General Info

File name

Sample_5bfd1df5881d4511b4af1fe8.exe

Full analysis
https://app.any.run/tasks/d80a6a03-bcf6-4292-94ce-f31bfe56fc06
Verdict
Malicious activity
Analysis date
12/6/2018, 16:18:48
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5

cd0f7f29e337f2ebe455ba4a85fb2b70

SHA1

1c719c8a8262a07682d6dfa1bfa595d5435f06b8

SHA256

c546b8dc641f33e24d6bbfec825854b4e5a9b104c13153cc8f110e382a897d47

SSDEEP

6144:aDjjxPFc3D9DGxPFcc+3DXm3LueuPxPFc3D9DGxPFcc+31Xm3ZDD4nomq:g8vx3Ovx3k4nI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Application was dropped or rewritten from another process
  • GhostService.exe (PID: 2972)
  • GhostForm.exe (PID: 2820)
Loads dropped or rewritten executable
  • GhostForm.exe (PID: 2820)
  • GhostService.exe (PID: 2972)
Executable content was dropped or overwritten
  • GhostService.exe (PID: 2972)
  • Sample_5bfd1df5881d4511b4af1fe8.exe (PID: 3896)
Starts CMD.EXE for commands execution
  • Sample_5bfd1df5881d4511b4af1fe8.exe (PID: 3896)
Starts SC.EXE for service management
  • cmd.exe (PID: 4008)
Creates files in the user directory
  • Sample_5bfd1df5881d4511b4af1fe8.exe (PID: 3896)
Dropped object may contain Bitcoin addresses
  • Sample_5bfd1df5881d4511b4af1fe8.exe (PID: 3896)
  • GhostService.exe (PID: 2972)

Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report

Static information

TRiD
.exe | Generic CIL Executable (.NET, Mono, etc.) (82.9%)
.dll | Win32 Dynamic Link Library (generic) (7.4%)
.exe | Win32 Executable (generic) (5.1%)
.exe | Generic Win/DOS Executable (2.2%)
.exe | DOS Executable Generic (2.2%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2018:10:07 17:26:04+02:00
PEType:
PE32
LinkerVersion:
11
CodeSize:
499712
InitializedDataSize:
151040
UninitializedDataSize:
null
EntryPoint:
0x7bf9e
OSVersion:
4
ImageVersion:
null
SubsystemVersion:
6
Subsystem:
Windows command line
FileVersionNumber:
1.0.0.0
ProductVersionNumber:
1.0.0.0
FileFlagsMask:
0x003f
FileFlags:
(none)
FileOS:
Win32
ObjectFileType:
Executable application
FileSubtype:
null
LanguageCode:
Neutral
CharacterSet:
Unicode
FileDescription:
Ghost
FileVersion:
1.0.0.0
InternalName:
Ghost.exe
LegalCopyright:
Copyright © 2018
OriginalFileName:
Ghost.exe
ProductName:
Ghost
ProductVersion:
1.0.0.0
AssemblyVersion:
1.0.0.0
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date:
07-Oct-2018 15:26:04
Debug artifacts
c:\Users\adons\Documents\Visual Studio 2012\Projects\Ghost\Ghost\obj\Debug\Ghost.pdb
FileDescription:
Ghost
FileVersion:
1.0.0.0
InternalName:
Ghost.exe
LegalCopyright:
Copyright © 2018
OriginalFilename:
Ghost.exe
ProductName:
Ghost
ProductVersion:
1.0.0.0
Assembly Version:
1.0.0.0
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x00000080
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
3
Time date stamp:
07-Oct-2018 15:26:04
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
Sections
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00002000 | 0x00079FA4 | 0x0007A000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.88369
.rsrc | 0x0007C000 | 0x00024B68 | 0x00024C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.51622
.reloc | 0x000A2000 | 0x0000000C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.10191
Resources
1, 2, 3, 4, 5, 6, 7, 8, 9, 32512 (resource IDs; 32512 is IDI_APPLICATION, the standard application-icon resource ID)

Imports
    mscoree.dll (the only import, _CorExeMain: the native stub that hands a managed assembly to the CLR)

Exports

    No exports.

Processes

Total processes
41
Monitored processes
6
Malicious processes
2
Suspicious processes
1

Behavior graph

Sample_5bfd1df5881d4511b4af1fe8.exe (PID 3472, did not start) → Sample_5bfd1df5881d4511b4af1fe8.exe (PID 3896) → cmd.exe (PID 4008) → sc.exe (PID 2732); GhostService.exe (PID 2972, dropped by PID 3896, runs as SYSTEM) → GhostForm.exe (PID 2820)

Process information

PID
3472
CMD
"C:\Users\admin\AppData\Local\Temp\Sample_5bfd1df5881d4511b4af1fe8.exe"
Path
C:\Users\admin\AppData\Local\Temp\Sample_5bfd1df5881d4511b4af1fe8.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the medium-integrity launch could not start because the sample requires elevation; with UAC auto-confirmation on, PID 3896 below is its elevated relaunch)
Version:
Company
Description
Ghost
Version
1.0.0.0
Modules
Image
c:\users\admin\appdata\local\temp\sample_5bfd1df5881d4511b4af1fe8.exe
c:\systemroot\system32\ntdll.dll

PID
3896
CMD
"C:\Users\admin\AppData\Local\Temp\Sample_5bfd1df5881d4511b4af1fe8.exe"
Path
C:\Users\admin\AppData\Local\Temp\Sample_5bfd1df5881d4511b4af1fe8.exe
Indicators
Parent process
––
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
Ghost
Version
1.0.0.0
Modules
Image
c:\users\admin\appdata\local\temp\sample_5bfd1df5881d4511b4af1fe8.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\oleaut32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\52cca48930e580e3189eac47158c20be\system.ni.dll
c:\windows\system32\shell32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\55560c2014611e9119f99923c9ebdeef\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\46957030830964165644b52b0696c5d9\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\d86b080a37c60a872c82b912a2a63dac\system.xml.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.serv759bfb78#\86909e4c4c7deb51e42b8f335c7aaa77\system.serviceprocess.ni.dll

PID
4008
CMD
cmd /c ""C:\Users\admin\AppData\Roaming\Ghost\Ghost.bat" "
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
Sample_5bfd1df5881d4511b4af1fe8.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msctf.dll
c:\windows\system32\imm32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\apphelp.dll

PID
2732
CMD
SC CREATE "GhostService" password= "FromHell" DisplayName= "Ghost" start= "auto" binPath= "C:\Users\admin\AppData\Roaming\Ghost\GhostService.exe"
Path
C:\Windows\system32\sc.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
A tool to aid in developing services for WindowsNT
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptbase.dll
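
The process chain above (sample → cmd.exe running Ghost.bat → sc.exe creating "GhostService") is the persistence technique worth hunting for. The following script is an added example, not ANY.RUN or sample code: it runs two rules over process-creation events constructed from this report's process tree (the event fields pid/ppid/image/cmdline are an assumption modelled on a process-creation log, and the AcmeAgent control event is invented as a benign comparison). Note that sc.exe's password= option only pairs with obj=; without obj= the service control manager ignores it and the service runs as LocalSystem, which is exactly what the GhostService.exe process entry (User SYSTEM) shows.

```python
"""Hunting the persistence chain recorded above: the sample writes Ghost.bat
under %APPDATA%\Ghost, runs it through cmd.exe, and the batch file calls
sc.exe to register an auto-start service whose binary lives in the user
profile. Added example, not ANY.RUN or sample code. The event layout
(pid/ppid/image/cmdline) is an assumption modelled on a process-creation
log; the events are constructed from the report's process tree."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int          # 0 when the log did not record a parent
    image: str
    cmdline: str


# Constructed from the report (PIDs, images, command lines as listed there),
# plus one invented benign control: an installer registering a service under Program Files.
EVENTS = [
    ProcEvent(3896, 0, r"C:\Users\admin\AppData\Local\Temp\Sample_5bfd1df5881d4511b4af1fe8.exe",
              r'"C:\Users\admin\AppData\Local\Temp\Sample_5bfd1df5881d4511b4af1fe8.exe"'),
    ProcEvent(4008, 3896, r"C:\Windows\system32\cmd.exe",
              r'cmd /c ""C:\Users\admin\AppData\Roaming\Ghost\Ghost.bat" "'),
    ProcEvent(2732, 4008, r"C:\Windows\system32\sc.exe",
              r'SC CREATE "GhostService" password= "FromHell" DisplayName= "Ghost" '
              r'start= "auto" binPath= "C:\Users\admin\AppData\Roaming\Ghost\GhostService.exe"'),
    ProcEvent(5000, 4999, r"C:\Windows\system32\sc.exe",
              r'sc create AcmeAgent start= auto binPath= "C:\Program Files\Acme\agent.exe"'),
]

# Locations a standard user can write to; a service image here is a persistence red flag.
USER_WRITABLE = re.compile(r"^[a-z]:\\(users\\|programdata\\|windows\\temp\\)", re.I)
SC_CREATE = re.compile(r'^\s*"?(?:[^"\s]*\\)?sc(?:\.exe)?"?\s+create\s+(?:"([^"]+)"|(\S+))', re.I)
# sc.exe syntax puts '=' on the option name and the value after a space: start= "auto" / start= auto
SC_OPT = re.compile(r'(\w+)=\s*(?:"([^"]*)"|(\S+))')
BATCH_IN_PROFILE = re.compile(r'([a-z]:\\users\\[^"]+?\.(?:bat|cmd))\b', re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_sc_create(cmdline):
    """Parse `sc create <name> opt= value ...` into {'name': ..., 'binpath': ..., ...};
    return None for any other sc.exe invocation (query, start, config)."""
    m = SC_CREATE.match(cmdline)
    if not m:
        return None
    opts = {k.lower(): (q or u) for k, q, u in SC_OPT.findall(cmdline[m.end():])}
    return {"name": m.group(1) or m.group(2), **opts}


def ancestors(ev, by_pid):
    """Parent chain recorded in the log, oldest first (stops at an unrecorded parent)."""
    chain, seen = [], set()
    p = by_pid.get(ev.ppid)
    while p is not None and p.pid not in seen:
        seen.add(p.pid)
        chain.append(p)
        p = by_pid.get(p.ppid)
    return chain[::-1]


def hunt(events):
    """Two rules over process-creation events:
      1. sc.exe creates a service whose binPath is in a user-writable directory;
      2. cmd.exe runs a .bat/.cmd stored in a user profile.
    Each finding names the rule, the event pid and the root of the recorded chain."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        exe = basename(ev.image)
        root = (ancestors(ev, by_pid) or [ev])[0]
        if exe == "sc.exe":
            svc = parse_sc_create(ev.cmdline)
            if svc and USER_WRITABLE.match(svc.get("binpath", "")):
                findings.append({
                    "rule": "service_binary_in_user_writable_path",
                    "pid": ev.pid, "service": svc["name"], "binpath": svc["binpath"],
                    "autostart": svc.get("start", "").lower() == "auto",
                    # password= only pairs with obj=; without obj= the SCM ignores it
                    # and the service runs as LocalSystem, as the report shows.
                    "account": svc.get("obj", "LocalSystem"),
                    "root": basename(root.image),
                })
        elif exe == "cmd.exe":
            m = BATCH_IN_PROFILE.search(ev.cmdline)
            if m:
                findings.append({"rule": "cmd_runs_batch_from_user_profile", "pid": ev.pid,
                                 "script": m.group(1), "root": basename(root.image)})
    return findings


if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```

Both findings resolve to the same root process (the sample), which is what links the batch execution and the service creation into one chain; the AcmeAgent control produces no finding because its binPath is under Program Files.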

PID
2972
CMD
C:\Users\admin\AppData\Roaming\Ghost\GhostService.exe
Path
C:\Users\admin\AppData\Roaming\Ghost\GhostService.exe
Indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Description
GhostService
Version
1.0.0.0
Modules
Image
c:\users\admin\appdata\roaming\ghost\ghostservice.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\oleaut32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\52cca48930e580e3189eac47158c20be\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.serv759bfb78#\86909e4c4c7deb51e42b8f335c7aaa77\system.serviceprocess.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\system32\wtsapi32.dll
c:\users\admin\appdata\roaming\ghost\ghosthammer.dll
c:\windows\system32\winsta.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\55560c2014611e9119f99923c9ebdeef\system.core.ni.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\apphelp.dll
\ghostform.exe
c:\windows\system32\rsaenh.dll
c:\windows\system32\bcrypt.dll

PID
2820
CMD
"C:\GhostForm.exe"
Path
C:\GhostForm.exe
Indicators
No indicators
Parent process
GhostService.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
GhostForm
Version
1.0.0.0
Modules
Image
c:\ghostform.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\oleaut32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\52cca48930e580e3189eac47158c20be\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\646b4b01cb29986f8e076aa65c9e9753\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\5aac750b35b27770dccb1a43f83cced7\system.windows.forms.ni.dll
c:\windows\system32\uxtheme.dll
c:\windows\microsoft.net\assembly\gac_msil\system.windows.forms\v4.0_4.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
\ghostfile.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
\ghosthammer.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\55560c2014611e9119f99923c9ebdeef\system.core.ni.dll
c:\windows\system32\shell32.dll
c:\windows\microsoft.net\framework\v4.0.30319\diasymreader.dll
c:\windows\system32\bcrypt.dll

Registry activity

Total events
429
Read events
421
Write events
8
Delete events
0

Modification events

PID | Process | Operation | Key | Name | Value
3896 | Sample_5bfd1df5881d4511b4af1fe8.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
3896 | Sample_5bfd1df5881d4511b4af1fe8.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
2972 | GhostService.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\GhostLog | MaxSize | 524288
2972 | GhostService.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\GhostLog | AutoBackupLogFiles | 0
2972 | GhostService.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\GhostLog\GhostLog | EventMessageFile | C:\Windows\Microsoft.NET\Framework\v4.0.30319\EventLogMessages.dll
2972 | GhostService.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\GhostLog\Ghost | EventMessageFile | C:\Windows\Microsoft.NET\Framework\v4.0.30319\EventLogMessages.dll

The four GhostLog writes are the footprint of a .NET service registering its own event log and event sources (System.Diagnostics.EventLog.CreateEventSource): the log key receives MaxSize and AutoBackupLogFiles, and each source receives an EventMessageFile pointing at the framework's generic EventLogMessages.dll. The two ZoneMap writes are the kind of side effect commonly seen when a process initialises urlmon/WinINet, both of which appear in the sample's module list, rather than a deliberate configuration change.

Files activity

Executable files
6
Suspicious files
21
Text files
3
Unknown types
1

Dropped files

PID
Process
Filename
Type
2972
GhostService.exe
C:\GhostHammer.dll
executable
MD5: 5db40b7c42376cc077383069a9c509eb
SHA256: f6b65a403417ea4d973b5d42dc16a35e7562b37350603bf2070d9a0da5ed5f66
2972
GhostService.exe
C:\GhostFile.dll
executable
MD5: 464da6c4465816cba2d278634e2b9d3e
SHA256: 9261284a9d5ecdf29a1584f80c28f4ee027cfaf3d14776779b61b3874643c0ed
3896
Sample_5bfd1df5881d4511b4af1fe8.exe
C:\Users\admin\AppData\Roaming\Ghost\GhostService.exe
executable
MD5: b93588bbb3f3f0addd5598586bbe2566
SHA256: f634ab004fa40fe3bcce8b34d5184e0ab68798a04026682663a3abd2e7d87065
3896
Sample_5bfd1df5881d4511b4af1fe8.exe
C:\Users\admin\AppData\Roaming\Ghost\GhostService.vshost.exe
executable
MD5: a219fda38d52905ccf484f9f300b69b3
SHA256: f4cefed49fb2f58655cde4c216f4e52a1f2aaaea0b5809664a97f075026f92bc
3896
Sample_5bfd1df5881d4511b4af1fe8.exe
C:\Users\admin\AppData\Roaming\Ghost\GhostHammer.dll
executable
MD5: 5db40b7c42376cc077383069a9c509eb
SHA256: f6b65a403417ea4d973b5d42dc16a35e7562b37350603bf2070d9a0da5ed5f66
2972
GhostService.exe
C:\GhostForm.exe
executable
MD5: 3a2633cd5152a229d1f986073082ecd0
SHA256: ee884ee08474f7153c3acea1cbb8d81e679415c1d87d597e23172e0b8e3ba78e
2820
GhostForm.exe
C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst.Ghost
binary
MD5: 290a94894ffce577b18989df0647e646
SHA256: 19cb6b9cdd8165f3bd68cfc6cc1206f2debcce4c67ddfa725ec9fd6cdcf886ba
2820
GhostForm.exe
C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.Ghost
binary
MD5: 4873bf613a39aa698978a526ad2d2ae9
SHA256: c0c36bdba6caab56c1323b8e9f037239701caee16edd142c3aae20f9572a5ab7
2820
GhostForm.exe
C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.Ghost
binary
MD5: 888dac9c6f54745853c596c6a5bcd0ee
SHA256: ac949f5a1bded85621048325672a7ba62569ddd6d5c1facde72b009b6cbdff52
2820
GhostForm.exe
C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.Ghost
binary
MD5: dfcb02bb8e1c7c6c23f4637296547b9e
SHA256: 2caa1c5edea0c67f57df3e04355f3a93b5f9b3f7e38e805b84fac8311bb2f560
2820
GhostForm.exe
C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.Ghost
binary
MD5: 1922a301b8650223306e2ad9fa54d232
SHA256: 2c168cd83a40337d14a588bcdd476570e7166fb539dc241435152e8ef16bf76b
2820
GhostForm.exe
C:\Users\admin\Pictures\switchby.png.Ghost
binary
MD5: fee8614fd8f7d3a2b62e7e632617d971
SHA256: 057f9cdc490b0f2eb7b293955a80fb3291cc1181629620896ee3b7163529bee3
2820
GhostForm.exe
C:\Users\admin\Pictures\leebuild.png.Ghost
binary
MD5: 6394f70b1135a3f3c1daba0ab7b93e37
SHA256: c8b61c48acc56dc1f77224b795697de7d179f9b3820d735fe84cb132dcbebc59
2820
GhostForm.exe
C:\Users\admin\Pictures\cakind.jpg.Ghost
binary
MD5: b2197ab71260e386e1e52f9e464040f1
SHA256: 2e9e5634aee8e6d76a7c64ceb3fe442fcb2c4c0a4f5a0efefd8427b34d272001
2820
GhostForm.exe
C:\Users\admin\Documents\Outlook Files\Outlook.pst.Ghost
binary
MD5: ec19ac464d99c2cc5f8783a2829780c2
SHA256: 3ccb9e074fade76a5196d612942f1905f8bd8012874cc2d3af90cf6d959e26d6
2820
GhostForm.exe
C:\Users\admin\Documents\Outlook Files\Outlook Data File - test.pst.Ghost
binary
MD5: 91c9e0c4b4213ea88b1c4a8a1484b1e7
SHA256: 2c2a2393fb78bda3c70078a89423f7852fa0bef189142ce62945e6b4300cd851
3896
Sample_5bfd1df5881d4511b4af1fe8.exe
C:\Users\admin\AppData\Roaming\Ghost\Ghost.bat
text
MD5: afb6743cd7274d5441129cb66bb5a9a4
SHA256: 6819f7e5ee49ee13d72203ef9efed089519f803d876255dcd654bd1b83b7cb9c
2820
GhostForm.exe
C:\Users\admin\Documents\Outlook Files\[email protected]
binary
MD5: 0291d204153ddebae6e5552e1638d4d3
SHA256: 57e03a69b43c11bb7530173f5d87559a00da6a65b7f0ea9f39907ff477d73a06
2820
GhostForm.exe
C:\Users\admin\Desktop\xboxsports.png.Ghost
binary
MD5: 546326678cc7247bce7f4f8689e1bd2e
SHA256: 7ed4d4f72ac79f32fb8ecb2aa8a7c047d0d2c22c1fadc396922328e708d4931d
2820
GhostForm.exe
C:\Users\admin\Desktop\thinkmonth.jpg.Ghost
binary
MD5: c5baba6cb91300276007ea1ce9ac95f2
SHA256: ff70d0693ef34b560ecefc480b04cedb1f08c6466f2d10b5fb5fafaf458149e6
2820
GhostForm.exe
C:\Users\admin\Desktop\nostuff.png.Ghost
binary
MD5: 958ae8eda53b43e8cf0190a40d7c7eb2
SHA256: ba11454c842653affedb19c6f35ed06951f83c3db0db9ebc797c5a3b32fd0526
2820
GhostForm.exe
C:\Users\admin\Desktop\monthssimply.png.Ghost
binary
MD5: d55cc8f6a121fcfc1fee0ea1336e9f72
SHA256: 4ca1a1ab60a5db9e23de2fec527111485aebad1d79600174adbc917ffda98c72
2972
GhostService.exe
C:\autoexec.bat.Ghost
binary
MD5: 2a861202fa4b0349790037702c2ee171
SHA256: f8047f8e539ba7a9aac6a6ce00b8a62bd07035a71582d85e049557cd1dcbb9d4
2820
GhostForm.exe
C:\Users\Public\Music\Sample Music\Sleep Away.mp3.Ghost
––
MD5:  ––
SHA256:  ––
2820
GhostForm.exe
C:\Users\Public\Music\Sample Music\Kalimba.mp3.Ghost
––
MD5:  ––
SHA256:  ––
2820
GhostForm.exe
C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.Ghost
binary
MD5: 0b8635c98acf5fc81dab10c0d5e7d8ba
SHA256: 9cf2e96c90921c74f7d4d66b2beb309f24017a0e6c7c99f821b85a775485ac17
2972
GhostService.exe
C:\Do_Not_Delete_codeId.txt
text
MD5: 9848a0bbb8f4582e7b06a14e53a71f1d
SHA256: 14df7bcbedff9ab07b21e95a7c063afcb3ac5abab6104bc4518bcadaf4304fbe
2820
GhostForm.exe
C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.Ghost
binary
MD5: 7156d6f30b4204dfe06c607c4b765db1
SHA256: 13389e84d085a767d807f98209548634148d41bea34d94021b4ace0ad82f7009
3896
Sample_5bfd1df5881d4511b4af1fe8.exe
C:\Users\admin\AppData\Roaming\Ghost\GhostService.exe.config
xml
MD5: 3f9b7c50015ca8be5ec84127bb37e2cb
SHA256: c66e1ba36e874342cd570cf5bdd3d8b73864a4c9e9d802398be7f46fe39a8532
2820
GhostForm.exe
C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.Ghost
binary
MD5: 8c3960a303155c5bff8516eacd03ac6a
SHA256: c16c1462f54942dacf2c0a40f08ea634a09614387f1737de670cdfb965084fb6
3896
Sample_5bfd1df5881d4511b4af1fe8.exe
C:\Users\admin\AppData\Roaming\Ghost\GhostService.pdb
pdb
MD5: 5c5988dcf6a041989708055154c070bf
SHA256: 1b5656e19f71d8673a961167e34789795e401feaf532dcc1a4260fefcd58e029
2820
GhostForm.exe
C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.Ghost
binary
MD5: 1ff32edd044e941a7b59d7fec145778d
SHA256: ff0f8867914ddd5927346cd8d31e697bb3b08453a1f67b35901cf5c225904007
2820
GhostForm.exe
C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.Ghost
binary
MD5: b5b0e7cd161b00697cb2d66bd58f4157
SHA256: 0d73fff6f16a5b2a65cec14b904b097756c55cc94c401719283af1faacaa7b41
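
The dropped-file table is the clearest behavioural signal on this page: GhostForm.exe writes a new file beside each user document with ".Ghost" appended, while GhostService.exe drops its payload DLLs, GhostForm.exe and a text file directly in C:\, which on Windows 7 needs the elevated rights the sample obtained. The following script is an added example, not ANY.RUN or sample code; its records are a constructed subset of the table above, and the detection thresholds (five files, 80% dominance) are assumptions chosen for illustration.

```python
"""Triage of the file activity above: GhostForm.exe writes a new file next to
each user document with ".Ghost" appended, while GhostService.exe drops its
payload DLLs, GhostForm.exe and a text file at the volume root. Added example,
not ANY.RUN or sample code; the records are a constructed subset of the
report's dropped-file table, and the heuristic thresholds are assumptions."""
import re
from collections import Counter, defaultdict

# Constructed from the report: (pid, process, path written).
DROPPED = [
    (2972, "GhostService.exe", r"C:\GhostHammer.dll"),
    (2972, "GhostService.exe", r"C:\GhostFile.dll"),
    (2972, "GhostService.exe", r"C:\GhostForm.exe"),
    (2972, "GhostService.exe", r"C:\autoexec.bat.Ghost"),
    (2972, "GhostService.exe", r"C:\Do_Not_Delete_codeId.txt"),
    (3896, "Sample_5bfd1df5881d4511b4af1fe8.exe", r"C:\Users\admin\AppData\Roaming\Ghost\GhostService.exe"),
    (3896, "Sample_5bfd1df5881d4511b4af1fe8.exe", r"C:\Users\admin\AppData\Roaming\Ghost\Ghost.bat"),
    (2820, "GhostForm.exe", r"C:\Users\admin\Documents\Outlook Files\Outlook.pst.Ghost"),
    (2820, "GhostForm.exe", r"C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.Ghost"),
    (2820, "GhostForm.exe", r"C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.Ghost"),
    (2820, "GhostForm.exe", r"C:\Users\admin\Pictures\cakind.jpg.Ghost"),
    (2820, "GhostForm.exe", r"C:\Users\admin\Desktop\xboxsports.png.Ghost"),
    (2820, "GhostForm.exe", r"C:\Users\Public\Music\Sample Music\Kalimba.mp3.Ghost"),
]

# Extensions of files a user would miss; the encryptor keeps them and appends its own.
DOCUMENT_EXT = {".pst", ".jpg", ".png", ".mp3", ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".bat"}
DOUBLE_EXT = re.compile(r"^.+?(\.[A-Za-z0-9]{1,5})(\.[A-Za-z0-9_]{1,10})$")
VOLUME_ROOT = re.compile(r"^[A-Za-z]:\\[^\\]+$")


def split_double_ext(path):
    """'...\\Koala.jpg.Ghost' -> ('.jpg', '.Ghost'); None when there is no second extension."""
    m = DOUBLE_EXT.match(path.rsplit("\\", 1)[-1])
    return (m.group(1), m.group(2)) if m else None


def profile_writers(events, min_files=5, dominance=0.8):
    """Flag a process as a bulk encryptor when at least `min_files` of its writes
    are document files carrying one and the same appended extension, and that
    extension accounts for at least `dominance` of all such writes by the process."""
    per_proc = defaultdict(list)
    for pid, proc, path in events:
        per_proc[(pid, proc)].append(path)
    findings = []
    for (pid, proc), paths in per_proc.items():
        appended, victims = Counter(), []
        for p in paths:
            exts = split_double_ext(p)
            if exts and exts[0].lower() in DOCUMENT_EXT:
                appended[exts[1]] += 1
                victims.append(p)
        if not appended:
            continue
        ext, n = appended.most_common(1)[0]
        if n >= min_files and n / sum(appended.values()) >= dominance:
            findings.append({"pid": pid, "process": proc, "extension": ext, "count": n,
                             "dirs": sorted({v.rsplit("\\", 1)[0] for v in victims})})
    return findings


def root_drops(events):
    """Files created directly in a volume root (needs admin rights on Windows 7):
    here the payload DLLs, the GUI encryptor and the codeId text file."""
    return [(proc, path) for _, proc, path in events if VOLUME_ROOT.match(path)]


if __name__ == "__main__":
    print(profile_writers(DROPPED))
    print(root_drops(DROPPED))
```

GhostService.exe's single autoexec.bat.Ghost write stays below the threshold, so only GhostForm.exe is flagged; the extension and victim directories it returns are the indicators to carry into a file-monitoring rule, and the root-level drops give the complementary "who wrote to C:\" pivot.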

Find more information on the static content, and download it, in the full report

Network activity

HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
1
Threats
0

HTTP requests

No HTTP requests.

Connections

No connections.

DNS requests

Domain | IP | Reputation
www.12312312eewfef231.com | No response | unknown

Threats

No threats detected.

Debug output strings

No debug info.