lumma | 7cb380bb249c35afb4a56dfe8a8dec9a6a87a76c1dc7301d9a4e62eabd03a3d1

Resubmissions

01/04/2023, 01:51

230401-cacfrage5w 10

01/04/2023, 01:44

230401-b5wmfafb53 10

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01/04/2023, 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ghast Setup.exe
Size

47.0MB
MD5

aade6b70530baa03c6f520119161d224
SHA1

ba2d3b60a32e5a4ca5033ceb27ef4bc0613086c8
SHA256

7cb380bb249c35afb4a56dfe8a8dec9a6a87a76c1dc7301d9a4e62eabd03a3d1
SHA512

e8d8f3385efa219368d2a153031e0ef934e8c4e480cca22a54be526297e9093acbd6fe5bc4e6c8353c3712612d2b36f7b6f2312e0d182b73a8bba746b7092296
SSDEEP

786432:F1pKaCrTgJhsBqMCiMz0WSt++sQVOcHJ4ok7icr1TEDgvFGv1XqWHb:F6fWwsnSt++tAwq7icnvm

Score

10^/10

lumma discovery stealer

Malware Config

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	Ghast.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	Ghast.exe

Executes dropped EXE 8 IoCs

pid	Process
3520	Ghast Setup.tmp
3100	Loader.exe
4752	Ghast.exe
3884	Ghast.exe
4468	Ghast.exe
4328	Ghast.exe
1296	Ghast.exe
1268	Ghast.exe

Loads dropped DLL 34 IoCs

pid	Process
4752	Ghast.exe
4752	Ghast.exe
4752	Ghast.exe
4752	Ghast.exe
4752	Ghast.exe
4752	Ghast.exe
3884	Ghast.exe
3884	Ghast.exe
3884	Ghast.exe
3884	Ghast.exe
3884	Ghast.exe
3884	Ghast.exe
3884	Ghast.exe
4468	Ghast.exe
4468	Ghast.exe
4468	Ghast.exe
4468	Ghast.exe
4468	Ghast.exe
4328	Ghast.exe
4328	Ghast.exe
4328	Ghast.exe
4328	Ghast.exe
4328	Ghast.exe
1296	Ghast.exe
1296	Ghast.exe
1296	Ghast.exe
1296	Ghast.exe
1296	Ghast.exe
1268	Ghast.exe
1268	Ghast.exe
1268	Ghast.exe
1268	Ghast.exe
1268	Ghast.exe
1268	Ghast.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
4752	Ghast.exe
3884	Ghast.exe
4468	Ghast.exe
4328	Ghast.exe
1296	Ghast.exe
1268	Ghast.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 3884 set thread context of 4752	3884	Ghast.exe	107
PID 4468 set thread context of 4752	4468	Ghast.exe	107
PID 4328 set thread context of 4752	4328	Ghast.exe	107
PID 1296 set thread context of 4752	1296	Ghast.exe	107
PID 1268 set thread context of 4752	1268	Ghast.exe	107

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Ghast\unins000.dat	Ghast Setup.tmp
File created	C:\Program Files (x86)\Ghast\unins000.dat	Ghast Setup.tmp
File created	C:\Program Files (x86)\Ghast\is-65QNE.tmp	Ghast Setup.tmp
File created	C:\Program Files (x86)\Ghast\unins000.msg	Ghast Setup.tmp

