redline | c64dacc0f9d08f1d2eef9a299b99658351a68112584590e25521df796b63c9c3

Analysis

max time kernel
323s
max time network
337s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
29-02-2024 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GhostRat.zip
Size

519.2MB
MD5

053313b5bcade5af41229397b5eaa696
SHA1

a5ff75290f50455e8ec839dec6fd8c1cade417c8
SHA256

c64dacc0f9d08f1d2eef9a299b99658351a68112584590e25521df796b63c9c3
SHA512

57e291667ac6cb1b29b5542db47b9289d209dca88ea63bf548c13de5ef9442c60bd63653f5ff10a8abcff09fd948352e0222762801d30e5d53c30172b62d41a2
SSDEEP

12582912:iriTSjybeUc1q+zC7sHlxg6+vPA6uRrVJ:inUV+m7ulxg6+nA6u3

Score

10^/10

redline sectoprat cheat infostealer pyinstaller rat trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

138.2.103.61:19345

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\upgrade.exe	family_redline
behavioral1/memory/3352-15-0x0000000000D60000-0x0000000000D7E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\upgrade.exe	family_sectoprat
behavioral1/memory/3352-15-0x0000000000D60000-0x0000000000D7E000-memory.dmp	family_sectoprat
behavioral1/memory/3352-19-0x00000000058C0000-0x00000000058D0000-memory.dmp	family_sectoprat

Executes dropped EXE 4 IoCs

Processes:

upgrade.exeghostRat.exeghostRat.exe.temp.exe

pid process

3352 upgrade.exe
4756 ghostRat.exe
3356 ghostRat.exe
3220 .temp.exe

pid	process
3352	upgrade.exe
4756	ghostRat.exe
3356	ghostRat.exe
3220	.temp.exe

Loads dropped DLL 14 IoCs

Processes:

ghostRat.exe

pid	process
3356	ghostRat.exe
3356	ghostRat.exe
3356	ghostRat.exe
3356	ghostRat.exe
3356	ghostRat.exe
3356	ghostRat.exe
3356	ghostRat.exe
3356	ghostRat.exe
3356	ghostRat.exe
3356	ghostRat.exe
3356	ghostRat.exe
3356	ghostRat.exe
3356	ghostRat.exe
3356	ghostRat.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

4 pastebin.com
5 pastebin.com
3 pastebin.com

flow	ioc
4	pastebin.com
5	pastebin.com
3	pastebin.com

Detects Pyinstaller 4 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ghostRat.exe	pyinstaller
C:\Users\Admin\AppData\Local\Temp\ghostRat.exe	pyinstaller
C:\Users\Admin\AppData\Local\Temp\ghostRat.exe	pyinstaller
C:\Users\Admin\AppData\Local\Temp\ghostRat.exe	pyinstaller

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

.temp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Internet Explorer\TypedURLs	.temp.exe

Modifies registry class 3 IoCs

Processes:

.temp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.apk\DefaultIcon	.temp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.apk	.temp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.apk\DefaultIcon\ = "C:\\Users\\Admin\\Documents\\GhostRat\\GhostRat\\res\\Icons\\apk.ico"	.temp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

.temp.exe

pid	process
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe
3220	.temp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

upgrade.exe.temp.exe

description pid process

Token: SeDebugPrivilege 3352 upgrade.exe
Token: SeDebugPrivilege 3220 .temp.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

.temp.exe

pid process

3220 .temp.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

.temp.exe

pid process

3220 .temp.exe

description	pid	process
Token: SeDebugPrivilege	3352	upgrade.exe
Token: SeDebugPrivilege	3220	.temp.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

ghostRat.exeghostRat.exeghostRat.execmd.exe

description	pid	process	target process
PID 1956 wrote to memory of 3352	1956	ghostRat.exe	upgrade.exe
PID 1956 wrote to memory of 3352	1956	ghostRat.exe	upgrade.exe
PID 1956 wrote to memory of 3352	1956	ghostRat.exe	upgrade.exe
PID 1956 wrote to memory of 4756	1956	ghostRat.exe	ghostRat.exe
PID 1956 wrote to memory of 4756	1956	ghostRat.exe	ghostRat.exe
PID 4756 wrote to memory of 3356	4756	ghostRat.exe	ghostRat.exe
PID 4756 wrote to memory of 3356	4756	ghostRat.exe	ghostRat.exe
PID 3356 wrote to memory of 3740	3356	ghostRat.exe	cmd.exe
PID 3356 wrote to memory of 3740	3356	ghostRat.exe	cmd.exe
PID 3740 wrote to memory of 2408	3740	cmd.exe	attrib.exe
PID 3740 wrote to memory of 2408	3740	cmd.exe	attrib.exe
PID 3356 wrote to memory of 3220	3356	ghostRat.exe	.temp.exe
PID 3356 wrote to memory of 3220	3356	ghostRat.exe	.temp.exe
PID 3356 wrote to memory of 3220	3356	ghostRat.exe	.temp.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

