gh0strat | da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 22:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
Size

13.0MB
MD5

928ac3e66f32c2aca17a597166dacf6d
SHA1

0c42d4b74f05f116d24417493f6a32de74ed8ed6
SHA256

da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955
SHA512

52b00f64a35c0157c526f49222263425c131f01402142722c116c969425861745b45df1a1ae4c38bb1f6bfcbf066aff7b148e25d126ed07ace9647950edb8500
SSDEEP

393216:m7rnOjP6uFHT+wY8MHqS93peDaAWXy8YRdt:OajPPFHTcHhprgrLt

Score

10^/10

gh0strat purplefox persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 8 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral2/memory/228-20-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/228-21-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/228-19-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1756-28-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1756-29-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4492-37-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4492-39-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4492-44-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 9 IoCs

resource	yara_rule
behavioral2/files/0x000700000002343b-5.dat	family_gh0strat
behavioral2/memory/228-20-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/228-21-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/228-19-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1756-28-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1756-29-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4492-37-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4492-39-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4492-44-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatfor.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Remote Data\Parameters\ServiceDll = "C:\\Windows\\system32\\240604234.txt"	R.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatfor.exe

Executes dropped EXE 6 IoCs

pid	Process
408	R.exe
228	N.exe
1756	TXPlatfor.exe
4492	TXPlatfor.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
2188	Remote Data.exe

Loads dropped DLL 3 IoCs

pid	Process
408	R.exe
5108	svchost.exe
2188	Remote Data.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/228-17-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/228-20-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/228-21-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/228-19-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1756-26-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1756-28-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1756-29-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4492-37-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4492-39-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4492-44-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\240604234.txt	R.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	R.exe
File created	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe
File created	C:\Windows\SysWOW64\TXPlatfor.exe	N.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatfor.exe	N.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4692	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1508	da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1508	da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
4492	TXPlatfor.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	228	N.exe
Token: SeLoadDriverPrivilege	4492	TXPlatfor.exe
Token: 33	4708	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4708	AUDIODG.EXE
Token: 33	4492	TXPlatfor.exe
Token: SeIncBasePriorityPrivilege	4492	TXPlatfor.exe
Token: 33	4492	TXPlatfor.exe
Token: SeIncBasePriorityPrivilege	4492	TXPlatfor.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1508	da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1508	da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
1528	HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 408	1508	da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe	81
PID 1508 wrote to memory of 408	1508	da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe	81
PID 1508 wrote to memory of 408	1508	da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe	81
PID 1508 wrote to memory of 228	1508	da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe	84
PID 1508 wrote to memory of 228	1508	da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe	84
PID 1508 wrote to memory of 228	1508	da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe	84
PID 228 wrote to memory of 5092	228	N.exe	86
PID 228 wrote to memory of 5092	228	N.exe	86
PID 228 wrote to memory of 5092	228	N.exe	86
PID 1756 wrote to memory of 4492	1756	TXPlatfor.exe	87
PID 1756 wrote to memory of 4492	1756	TXPlatfor.exe	87
PID 1756 wrote to memory of 4492	1756	TXPlatfor.exe	87
PID 1508 wrote to memory of 1528	1508	da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe	89
PID 1508 wrote to memory of 1528	1508	da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe	89
PID 1508 wrote to memory of 1528	1508	da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe	89
PID 5092 wrote to memory of 4692	5092	cmd.exe	90
PID 5092 wrote to memory of 4692	5092	cmd.exe	90
PID 5092 wrote to memory of 4692	5092	cmd.exe	90
PID 5108 wrote to memory of 2188	5108	svchost.exe	91
PID 5108 wrote to memory of 2188	5108	svchost.exe	91
PID 5108 wrote to memory of 2188	5108	svchost.exe	91

C:\Users\Admin\AppData\Local\Temp\da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
"C:\Users\Admin\AppData\Local\Temp\da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Users\Admin\AppData\Local\Temp\R.exe
  C:\Users\Admin\AppData\Local\Temp\\R.exe
  2⤵
  - Server Software Component: Terminal Services DLL
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:408
- C:\Users\Admin\AppData\Local\Temp\N.exe
  C:\Users\Admin\AppData\Local\Temp\\N.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5092
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      Runs ping.exe
      PID:4692
- C:\Users\Admin\AppData\Local\Temp\HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
  C:\Users\Admin\AppData\Local\Temp\HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1528

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
1⤵
PID:3816

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Windows\SysWOW64\Remote Data.exe
  "C:\Windows\system32\Remote Data.exe" "c:\windows\system32\240604234.txt",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2188

C:\Windows\SysWOW64\TXPlatfor.exe
C:\Windows\SysWOW64\TXPlatfor.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\SysWOW64\TXPlatfor.exe
  C:\Windows\SysWOW64\TXPlatfor.exe -acsi
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:4492

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x490 0x30c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\NewWukong\悟空神辅配置文件.ini

Filesize
146B

MD5
6f4c7a2ae02a47989e9c8f9dccc0ffa8

SHA1
7a65b8dfc6a26446d46a649199c71b01bd3d199c

SHA256
429703ba4aea8890369bb89a4489aded4bc75c35035aa59b2f3232679165623e

SHA512
5fbd3bb40a8f9ab7f3a838b3812001e353b3e6bcd2f7323f0c7a39c6ba1165e958dfcf0336a3ad551c9ec4a2d02688fc78311e9e58db54785bf70cd3e4e835db