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Ghast on user logon - Admin.job	Ghast.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
4452	chrome.exe
4452	chrome.exe
3520	Ghast Setup.tmp
3520	Ghast Setup.tmp
4752	Ghast.exe
4752	Ghast.exe
4752	Ghast.exe
4752	Ghast.exe
4752	Ghast.exe
4752	Ghast.exe
3884	Ghast.exe
3884	Ghast.exe
3884	Ghast.exe
3884	Ghast.exe
3884	Ghast.exe
3884	Ghast.exe
3884	Ghast.exe
3884	Ghast.exe
4468	Ghast.exe
4468	Ghast.exe
4468	Ghast.exe
4468	Ghast.exe
4468	Ghast.exe
4468	Ghast.exe
4328	Ghast.exe
4328	Ghast.exe
4328	Ghast.exe
4328	Ghast.exe
4328	Ghast.exe
4328	Ghast.exe
1296	Ghast.exe
1296	Ghast.exe
1296	Ghast.exe
1296	Ghast.exe
1296	Ghast.exe
1296	Ghast.exe
1268	Ghast.exe
1268	Ghast.exe
1268	Ghast.exe
1268	Ghast.exe
1268	Ghast.exe
1268	Ghast.exe
4328	Ghast.exe
4328	Ghast.exe
4468	Ghast.exe
4468	Ghast.exe
1268	Ghast.exe
1268	Ghast.exe
1296	Ghast.exe
1296	Ghast.exe
448	chrome.exe
448	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
3520	Ghast Setup.tmp
3100	Loader.exe
3100	Loader.exe
4752	Ghast.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
3100	Loader.exe
3100	Loader.exe
4752	Ghast.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
3100	Loader.exe
3100	Loader.exe
4752	Ghast.exe
3884	Ghast.exe
4752	Ghast.exe
4468	Ghast.exe
4328	Ghast.exe
1296	Ghast.exe
1268	Ghast.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 3520	2812	Ghast Setup.exe	86
PID 2812 wrote to memory of 3520	2812	Ghast Setup.exe	86
PID 2812 wrote to memory of 3520	2812	Ghast Setup.exe	86
PID 4452 wrote to memory of 216	4452	chrome.exe	87
PID 4452 wrote to memory of 216	4452	chrome.exe	87
PID 4452 wrote to memory of 2316	4452	chrome.exe	88
PID 4452 wrote to memory of 2316	4452	chrome.exe	88
PID 4452 wrote to memory of 2316	4452	chrome.exe	88
PID 4452 wrote to memory of 2316	4452	chrome.exe	88
PID 4452 wrote to memory of 2316	4452	chrome.exe	88
PID 4452 wrote to memory of 2316	4452	chrome.exe	88
PID 4452 wrote to memory of 2316	4452	chrome.exe	88
PID 4452 wrote to memory of 2316	4452	chrome.exe	88
PID 4452 wrote to memory of 2316	4452	chrome.exe	88
PID 4452 wrote to memory of 2316	4452	chrome.exe	88
PID 4452 wrote to memory of 2316	4452	chrome.exe	88
PID 4452 wrote to memory of 2316	4452	chrome.exe	88
PID 4452 wrote to memory of 2316	4452	chrome.exe	88
PID 4452 wrote to memory of 2316	4452	chrome.exe	88
PID 4452 wrote to memory of 2316	4452	chrome.exe	88
PID 4452 wrote to memory of 2316	4452	chrome.exe	88
PID 4452 wrote to memory of 2316	4452	chrome.exe	88
PID 4452 wrote to memory of 2316	4452	chrome.exe	88
PID 4452 wrote to memory of 2316	4452	chrome.exe	88
PID 4452 wrote to memory of 2316	4452	chrome.exe	88
PID 4452 wrote to memory of 2316	4452	chrome.exe	88
PID 4452 wrote to memory of 2316	4452	chrome.exe	88
PID 4452 wrote to memory of 2316	4452	chrome.exe	88
PID 4452 wrote to memory of 2316	4452	chrome.exe	88
PID 4452 wrote to memory of 2316	4452	chrome.exe	88
PID 4452 wrote to memory of 2316	4452	chrome.exe	88
PID 4452 wrote to memory of 2316	4452	chrome.exe	88
PID 4452 wrote to memory of 2316	4452	chrome.exe	88
PID 4452 wrote to memory of 2316	4452	chrome.exe	88
PID 4452 wrote to memory of 2316	4452	chrome.exe	88
PID 4452 wrote to memory of 2316	4452	chrome.exe	88
PID 4452 wrote to memory of 2316	4452	chrome.exe	88
PID 4452 wrote to memory of 2316	4452	chrome.exe	88
PID 4452 wrote to memory of 2316	4452	chrome.exe	88
PID 4452 wrote to memory of 2316	4452	chrome.exe	88
PID 4452 wrote to memory of 2316	4452	chrome.exe	88
PID 4452 wrote to memory of 2316	4452	chrome.exe	88
PID 4452 wrote to memory of 2316	4452	chrome.exe	88
PID 4452 wrote to memory of 5096	4452	chrome.exe	89
PID 4452 wrote to memory of 5096	4452	chrome.exe	89
PID 4452 wrote to memory of 1052	4452	chrome.exe	90
PID 4452 wrote to memory of 1052	4452	chrome.exe	90
PID 4452 wrote to memory of 1052	4452	chrome.exe	90
PID 4452 wrote to memory of 1052	4452	chrome.exe	90
PID 4452 wrote to memory of 1052	4452	chrome.exe	90
PID 4452 wrote to memory of 1052	4452	chrome.exe	90
PID 4452 wrote to memory of 1052	4452	chrome.exe	90
PID 4452 wrote to memory of 1052	4452	chrome.exe	90
PID 4452 wrote to memory of 1052	4452	chrome.exe	90
PID 4452 wrote to memory of 1052	4452	chrome.exe	90
PID 4452 wrote to memory of 1052	4452	chrome.exe	90
PID 4452 wrote to memory of 1052	4452	chrome.exe	90
PID 4452 wrote to memory of 1052	4452	chrome.exe	90
PID 4452 wrote to memory of 1052	4452	chrome.exe	90
PID 4452 wrote to memory of 1052	4452	chrome.exe	90
PID 4452 wrote to memory of 1052	4452	chrome.exe	90
PID 4452 wrote to memory of 1052	4452	chrome.exe	90
PID 4452 wrote to memory of 1052	4452	chrome.exe	90
PID 4452 wrote to memory of 1052	4452	chrome.exe	90