2408 attrib.exe

pid	process
2408	attrib.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\GhostRat.zip
1⤵
PID:3884

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1768

C:\Users\Admin\Documents\GhostRat\GhostRat\ghostRat.exe
"C:\Users\Admin\Documents\GhostRat\GhostRat\ghostRat.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1956

C:\Users\Admin\AppData\Local\Temp\upgrade.exe
"C:\Users\Admin\AppData\Local\Temp\upgrade.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3352

C:\Users\Admin\AppData\Local\Temp\ghostRat.exe
"C:\Users\Admin\AppData\Local\Temp\ghostRat.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756

C:\Users\Admin\AppData\Local\Temp\ghostRat.exe
"C:\Users\Admin\AppData\Local\Temp\ghostRat.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s C:\Users\Admin\Documents\GhostRat\GhostRat\.temp.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:3740

C:\Windows\system32\attrib.exe
attrib +h +s C:\Users\Admin\Documents\GhostRat\GhostRat\.temp.exe
5⤵
- Views/modifies file attributes
PID:2408

C:\Users\Admin\Documents\GhostRat\GhostRat\.temp.exe
C:\Users\Admin\Documents\GhostRat\GhostRat\.temp.exe
4⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3220

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI47562\VCRUNTIME140.dll
Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47562\_bz2.pyd
Filesize
82KB

MD5
90f58f625a6655f80c35532a087a0319

SHA1
d4a7834201bd796dc786b0eb923f8ec5d60f719b

SHA256
bd8621fcc901fa1de3961d93184f61ea71068c436794af2a4449738ccf949946

SHA512
b5bb1ecc195700ad7bea5b025503edd3770b1f845f9beee4b067235c4e63496d6e0b19bdd2a42a1b6591d1131a2dc9f627b2ae8036e294300bb6983ecd644dc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47562\_decimal.pyd
Filesize
247KB

MD5
f78f9855d2a7ca940b6be51d68b80bf2

SHA1
fd8af3dbd7b0ea3de2274517c74186cb7cd81a05

SHA256
d4ae192bbd4627fc9487a2c1cd9869d1b461c20cfd338194e87f5cf882bbed12

SHA512
6b68c434a6f8c436d890d3c1229d332bd878e5777c421799f84d79679e998b95d2d4a013b09f50c5de4c6a85fcceb796f3c486e36a10cbac509a0da8d8102b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47562\_hashlib.pyd
Filesize
64KB

MD5
8baeb2bd6e52ba38f445ef71ef43a6b8

SHA1
4132f9cd06343ef8b5b60dc8a62be049aa3270c2

SHA256
6c50c9801a5caf0bb52b384f9a0d5a4aa182ca835f293a39e8999cf6edf2f087

SHA512
804a4e19ea622646cea9e0f8c1e284b7f2d02f3620199fa6930dbdadc654fa137c1e12757f87c3a1a71ceff9244aa2f598ee70d345469ca32a0400563fe3aa65

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47562\_lzma.pyd
Filesize
155KB

MD5
cf8de1137f36141afd9ff7c52a3264ee

SHA1
afde95a1d7a545d913387624ef48c60f23cf4a3f

SHA256
22d10e2d6ad3e3ed3c49eb79ab69a81aaa9d16aeca7f948da2fe80877f106c16

SHA512
821985ff5bc421bd16b2fa5f77f1f4bf8472d0d1564bc5768e4dbe866ec52865a98356bb3ef23a380058acd0a25cd5a40a1e0dae479f15863e48c4482c89a03f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47562\_queue.pyd
Filesize
31KB

