA512
962ec722e0a7747dafb9d4ef3aa5050e37f6261d625a0734f896e0e7c37a9421b073317a8e571d32f902d917db0c56c880d783252cc5032aac7fd2101ff888e7

Download Submit
\Windows\SysWOW64\259423672.txt

Filesize
738KB

MD5
a222ee8f22ee13b0a60a692ff5e47b23

SHA1
2dadd11b3709e78317e214f5147de69a36389af3

SHA256
0028e4948ee8ebe6f5731deb6a699fceac97f0bba84f4563e3ef318cfbb250c9

SHA512
0aaa701da165884c0d48f959beeebdfe6f26e20cef807fabffbafd9e0112356a8e0dd2e256033bdae7413e6977fe437d2fc5f08247140133b59e32d99c5c3e8a

Download Submit
\Windows\SysWOW64\259423672.txt

Filesize
899KB

MD5
69c022c15985b52c53120fdd39a808de

SHA1
316414ab9183d972adeca58fc59f5f5395e620c4

SHA256
3ec21e06d707655aa0ac2c9b78a3e12a340eb69ca99488318a1827d88399425c

SHA512
d8f491985dfa9ec67bb1f8e628f1086f88f809c073cbe6284d1341c6a281db9c08cf9dc768262c41b6ba3952f6b53e9ac1c419e01762d34489e5c70d98d0a768

Download Submit
\Windows\SysWOW64\259423672.txt

Filesize
582KB

MD5
501e58eaff9c675aae7dccf2049eb750

SHA1
808e3bf036a7465ec834f012d77a75ab3ace485f

SHA256
9ba919123d348e3e47bfcfe29119c7911a6cce222115101af32d473f4eed3254

SHA512
7c16314f661ae0669c3aa551b195bc1c664ea04bebfe8edb394a5f5b25d99470854656c2179793081ee2cc2122b7c9ca4e43108023f5f5fd18fa83254e876a4c

Download Submit
\Windows\SysWOW64\Remote Data.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
\Windows\SysWOW64\TXPlatfor.exe

Filesize
167KB

MD5
8bb1d435ccbdb14c2d0c9b5b2fdd6311

SHA1
0db413df709fc4284d84803f74d181daf7557f8f

SHA256
cf9f3ea21e1f9a5407ba0f71611730106c55b6a47ed6786aae320996b709975b

SHA512
e2b89d62b2ed742c4de1f7bd947a68a7f88637f5c400e65c3726582972081bb72276d871385cbef31790c44acc6f88983a6cae6b74cecb7264c5b7c016d1f0c5

Download Submit
memory/2416-51-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2416-48-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2416-53-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2512-34-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2512-21-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2512-22-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2512-18-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2748-40-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download