C:\Users\Admin\AppData\Local\Temp\Ghast Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Ghast Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Users\Admin\AppData\Local\Temp\is-DVA1J.tmp\Ghast Setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-DVA1J.tmp\Ghast Setup.tmp" /SL5="$A0032,48404993,898048,C:\Users\Admin\AppData\Local\Temp\Ghast Setup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:3520
- - C:\Users\Admin\AppData\Local\Programs\Ghast\Loader.exe
    "C:\Users\Admin\AppData\Local\Programs\Ghast\Loader.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:3100
  - - C:\Users\Admin\AppData\Local\Programs\Ghast\Ghast.exe
      C:\Users\Admin\AppData\Local\Programs\Ghast\Ghast.exe 9dbec760cb1f6259387d89adf480d75c
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:4752
    - - C:\Users\Admin\AppData\Local\Programs\Ghast\Ghast.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Ghast\Ghast.exe" --type=gpu-process --field-trial-handle=1652,1302926123253816357,15220201811775020274,131072 --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Programs\Ghast\debug.log" --log-severity=warning --lang=en-US --disable-gpu disable-software-rasterizer --gpu-preferences=KAAAAAAAAADgAAAwAAAAAAAAYAAAAAAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --log-file="C:\Users\Admin\AppData\Local\Programs\Ghast\debug.log" --mojo-platform-channel-handle=1660 /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3884
    - - C:\Users\Admin\AppData\Local\Programs\Ghast\Ghast.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Ghast\Ghast.exe" --type=utility --field-trial-handle=1652,1302926123253816357,15220201811775020274,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Programs\Ghast\debug.log" --log-severity=warning --lang=en-US --disable-gpu disable-software-rasterizer --log-file="C:\Users\Admin\AppData\Local\Programs\Ghast\debug.log" --mojo-platform-channel-handle=2092 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4468
    - - C:\Users\Admin\AppData\Local\Programs\Ghast\Ghast.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Ghast\Ghast.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Programs\Ghast\debug.log" --field-trial-handle=1652,1302926123253816357,15220201811775020274,131072 --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Programs\Ghast\debug.log" --log-severity=warning --disable-gpu disable-software-rasterizer --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2236 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4328
    - - C:\Users\Admin\AppData\Local\Programs\Ghast\Ghast.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Ghast\Ghast.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Programs\Ghast\debug.log" --field-trial-handle=1652,1302926123253816357,15220201811775020274,131072 --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Programs\Ghast\debug.log" --log-severity=warning --disable-gpu disable-software-rasterizer --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2212 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1296
    - - C:\Users\Admin\AppData\Local\Programs\Ghast\Ghast.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Ghast\Ghast.exe" --type=gpu-process --field-trial-handle=1652,1302926123253816357,15220201811775020274,131072 --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Programs\Ghast\debug.log" --log-severity=warning --lang=en-US --disable-gpu disable-software-rasterizer --gpu-preferences=KAAAAAAAAADgAAAwAAAAAAAAYAAAAAAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Local\Programs\Ghast\debug.log" --mojo-platform-channel-handle=1660 /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbbfb49758,0x7ffbbfb49768,0x7ffbbfb49778
  2⤵
  PID:216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1824 --field-trial-handle=1840,i,4624764607301253122,9860411779695641310,131072 /prefetch:2
  2⤵
  PID:2316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=1840,i,4624764607301253122,9860411779695641310,131072 /prefetch:8
  2⤵
  PID:5096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1420 --field-trial-handle=1840,i,4624764607301253122,9860411779695641310,131072 /prefetch:8
  2⤵
  PID:1052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3208 --field-trial-handle=1840,i,4624764607301253122,9860411779695641310,131072 /prefetch:1
  2⤵
  PID:1324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3232 --field-trial-handle=1840,i,4624764607301253122,9860411779695641310,131072 /prefetch:1
  2⤵
  PID:2464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4548 --field-trial-handle=1840,i,4624764607301253122,9860411779695641310,131072 /prefetch:1
  2⤵
  PID:4668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4712 --field-trial-handle=1840,i,4624764607301253122,9860411779695641310,131072 /prefetch:8
  2⤵
  PID:4656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4832 --field-trial-handle=1840,i,4624764607301253122,9860411779695641310,131072 /prefetch:8
  2⤵
  PID:1420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1032 --field-trial-handle=1840,i,4624764607301253122,9860411779695641310,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:448

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3416

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Ghast\unins000.exe

Filesize
3.1MB

MD5
161d1bd06392e424ebf8e4f7971db25b

SHA1
e77ded0d21db752db95dee086137cf138701c99a

SHA256
8c5f29f44a196946191e3ef6f6e8b829c9e6123176b4a4223ada06724471437c

SHA512
e3474f14633de67411ca0e3c26f18b0629b60d6e8f330c71bfadf0a6995cbcf356dc0b063eedd6712a764bfae4ada901ffdcc9285a337a02d045aabcdb4135f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
056b354fe0f2209b9ffac20344ed1dea

SHA1
83ecda17ddcb337f6214fff896d28ebe71a2cc8f

SHA256
450cb5dd12f87671657603654714d45325b987f0b6595db2a869b0d8861e321f

SHA512
2d20cbe88c6aa78dc739b4d83da8229d8405a674678f6a39d64f87d8456ab2b44647b0b329407753d92f44f43ccd2b8da4e99406fdaf8e64e12320feada22642

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
04a5214e7ab1d18f2af2198d1d8c4aad

SHA1
043d10a6643f8d476659ea1e27c06c31f0fe17b8

SHA256
192e1e3708c7d26ad97c44558020432d00a75f4de27a64220ffd434f0373f2a4

SHA512
22ea45d65562a78ec8e3c3ed8bda60691c327a7901c37d51717cf8603dad216aca3d78c6825256443965d410b66544f16651afb5a078b054f0a4d555d6a2e0d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
61b5fc52c84e1e7ab19ca3a4be957ff8

SHA1
33160ade81e09f87fc65ca63f924e5f1e6b680c5

SHA256
c7e5512ad23cce26f3f9af5c07f9edfd1710ba8571844b0ad70ae5bb4ba1c0a6

SHA512
261d0d2c27f2b07c46bf221ddbee008369f9d6ebcbb5f500a306f67021726541de3dcff89467a1cd4374ae6a546827815a07461464a76eba297676ee048be9d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
36cedd4f25ecf1644323518d530d7735