MD5
5aa4b057ba2331eed6b4b30f4b3e0d52

SHA1
6b9db113c2882743984c3d8b70ec49fc4a136c23

SHA256
d43dca0e00c3c11329b68177e967cf5240495c4786f5afa76ac4f267c3a5cdb9

SHA512
aa5aa3285ea5c177eca055949c5f550dbd2d2699202a29efe2077213cbc95fff2a36d99eecce249ac04d95baf149b3d8c557a67fc39ead3229f0b329e83447b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47562\_socket.pyd
Filesize
81KB

MD5
439b3ad279befa65bb40ecebddd6228b

SHA1
d3ea91ae7cad9e1ebec11c5d0517132bbc14491e

SHA256
24017d664af20ee3b89514539345caac83eca34825fcf066a23e8a4c99f73e6d

SHA512
a335e1963bb21b34b21aef6b0b14ba8908a5343b88f65294618e029e3d4d0143ea978a5fd76d2df13a918ffab1e2d7143f5a1a91a35e0cc1145809b15af273bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47562\_ssl.pyd
Filesize
173KB

MD5
6774d6fb8b9e7025254148dc32c49f47

SHA1
212e232da95ec8473eb0304cf89a5baf29020137

SHA256
2b6f1b1ac47cb7878b62e8d6bb587052f86ca8145b05a261e855305b9ca3d36c

SHA512
5d9247dce96599160045962af86fc9e5439f66a7e8d15d1d00726ec1b3b49d9dd172d667380d644d05cb18e45a5419c2594b4bcf5a16ea01542ae4d7d9a05c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47562\base_library.zip
Filesize
1.3MB

MD5
ccee0ea5ba04aa4fcb1d5a19e976b54f

SHA1
f7a31b2223f1579da1418f8bfe679ad5cb8a58f5

SHA256
eeb7f0b3e56b03454868411d5f62f23c1832c27270cee551b9ca7d9d10106b29

SHA512
4f29ac5df211fef941bd953c2d34cb0c769fb78475494746cb584790d9497c02be35322b0c8f5c14fe88d4dd722733eda12496db7a1200224a014043f7d59166

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47562\certifi\cacert.pem
Filesize
283KB

MD5
302b49c5f476c0ae35571430bb2e4aa0

SHA1
35a7837a3f1b960807bf46b1c95ec22792262846

SHA256
cf9d37fa81407afe11dcc0d70fe602561422aa2344708c324e4504db8c6c5748

SHA512
1345af52984b570b1ff223032575feb36cdfb4f38e75e0bd3b998bc46e9c646f7ac5c583d23a70460219299b9c04875ef672bf5a0d614618731df9b7a5637d0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47562\charset_normalizer\md.cp312-win_amd64.pyd
Filesize
10KB

MD5
d9e0217a89d9b9d1d778f7e197e0c191

SHA1
ec692661fcc0b89e0c3bde1773a6168d285b4f0d

SHA256
ecf12e2c0a00c0ed4e2343ea956d78eed55e5a36ba49773633b2dfe7b04335c0

SHA512
3b788ac88c1f2d682c1721c61d223a529697c7e43280686b914467b3b39e7d6debaff4c0e2f42e9dddb28b522f37cb5a3011e91c66d911609c63509f9228133d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47562\charset_normalizer\md__mypyc.cp312-win_amd64.pyd
Filesize
120KB

MD5
bf9a9da1cf3c98346002648c3eae6dcf

SHA1
db16c09fdc1722631a7a9c465bfe173d94eb5d8b

SHA256
4107b1d6f11d842074a9f21323290bbe97e8eed4aa778fbc348ee09cc4fa4637

SHA512
7371407d12e632fc8fb031393838d36e6a1fe1e978ced36ff750d84e183cde6dd20f75074f4597742c9f8d6f87af12794c589d596a81b920c6c62ee2ba2e5654

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47562\libcrypto-3.dll
Filesize
4.9MB

MD5
51e8a5281c2092e45d8c97fbdbf39560

SHA1
c499c810ed83aaadce3b267807e593ec6b121211

SHA256
2a234b5aa20c3faecf725bbb54fb33f3d94543f78fa7045408e905593e49960a

SHA512
98b91719b0975cb38d3b3c7b6f820d184ef1b64d38ad8515be0b8b07730e2272376b9e51631fe9efd9b8a1709fea214cf3f77b34eeb9fd282eb09e395120e7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47562\libcrypto-3.dll
Filesize
3.2MB