Download Submit
C:\Users\Admin\AppData\Local\NewWukong\悟空神辅配置文件.ini

Filesize
332B

MD5
e28edcc12cc0545fbc7313c100a625e9

SHA1
68a5ddc6e7f56f491e738e1e3c9f90c0ba7a9537

SHA256
18a89172904ec715fecedd2a9d3e78cef56afd314277e00bbb59d5e4ce18aac2

SHA512
a7c8e53cc5ca77b1bb0e1d6c1079154c201ef7b4e923e72d0eb93cb7a10ca5d197a326a86ff279c8b47745d758d347e370ecb2b3094d1882462db24892765b0f

Download Submit
C:\Users\Admin\AppData\Local\NewWukong\悟空神辅配置文件.ini

Filesize
528B

MD5
43e8cdec8f31bd1dd040681bae1193ca

SHA1
55b60560a93ff3e72998266a0b03b638d57657a4

SHA256
d7ce58edc46f34e943c4bffc818051a36c955e1677e8b12241b660a6d74838ba

SHA512
515fb70f058bcea354ff3ab494553bb06cc08bd876c5657762ccebd1430009c85489bd41f8a42972aab894c1616619e2a9ffe84274f764d8766edde665721882

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
2.7MB

MD5
150f3eedecea08df746a32d4aad1fe0d

SHA1
d36cef91cc8bc55ce319a3321fb071b78619d275

SHA256
6ffe30766e6bb61133dd00c267bf9fd8f28b919919937b7ef4623017cc615a35

SHA512
6e503725cafd725aa7d2b39e81820b365f7ecb1affe6fa8a2bbc2192f2b848e026274593acde60f79f35024714dfd8af212798121e20de3696a2a002734983bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_da4a4ccc5022abce850a2d77821a6dc3fc534dd3d30e5f476e7a88301ebef955.exe

Filesize
10.3MB

MD5
ebfeb7530f6733283f67a7c88305f68f

SHA1
41ee2c969afc97a24c427854bb97f144a56931f4

SHA256
c9bba1141086817d8e7a02ed904afab8661315d4753239fe7f2795a4e3359f9e

SHA512
99d10df1b73e6f7c86113577dd0abf60ab5de82875a2f82f787ca1412176147ee865d0e0be0792c6f94681f272dd43328efb9b6a3302f07a9668003a52551f8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\N.exe

Filesize
377KB

MD5
4a36a48e58829c22381572b2040b6fe0

SHA1
f09d30e44ff7e3f20a5de307720f3ad148c6143b

SHA256
3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

SHA512
5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\R.exe

Filesize
941KB

MD5
8dc3adf1c490211971c1e2325f1424d2

SHA1
4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5

SHA256
bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c

SHA512
ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

Download Submit
C:\Windows\SysWOW64\240604234.txt

Filesize
899KB

MD5
8150577e24baf9a6677c50b6dbc057f4

SHA1
e1de4bddabc399a0a83cb80a1de06921d9700058

SHA256
9a191e75942ae370054aa0b4f31ee196945f344655ae391ecbb3b2c99b331308

SHA512
75f7593be42a901e9ef94c5e57c7061a76b88e33a1e989667e725715c9bead37f2a749223f798f5b39d14bfc2d24a299f58bcf7098c3b499d79ebcebdd675b20

Download Submit
C:\Windows\SysWOW64\Remote Data.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
memory/228-17-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/228-19-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/228-21-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/228-20-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1528-65-0x0000000003BD0000-0x0000000003D10000-memory.dmp

Filesize
1.2MB

Download
memory/1528-66-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/1528-48-0x0000000000400000-0x000000000192D000-memory.dmp

Filesize
21.2MB

Download
memory/1528-45-0x0000000000400000-0x000000000192D000-memory.dmp

Filesize
21.2MB

Download
memory/1528-49-0x0000000000400000-0x000000000192D000-memory.dmp

Filesize
21.2MB

Download
memory/1528-62-0x0000000000400000-0x000000000192D000-memory.dmp

Filesize
21.2MB

Download
memory/1528-63-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/1528-64-0x0000000003BD0000-0x0000000003D10000-memory.dmp

Filesize
1.2MB

Download
memory/1528-68-0x0000000003BD0000-0x0000000003D10000-memory.dmp

Filesize
1.2MB

Download
memory/1528-67-0x0000000003BD0000-0x0000000003D10000-memory.dmp

Filesize
1.2MB

Download
memory/1528-165-0x0000000000400000-0x000000000192D000-memory.dmp

Filesize
21.2MB

Download
memory/1528-47-0x0000000000400000-0x000000000192D000-memory.dmp

Filesize
21.2MB

Download
memory/1528-164-0x0000000000400000-0x000000000192D000-memory.dmp

Filesize
21.2MB

Download
memory/1528-73-0x0000000000400000-0x000000000192D000-memory.dmp

Filesize
21.2MB

Download
memory/1528-154-0x0000000000400000-0x000000000192D000-memory.dmp

Filesize
21.2MB

Download
memory/1756-29-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1756-28-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1756-26-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4492-37-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4492-39-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4492-44-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download