SHA1
96c0365c6a133d2c623a2b3c9613f0b25b641303

SHA256
10f426dcf637237eb8def2678c0d7a9fec41516bc0aa02c4b9ee28b0f64363c1

SHA512
d11b2bb3d20c6992baf9f6d4dd5ee2dec2310e055f771b6b6732bcf72ee7c3706b8b97801775a3c332e78362893a5721a90fcb52c4b8e02ea64cdde3db0b8ddc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
07961430bf23f3762b38ac187e2bc207

SHA1
896eb74425e30559963946b97912c3e80bea4a28

SHA256
b7dc8e690ca18d5a49ecd72265d545c2c2968f24bcddbdef3c151564582ec23a

SHA512
90c466e92d8afa462e4eeb7408b5f918f0eabcc568341c2f388651ea5564c1f2589d0d178a6b1b0f4a270092be870ab18fabf9daceee766c3ddbccc3b870dd19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
173KB

MD5
4792c1227de72eee2b96568dd2d5cd8e

SHA1
ffa7ad15a3af79c170d22a5ae76f28eddf7cfef4

SHA256
6610c889802a9133890067e1589d5897e894375ac1db359dbbe82322e7abda72

SHA512
f174da4a9e9193e0b2e963ac955c3ac5eeb6e30d027500003e979fc2f775161a91040c4ffc99a007ea219e801898f4bd548d5c154ec3ef9763f896ecf7411850

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\Common.dll

Filesize
527KB

MD5
05a1529dde4639e1f4462c4e3742d5a4

SHA1
783c905a4bd544f881dfe6883f24052bccfa4a14

SHA256
3da58f79c1173a4ad547b409b706c48076230c53c51fe9b95d7428d977d8247c

SHA512
e82933b8065e76e3176b3a1f2ecee0c869933558558001d95638075c1a8cc15c439ba26c90aab9dca7cb11ecd56e5cd6ce065d1c1076cee5f910ef2fe75c1ce6

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\D3DCompiler_47.dll

Filesize
4.1MB

MD5
222d020bd33c90170a8296adc1b7036a

SHA1
612e6f443d927330b9b8ac13cc4a2a6b959cee48

SHA256
4432bbd1a390874f3f0a503d45cc48d346abc3a8c0213c289f4b615bf0ee84f3

SHA512
ad8c7ce7f6f353da5e2cf816e1a69f1ec14011612e8041e4f9bb6ebed3e0fa4e4ebc069155a0c66e23811467012c201893b9b3b7a947d089ce2c749d5e8910c6

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\Ghast.exe

Filesize
4.7MB

MD5
5df04392bc93b32d6db17200d665ef55

SHA1
5d862174d83a653db244b3bf39ce3190e2493639

SHA256
214fd3af555d478fc17fef914fcb882f72d4fc0f82f0ca9f662efdbc11304a34

SHA512
7f1b95e3eeb86dceecab42b7616ee135fe79b7e942561a2270b2241793871135dfa8233aeb9956be4ed646585f3969b1ae70b39044593dcdf082419e8095477a

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\Ghast.exe

Filesize
4.7MB

MD5
5df04392bc93b32d6db17200d665ef55

SHA1
5d862174d83a653db244b3bf39ce3190e2493639

SHA256
214fd3af555d478fc17fef914fcb882f72d4fc0f82f0ca9f662efdbc11304a34

SHA512
7f1b95e3eeb86dceecab42b7616ee135fe79b7e942561a2270b2241793871135dfa8233aeb9956be4ed646585f3969b1ae70b39044593dcdf082419e8095477a

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\Ghast.exe

Filesize
4.7MB

MD5
5df04392bc93b32d6db17200d665ef55

SHA1
5d862174d83a653db244b3bf39ce3190e2493639

SHA256
214fd3af555d478fc17fef914fcb882f72d4fc0f82f0ca9f662efdbc11304a34

SHA512
7f1b95e3eeb86dceecab42b7616ee135fe79b7e942561a2270b2241793871135dfa8233aeb9956be4ed646585f3969b1ae70b39044593dcdf082419e8095477a

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\Ghast.exe

Filesize
4.7MB

MD5
5df04392bc93b32d6db17200d665ef55

SHA1
5d862174d83a653db244b3bf39ce3190e2493639

SHA256
214fd3af555d478fc17fef914fcb882f72d4fc0f82f0ca9f662efdbc11304a34

SHA512
7f1b95e3eeb86dceecab42b7616ee135fe79b7e942561a2270b2241793871135dfa8233aeb9956be4ed646585f3969b1ae70b39044593dcdf082419e8095477a

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\Ghast.exe

Filesize
4.7MB

MD5
5df04392bc93b32d6db17200d665ef55

SHA1
5d862174d83a653db244b3bf39ce3190e2493639

SHA256
214fd3af555d478fc17fef914fcb882f72d4fc0f82f0ca9f662efdbc11304a34

SHA512
7f1b95e3eeb86dceecab42b7616ee135fe79b7e942561a2270b2241793871135dfa8233aeb9956be4ed646585f3969b1ae70b39044593dcdf082419e8095477a

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\Ghast.exe

Filesize
4.7MB

MD5
5df04392bc93b32d6db17200d665ef55

SHA1
5d862174d83a653db244b3bf39ce3190e2493639

SHA256
214fd3af555d478fc17fef914fcb882f72d4fc0f82f0ca9f662efdbc11304a34

SHA512
7f1b95e3eeb86dceecab42b7616ee135fe79b7e942561a2270b2241793871135dfa8233aeb9956be4ed646585f3969b1ae70b39044593dcdf082419e8095477a