MD5
d53697de739b64bce876d8284a16eb87

SHA1
3e90cde73a888c9d7715b60c9de8870a036cee69

SHA256
c741eb6e841ab91b27fd560d960907aac739ca4ffad1f4d43a4c10cbafec8481

SHA512
7372639a33b43e0664e8ab9658e8080d702094ab3da205f5a1c9f5a2fd5b13e84f09bf0d32adacad49901bd1d0831cd024b8dcbcfee6957c2437733ec47a9e8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47562\libssl-3.dll
Filesize
771KB

MD5
bfc834bb2310ddf01be9ad9cff7c2a41

SHA1
fb1d601b4fcb29ff1b13b0d2ed7119bd0472205c

SHA256
41ad1a04ca27a7959579e87fbbda87c93099616a64a0e66260c983381c5570d1

SHA512
6af473c7c0997f2847ebe7cee8ef67cd682dee41720d4f268964330b449ba71398fda8954524f9a97cc4cdf9893b8bdc7a1cf40e9e45a73f4f35a37f31c6a9c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47562\python312.dll
Filesize
6.7MB

MD5
48ebfefa21b480a9b0dbfc3364e1d066

SHA1
b44a3a9b8c585b30897ddc2e4249dfcfd07b700a

SHA256
0cc4e557972488eb99ea4aeb3d29f3ade974ef3bcd47c211911489a189a0b6f2

SHA512
4e6194f1c55b82ee41743b35d749f5d92a955b219decacf9f1396d983e0f92ae02089c7f84a2b8296a3062afa3f9c220da9b7cd9ed01b3315ea4a953b4ecc6ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47562\select.pyd
Filesize
29KB

MD5
e1604afe8244e1ce4c316c64ea3aa173

SHA1
99704d2c0fa2687997381b65ff3b1b7194220a73

SHA256
74cca85600e7c17ea6532b54842e26d3cae9181287cdf5a4a3c50af4dab785e5

SHA512
7bf35b1a9da9f1660f238c2959b3693b7d9d2da40cf42c6f9eba2164b73047340d0adff8995049a2fe14e149eba05a5974eee153badd9e8450f961207f0b3d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47562\unicodedata.pyd
Filesize
1.1MB

MD5
fc47b9e23ddf2c128e3569a622868dbe

SHA1
2814643b70847b496cbda990f6442d8ff4f0cb09

SHA256
2a50d629895a05b10a262acf333e7a4a31db5cb035b70d14d1a4be1c3e27d309

SHA512
7c08683820498fdff5f1703db4ad94ad15f2aa877d044eddc4b54d90e7dc162f48b22828cd577c9bb1b56f7c11f777f9785a9da1867bf8c0f2b6e75dc57c3f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghostRat.exe
Filesize
34.1MB

MD5
d8c31420a45b10b207cb9b982495ea95

SHA1
bb834296be0866fd5386aa17ec8bf6c74af6f412

SHA256
2f8cc103c8cefdf4e92d2a881914cafc5af7582f231e2603e70ba37bfc288397

SHA512
751b0d35f2a82f904e0c121f875af22d91c4692ee80edbb338c72462c6a790ecb2df7c4be6aa2c2207a6df1994e9fa1411249de18a95c4d12758366094ea3ebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghostRat.exe
Filesize
6.9MB

MD5
be0102147f69686b43872f351e122169

SHA1
c8b3e79cabb17b9157ae487068ef5383d107a252

SHA256
019672a29c133f1e4af12968b91af2abed005a58b9f236580d236a05070dda3c

SHA512
782ae0eda7b61b20fa4e77e90216586a2e9f5f246e1c56995ad7dcce5757804753663e109289a252eb680353f46b18c31212aaa9ef4f758828cd1e5425fcf33d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghostRat.exe
Filesize
6.5MB

MD5
8d224cd56876f30488e267a721ab3613

SHA1
552e4b7d0d61145a193ad718257f7f3fed47c989

SHA256
6712feba655ec2f575efb9720cfd1e517ce68e2492ac3160757e73cab9aea40e

SHA512
126b3eb6f0e91ca05f38ca9d911a2cb271c4009823bf188e6b6accd2b322be57c89efee052cab4bf861e0c554eb3e2b87ceb9f8b06a7a0c72aaeb1434024d333