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\Ghast.exe

Filesize
4.7MB

MD5
5df04392bc93b32d6db17200d665ef55

SHA1
5d862174d83a653db244b3bf39ce3190e2493639

SHA256
214fd3af555d478fc17fef914fcb882f72d4fc0f82f0ca9f662efdbc11304a34

SHA512
7f1b95e3eeb86dceecab42b7616ee135fe79b7e942561a2270b2241793871135dfa8233aeb9956be4ed646585f3969b1ae70b39044593dcdf082419e8095477a

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\Loader.exe

Filesize
4.8MB

MD5
9dbec760cb1f6259387d89adf480d75c

SHA1
e855453a2fc08fc529dd647d4d2e2c1444b777bb

SHA256
5b0dc69e9ee9aeb6e9ff56cd793ceb567d9e99dd546a9b16fb24e5fb491d40b5

SHA512
2526da3047677dc20d6c7676152aef7f952120073d36ee22c9f0c9735e6325bc7f456145cb56196baf96326bdbc5d2169ce7c0b099be388e1a71469cfa7a374e

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\Loader.exe

Filesize
4.8MB

MD5
9dbec760cb1f6259387d89adf480d75c

SHA1
e855453a2fc08fc529dd647d4d2e2c1444b777bb

SHA256
5b0dc69e9ee9aeb6e9ff56cd793ceb567d9e99dd546a9b16fb24e5fb491d40b5

SHA512
2526da3047677dc20d6c7676152aef7f952120073d36ee22c9f0c9735e6325bc7f456145cb56196baf96326bdbc5d2169ce7c0b099be388e1a71469cfa7a374e

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\Loader.exe

Filesize
4.8MB

MD5
9dbec760cb1f6259387d89adf480d75c

SHA1
e855453a2fc08fc529dd647d4d2e2c1444b777bb

SHA256
5b0dc69e9ee9aeb6e9ff56cd793ceb567d9e99dd546a9b16fb24e5fb491d40b5

SHA512
2526da3047677dc20d6c7676152aef7f952120073d36ee22c9f0c9735e6325bc7f456145cb56196baf96326bdbc5d2169ce7c0b099be388e1a71469cfa7a374e

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\VCRUNTIME140.dll

Filesize
74KB

MD5
a075828073369628bcca8a80fa225744

SHA1
2d576b316860c141d81ba9916d5915aceb336c7e

SHA256
dbc5559ca8d99f045c5511f56a2c4dd156d2672d189935e242284a835c0d7f92

SHA512
f92bc90a1d75268f2961e8a83268afc1efbf1381c884742658bca135367104b148fdbb8c0d643daa10063a98e032bcd7d4da50daebf4fa96e203814030a2c993

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\cef.pak

Filesize
2.0MB

MD5
fadbeb0dfdcf3e3321b954dccd5f2dc9

SHA1
88a3f6ff673a77d613bca4461949c6f8a1208aed

SHA256
b816b4775ad62cfd9b1b8c27446f39dfe06fb5ce8637ce89c7896a4b0095a835

SHA512
644f6af10f991e02b4613cfcb422520c9f39d5de4d9941fbc480716ce96c141875e8477f9b6844d740e164cd055fc0a0246afa0de2939d6636086112007cb0c9

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\cef_100_percent.pak

Filesize
638KB

MD5
d6537d8bd18bea635651fdec3d152909

SHA1
888bd16bbcead51b8968e706eb57177ffcd57227

SHA256
24bc9d0779ee755518702aa8f62c313feaaeee5f85688d9c17d22d0c3a3f0dbc

SHA512
4f9909cdd0199f37e0c5cd64b9cf943e2f6e479243a31fa02456cce0dcbecf4df7dd469e375fad5f823920e1beb5e18bb534d9bdcf039ef1850a0e2220951ebc

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\cef_200_percent.pak

Filesize
789KB

MD5
bd1ce17f9350ac0ee83a350439099526

SHA1
fd9328c6c2b2fb2cb3b877548bcf86afcc65a6a3

SHA256
bbb4fae64ae9a18a3cd27fde9936d0c79b8df03aca7f25043e51ed6d85455e30

SHA512
4b5d31a10ebf5c0d511d4df2ca661a484f2299af93b2cb3c26f54c6d590c972cb4b01f74595575fb51e0da44627463104808e4f16dc6f02c660309d2c77379b0

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\cef_extensions.pak

Filesize
1.7MB

MD5
968fbcb567ad6a183a11511cd9871086

SHA1
a3f74917fc7a78f9a6cdf7d9f69234605c7eeffa

SHA256
85e4c876c03e997833d0859e8ce28df41de458142c4d02e9651686c426ef5a8d

SHA512
2af6d1d6726279a1f6dfbf3968b20d32c5a77bac8bddf01ed24d20b33c1b027baccf3541bc6db8a6ba848de69fc7affc5bb7e30e4d3c2a0ea02d261190795e8c

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\chrome_elf.dll

Filesize
801KB

MD5
b5705e3ab1c96214e454dfb140654bc3

SHA1
39656b014dd9de7a4a2bf74b7f0defd34a83a8c5

SHA256
f63e2dcdc17c94ffa21fd933d4d67f9a15b6f3164d046a480289953a67640ca3

SHA512
eeb22d741e07c1e4e03d9fd642f328147264b6972b382903b31df3c07e92f8b327e4b87d9d2ac59d95872d9c8da37d5772116f0b94c43f5537ed7bc0fd6d2cfb

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\chrome_elf.dll

Filesize
801KB

MD5
b5705e3ab1c96214e454dfb140654bc3

SHA1
39656b014dd9de7a4a2bf74b7f0defd34a83a8c5

SHA256
f63e2dcdc17c94ffa21fd933d4d67f9a15b6f3164d046a480289953a67640ca3

SHA512
eeb22d741e07c1e4e03d9fd642f328147264b6972b382903b31df3c07e92f8b327e4b87d9d2ac59d95872d9c8da37d5772116f0b94c43f5537ed7bc0fd6d2cfb

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\chrome_elf.dll

Filesize
801KB

MD5
b5705e3ab1c96214e454dfb140654bc3

SHA1
39656b014dd9de7a4a2bf74b7f0defd34a83a8c5

SHA256
f63e2dcdc17c94ffa21fd933d4d67f9a15b6f3164d046a480289953a67640ca3

SHA512
eeb22d741e07c1e4e03d9fd642f328147264b6972b382903b31df3c07e92f8b327e4b87d9d2ac59d95872d9c8da37d5772116f0b94c43f5537ed7bc0fd6d2cfb

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\chrome_elf.dll

Filesize
801KB

MD5
b5705e3ab1c96214e454dfb140654bc3

SHA1
39656b014dd9de7a4a2bf74b7f0defd34a83a8c5

SHA256
f63e2dcdc17c94ffa21fd933d4d67f9a15b6f3164d046a480289953a67640ca3

SHA512
eeb22d741e07c1e4e03d9fd642f328147264b6972b382903b31df3c07e92f8b327e4b87d9d2ac59d95872d9c8da37d5772116f0b94c43f5537ed7bc0fd6d2cfb

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\chrome_elf.dll

Filesize
801KB

MD5
b5705e3ab1c96214e454dfb140654bc3

SHA1
39656b014dd9de7a4a2bf74b7f0defd34a83a8c5

SHA256
f63e2dcdc17c94ffa21fd933d4d67f9a15b6f3164d046a480289953a67640ca3

SHA512
eeb22d741e07c1e4e03d9fd642f328147264b6972b382903b31df3c07e92f8b327e4b87d9d2ac59d95872d9c8da37d5772116f0b94c43f5537ed7bc0fd6d2cfb

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\chrome_elf.dll

Filesize
801KB

MD5
b5705e3ab1c96214e454dfb140654bc3

SHA1
39656b014dd9de7a4a2bf74b7f0defd34a83a8c5

SHA256
f63e2dcdc17c94ffa21fd933d4d67f9a15b6f3164d046a480289953a67640ca3

SHA512
eeb22d741e07c1e4e03d9fd642f328147264b6972b382903b31df3c07e92f8b327e4b87d9d2ac59d95872d9c8da37d5772116f0b94c43f5537ed7bc0fd6d2cfb

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\chrome_elf.dll

Filesize
801KB

MD5
b5705e3ab1c96214e454dfb140654bc3

SHA1
39656b014dd9de7a4a2bf74b7f0defd34a83a8c5

SHA256
f63e2dcdc17c94ffa21fd933d4d67f9a15b6f3164d046a480289953a67640ca3

SHA512
eeb22d741e07c1e4e03d9fd642f328147264b6972b382903b31df3c07e92f8b327e4b87d9d2ac59d95872d9c8da37d5772116f0b94c43f5537ed7bc0fd6d2cfb

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\d3dcompiler_47.dll

Filesize
4.1MB

MD5
222d020bd33c90170a8296adc1b7036a

SHA1
612e6f443d927330b9b8ac13cc4a2a6b959cee48

SHA256
4432bbd1a390874f3f0a503d45cc48d346abc3a8c0213c289f4b615bf0ee84f3

SHA512
ad8c7ce7f6f353da5e2cf816e1a69f1ec14011612e8041e4f9bb6ebed3e0fa4e4ebc069155a0c66e23811467012c201893b9b3b7a947d089ce2c749d5e8910c6

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\icudtl.dat

Filesize
10.0MB

MD5
3f019441588332ac8b79a3a3901a5449

SHA1
c8930e95b78deef5b7730102acd39f03965d479a

SHA256
594637e10b8f5c97157413528f0cbf5bc65b4ab9e79f5fa34fe268092655ec57

SHA512
ee083ae5e93e70d5bbebe36ec482aa75c47d908df487a43db2b55ddd6b55c291606649175cf7907d6ab64fc81ead7275ec56e3193b631f8f78b10d2c775fd1a9

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\libcef.dll

Filesize
95.8MB

MD5
07f2b060b5e53c8ac3110bcc3b1a3b76

SHA1
8a0f8ad03d6c422383dd90b24fe5cb0e5a661c4f

SHA256
f069bdf29d6834f5fd5971da127a694897afecc6d0cb9a530bbb66aebcda4409

SHA512
59caae84d966e54d7717335aa22d2ef3bc684f5c26d6b05142f4de18d1de8c75b4f55802228d427aa9fb32ff298a228db220166b654baf5f3c19509a1b20502d

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\libcef.dll

Filesize
95.8MB

MD5
07f2b060b5e53c8ac3110bcc3b1a3b76

SHA1
8a0f8ad03d6c422383dd90b24fe5cb0e5a661c4f

SHA256
f069bdf29d6834f5fd5971da127a694897afecc6d0cb9a530bbb66aebcda4409

SHA512
59caae84d966e54d7717335aa22d2ef3bc684f5c26d6b05142f4de18d1de8c75b4f55802228d427aa9fb32ff298a228db220166b654baf5f3c19509a1b20502d