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghostRat.exe
Filesize
7.0MB

MD5
b67552998026d5a815039a5465e308da

SHA1
55b3c0a903b38db8362956a5d2508ea4552b74a2

SHA256
67de9d5f263da572aa7df80201b3f920a0cc0abe8fe8eb039abd0386cfc25ec6

SHA512
87ded932b128c12740d4e0d5ebbc7afba428a1bafeaada37dc124bbec2fdf1ed392eb19e70b2abb8f8e4016732f7452db9255aac18b2d5437e36a7edb33cd07e

Download Submit
C:\Users\Admin\AppData\Local\Temp\upgrade.exe
Filesize
95KB

MD5
09df6098940807edf2129e1ba3f22189

SHA1
6994ecd4ee8cd778b595a58f42cc9fed0ccead04

SHA256
44e6b5dd62b07965fc201666487a92a535cfc492413db2a7d8274ba60be695d4

SHA512
85408e2341f3d4be7a287b055bbf1c8c987191e6ef96cb931cef58586e675ad3f78c42af09eb82cceb9b7e30566ba7d28b39769c9f703ca4d95898bc93554f3c

Download Submit
C:\Users\Admin\AppData\Local\安卓远控\.temp.exe_Url_r5j10fetpprx1nkuxaz2xyx15omxfmrp\6.0.0.0\a3ji11uu.newcfg
Filesize
1KB

MD5
a3261ae751f4b30ef5fa426b4eceb10a

SHA1
2991a46dee3748c9c51ab4a3db35d62dd10f9279

SHA256
3f297c0fd48d56864aed4aff61fae6cf7c5414257dfb95343be82e760a4fece1

SHA512
83acfca2d437e296558b7fcf0aa06d75fca4f67fbf6ae3076a16fea99391efd793c2c0ef658ff3baa70a93dc9cf97a45d5bf82c5418313851b8509581f158c86

Download Submit
C:\Users\Admin\AppData\Local\安卓远控\.temp.exe_Url_r5j10fetpprx1nkuxaz2xyx15omxfmrp\6.0.0.0\user.config
Filesize
814B

MD5
5e46ee9633df55b8d74dbf9a5e85050b

SHA1
2cb4e55fde6ba1de14d70279e7748c6a14cb28fd

SHA256
acdceea373b9987355fef182a5a7d6cd1a0af45b2c5e3d799c8f92cb0745e2d8

SHA512
5c6448b70c72aa4c9e25c17fdad9ef57ca4553d8a1e3e5b7e189a524b00db5d51218e6e9daa519ea64ebbd22dd1c38a5ad79d47ae3ef709db3ca3646960d0ea2

Download Submit
C:\Users\Admin\AppData\Local\安卓远控\.temp.exe_Url_r5j10fetpprx1nkuxaz2xyx15omxfmrp\6.0.0.0\user.config
Filesize
932B

MD5
306752758841933440e3f486f931ad48

SHA1
bfcdd257c5d0f73f037a3fe36d22fa3a30fcbb77

SHA256
19c0c69c423d5512bc588028d756450e2ed83e00fa4fd302239c3e2d477bd32e

SHA512
9805009f7fbe12ede1f54b6374aa12ac8a6f363334f97e6867d0fc6e40bb45e33bdb086a4342f0b3e6eb4386dd64fe87f4336beda644e033c51e9743fec6ecf6

Download Submit
C:\Users\Admin\Documents\GhostRat\GhostRat\.temp.exe
Filesize
14.9MB

MD5
2afe7e804ef61bf0078dd19f3dafb33d

SHA1
6c0655f4237ea814c3672d95bdbf821ebdd11354

SHA256
352b714bff51f8285d230bcee7be1730552ae84d1aabfc318f583f3b87bb6e16

SHA512
9a381c9257b086462580df52c39a6da7eff8735de8c9e4f520b1dbd8d2b9dc5e88464b69ecad7c48e88ef7676cbf7e60533dbfcd0d636caf9b5cf924991c29cc

Download Submit
C:\Users\Admin\Documents\GhostRat\GhostRat\.temp.exe
Filesize
5.3MB

MD5
07edfcd16dde558f8eaf5636ed3862bf

SHA1
7207bd9187becf7d8dcb6c69a6fed0ce44287a15

SHA256
e07862fc148358379dc04ffb19267eed98b316dcbcb3a6b90c95e51570232a44

SHA512
b6bd97df6ce4263509439ff93194115f27ae9b603c07de075ca597dc5c0d00d5fa12b7fa1fc53b830cab981c7e87e83356730f66c3049151abb19c4ccbfe7716