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\libcef.dll

Filesize
95.8MB

MD5
07f2b060b5e53c8ac3110bcc3b1a3b76

SHA1
8a0f8ad03d6c422383dd90b24fe5cb0e5a661c4f

SHA256
f069bdf29d6834f5fd5971da127a694897afecc6d0cb9a530bbb66aebcda4409

SHA512
59caae84d966e54d7717335aa22d2ef3bc684f5c26d6b05142f4de18d1de8c75b4f55802228d427aa9fb32ff298a228db220166b654baf5f3c19509a1b20502d

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\libcef.dll

Filesize
95.8MB

MD5
07f2b060b5e53c8ac3110bcc3b1a3b76

SHA1
8a0f8ad03d6c422383dd90b24fe5cb0e5a661c4f

SHA256
f069bdf29d6834f5fd5971da127a694897afecc6d0cb9a530bbb66aebcda4409

SHA512
59caae84d966e54d7717335aa22d2ef3bc684f5c26d6b05142f4de18d1de8c75b4f55802228d427aa9fb32ff298a228db220166b654baf5f3c19509a1b20502d

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\libcef.dll

Filesize
95.8MB

MD5
07f2b060b5e53c8ac3110bcc3b1a3b76

SHA1
8a0f8ad03d6c422383dd90b24fe5cb0e5a661c4f

SHA256
f069bdf29d6834f5fd5971da127a694897afecc6d0cb9a530bbb66aebcda4409

SHA512
59caae84d966e54d7717335aa22d2ef3bc684f5c26d6b05142f4de18d1de8c75b4f55802228d427aa9fb32ff298a228db220166b654baf5f3c19509a1b20502d

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\libcef.dll

Filesize
95.8MB

MD5
07f2b060b5e53c8ac3110bcc3b1a3b76

SHA1
8a0f8ad03d6c422383dd90b24fe5cb0e5a661c4f

SHA256
f069bdf29d6834f5fd5971da127a694897afecc6d0cb9a530bbb66aebcda4409

SHA512
59caae84d966e54d7717335aa22d2ef3bc684f5c26d6b05142f4de18d1de8c75b4f55802228d427aa9fb32ff298a228db220166b654baf5f3c19509a1b20502d

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\libcef.dll

Filesize
95.8MB

MD5
07f2b060b5e53c8ac3110bcc3b1a3b76

SHA1
8a0f8ad03d6c422383dd90b24fe5cb0e5a661c4f

SHA256
f069bdf29d6834f5fd5971da127a694897afecc6d0cb9a530bbb66aebcda4409

SHA512
59caae84d966e54d7717335aa22d2ef3bc684f5c26d6b05142f4de18d1de8c75b4f55802228d427aa9fb32ff298a228db220166b654baf5f3c19509a1b20502d

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\libsodium.dll

Filesize
328KB

MD5
d07628811c6c2a042d9d5849c5e6d5d3

SHA1
58b9687050a1808e71288241c25c68b82d0e03e6

SHA256
0c91e8be0548203978caeb8dd02a3db31c69e9b4bbfc13f768e39fe2b1486ddf

SHA512
0f489aa068539905bd29a5243d8639297e261111e900955147900a222bbe62f01081edb078626677af828481c88a28fad754018427a2cb1b168c690487976df1

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\libsodium.dll

Filesize
328KB

MD5
d07628811c6c2a042d9d5849c5e6d5d3

SHA1
58b9687050a1808e71288241c25c68b82d0e03e6

SHA256
0c91e8be0548203978caeb8dd02a3db31c69e9b4bbfc13f768e39fe2b1486ddf

SHA512
0f489aa068539905bd29a5243d8639297e261111e900955147900a222bbe62f01081edb078626677af828481c88a28fad754018427a2cb1b168c690487976df1

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\libsodium.dll

Filesize
328KB

MD5
d07628811c6c2a042d9d5849c5e6d5d3

SHA1
58b9687050a1808e71288241c25c68b82d0e03e6

SHA256
0c91e8be0548203978caeb8dd02a3db31c69e9b4bbfc13f768e39fe2b1486ddf

SHA512
0f489aa068539905bd29a5243d8639297e261111e900955147900a222bbe62f01081edb078626677af828481c88a28fad754018427a2cb1b168c690487976df1

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\libsodium.dll

Filesize
328KB

MD5
d07628811c6c2a042d9d5849c5e6d5d3

SHA1
58b9687050a1808e71288241c25c68b82d0e03e6

SHA256
0c91e8be0548203978caeb8dd02a3db31c69e9b4bbfc13f768e39fe2b1486ddf

SHA512
0f489aa068539905bd29a5243d8639297e261111e900955147900a222bbe62f01081edb078626677af828481c88a28fad754018427a2cb1b168c690487976df1

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\libsodium.dll

Filesize
328KB

MD5
d07628811c6c2a042d9d5849c5e6d5d3

SHA1
58b9687050a1808e71288241c25c68b82d0e03e6

SHA256
0c91e8be0548203978caeb8dd02a3db31c69e9b4bbfc13f768e39fe2b1486ddf

SHA512
0f489aa068539905bd29a5243d8639297e261111e900955147900a222bbe62f01081edb078626677af828481c88a28fad754018427a2cb1b168c690487976df1