Download Submit
memory/1956-0-0x00007FFA00260000-0x00007FFA00D22000-memory.dmp

Filesize
10.8MB

Download
memory/1956-3-0x000000000C730000-0x000000000C740000-memory.dmp

Filesize
64KB

Download
memory/1956-30-0x00007FFA00260000-0x00007FFA00D22000-memory.dmp

Filesize
10.8MB

Download
memory/1956-1-0x00000000009C0000-0x00000000019C0000-memory.dmp

Filesize
16.0MB

Download
memory/3220-114-0x00000000104F0000-0x0000000010500000-memory.dmp

Filesize
64KB

Download
memory/3220-115-0x00000000104F0000-0x0000000010500000-memory.dmp

Filesize
64KB

Download
memory/3220-86-0x000000000FBA0000-0x000000000FC3C000-memory.dmp

Filesize
624KB

Download
memory/3220-96-0x0000000019E50000-0x0000000019FF6000-memory.dmp

Filesize
1.6MB

Download
memory/3220-136-0x00000000104F0000-0x0000000010500000-memory.dmp

Filesize
64KB

Download
memory/3220-84-0x0000000074E70000-0x0000000075621000-memory.dmp

Filesize
7.7MB

Download
memory/3220-85-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3220-134-0x00000000104F0000-0x0000000010500000-memory.dmp

Filesize
64KB

Download
memory/3220-88-0x000000000FCC0000-0x000000000FD52000-memory.dmp

Filesize
584KB

Download
memory/3220-87-0x000000000FD80000-0x0000000010326000-memory.dmp

Filesize
5.6MB

Download
memory/3220-89-0x00000000104F0000-0x0000000010500000-memory.dmp

Filesize
64KB

Download
memory/3220-91-0x0000000010500000-0x0000000010556000-memory.dmp

Filesize
344KB

Download
memory/3220-135-0x00000000104F0000-0x0000000010500000-memory.dmp

Filesize
64KB

Download
memory/3220-97-0x0000000019BE0000-0x0000000019C46000-memory.dmp

Filesize
408KB

Download
memory/3220-92-0x0000000010780000-0x00000000107F6000-memory.dmp

Filesize
472KB

Download
memory/3220-133-0x00000000104F0000-0x0000000010500000-memory.dmp

Filesize
64KB

Download
memory/3220-132-0x00000000104F0000-0x0000000010500000-memory.dmp

Filesize
64KB

Download
memory/3220-116-0x00000000104F0000-0x0000000010500000-memory.dmp

Filesize
64KB

Download
memory/3220-90-0x00000000103A0000-0x00000000103AA000-memory.dmp

Filesize
40KB

Download
memory/3220-98-0x0000000074E70000-0x0000000075621000-memory.dmp

Filesize
7.7MB

Download
memory/3220-99-0x00000000104F0000-0x0000000010500000-memory.dmp

Filesize
64KB

Download
memory/3220-100-0x00000000104F0000-0x0000000010500000-memory.dmp

Filesize
64KB

Download
memory/3220-93-0x00000000104F0000-0x0000000010500000-memory.dmp

Filesize
64KB

Download
memory/3352-19-0x00000000058C0000-0x00000000058D0000-memory.dmp

Filesize
64KB

Download
memory/3352-15-0x0000000000D60000-0x0000000000D7E000-memory.dmp

Filesize
120KB

Download
memory/3352-26-0x0000000005AF0000-0x0000000005BFA000-memory.dmp

Filesize
1.0MB

Download
memory/3352-16-0x0000000005EF0000-0x0000000006508000-memory.dmp

Filesize
6.1MB

Download
memory/3352-14-0x0000000074E70000-0x0000000075621000-memory.dmp

Filesize
7.7MB

Download
memory/3352-21-0x00000000058D0000-0x000000000591C000-memory.dmp

Filesize
304KB

Download
memory/3352-18-0x0000000005840000-0x000000000587C000-memory.dmp

Filesize
240KB

Download
memory/3352-95-0x00000000058C0000-0x00000000058D0000-memory.dmp

Filesize
64KB

Download
memory/3352-94-0x0000000074E70000-0x0000000075621000-memory.dmp

Filesize
7.7MB

Download
memory/3352-17-0x00000000057E0000-0x00000000057F2000-memory.dmp

Filesize
72KB

Download