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\libsodium.dll

Filesize
328KB

MD5
d07628811c6c2a042d9d5849c5e6d5d3

SHA1
58b9687050a1808e71288241c25c68b82d0e03e6

SHA256
0c91e8be0548203978caeb8dd02a3db31c69e9b4bbfc13f768e39fe2b1486ddf

SHA512
0f489aa068539905bd29a5243d8639297e261111e900955147900a222bbe62f01081edb078626677af828481c88a28fad754018427a2cb1b168c690487976df1

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\libsodium.dll

Filesize
328KB

MD5
d07628811c6c2a042d9d5849c5e6d5d3

SHA1
58b9687050a1808e71288241c25c68b82d0e03e6

SHA256
0c91e8be0548203978caeb8dd02a3db31c69e9b4bbfc13f768e39fe2b1486ddf

SHA512
0f489aa068539905bd29a5243d8639297e261111e900955147900a222bbe62f01081edb078626677af828481c88a28fad754018427a2cb1b168c690487976df1

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\locales\en-US.pak

Filesize
201KB

MD5
ca71b35dd44d9949f8d7f1f47f6e274b

SHA1
7614f231538628f56cbde317495d6ffe95f8900a

SHA256
a4a1b7c72a6cf829e9f023a8673ceff385931e22fc5c23c361d8f43448b95ebc

SHA512
000017ebc7fbb3cfbc5837107795130b1c2916e8fcb3f35ebd010352921d3d8eb45a8d3ecf9a395b3409881440497c453efab9edbee0cd886bb9be848698255e

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\v8_context_snapshot.bin

Filesize
541KB

MD5
87e39a722b1469f1f19f456e6b7f93ad

SHA1
4c07e2fcf21a1925049ca34f26c2572daeeba4cb

SHA256
23e7f749ee278ffb21a9f109e860f99a2ded13ad6ffdefd16b069559e8e40cf7

SHA512
086bbd50394b11bf148922a1ac9881328842f3041093f95d6bb1cc57e64d73801c6b5e41deb43dcca3e22f10f65c88388d4300e185c639f28da33f4a0e8b30d6

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\vcruntime140.dll

Filesize
74KB

MD5
a075828073369628bcca8a80fa225744

SHA1
2d576b316860c141d81ba9916d5915aceb336c7e

SHA256
dbc5559ca8d99f045c5511f56a2c4dd156d2672d189935e242284a835c0d7f92

SHA512
f92bc90a1d75268f2961e8a83268afc1efbf1381c884742658bca135367104b148fdbb8c0d643daa10063a98e032bcd7d4da50daebf4fa96e203814030a2c993

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\vcruntime140.dll

Filesize
74KB

MD5
a075828073369628bcca8a80fa225744

SHA1
2d576b316860c141d81ba9916d5915aceb336c7e

SHA256
dbc5559ca8d99f045c5511f56a2c4dd156d2672d189935e242284a835c0d7f92

SHA512
f92bc90a1d75268f2961e8a83268afc1efbf1381c884742658bca135367104b148fdbb8c0d643daa10063a98e032bcd7d4da50daebf4fa96e203814030a2c993

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\vcruntime140.dll

Filesize
74KB

MD5
a075828073369628bcca8a80fa225744

SHA1
2d576b316860c141d81ba9916d5915aceb336c7e

SHA256
dbc5559ca8d99f045c5511f56a2c4dd156d2672d189935e242284a835c0d7f92

SHA512
f92bc90a1d75268f2961e8a83268afc1efbf1381c884742658bca135367104b148fdbb8c0d643daa10063a98e032bcd7d4da50daebf4fa96e203814030a2c993

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\vcruntime140.dll

Filesize
74KB

MD5
a075828073369628bcca8a80fa225744

SHA1
2d576b316860c141d81ba9916d5915aceb336c7e

SHA256
dbc5559ca8d99f045c5511f56a2c4dd156d2672d189935e242284a835c0d7f92

SHA512
f92bc90a1d75268f2961e8a83268afc1efbf1381c884742658bca135367104b148fdbb8c0d643daa10063a98e032bcd7d4da50daebf4fa96e203814030a2c993

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\vcruntime140.dll

Filesize
74KB

MD5
a075828073369628bcca8a80fa225744

SHA1
2d576b316860c141d81ba9916d5915aceb336c7e

SHA256
dbc5559ca8d99f045c5511f56a2c4dd156d2672d189935e242284a835c0d7f92

SHA512
f92bc90a1d75268f2961e8a83268afc1efbf1381c884742658bca135367104b148fdbb8c0d643daa10063a98e032bcd7d4da50daebf4fa96e203814030a2c993

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\vcruntime140.dll

Filesize
74KB

MD5
a075828073369628bcca8a80fa225744

SHA1
2d576b316860c141d81ba9916d5915aceb336c7e

SHA256
dbc5559ca8d99f045c5511f56a2c4dd156d2672d189935e242284a835c0d7f92

SHA512
f92bc90a1d75268f2961e8a83268afc1efbf1381c884742658bca135367104b148fdbb8c0d643daa10063a98e032bcd7d4da50daebf4fa96e203814030a2c993

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\vcruntime140.dll

Filesize
74KB

MD5
a075828073369628bcca8a80fa225744

SHA1
2d576b316860c141d81ba9916d5915aceb336c7e

SHA256
dbc5559ca8d99f045c5511f56a2c4dd156d2672d189935e242284a835c0d7f92

SHA512
f92bc90a1d75268f2961e8a83268afc1efbf1381c884742658bca135367104b148fdbb8c0d643daa10063a98e032bcd7d4da50daebf4fa96e203814030a2c993

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\zlib1.dll

Filesize
76KB

MD5
590f948143d93691efdee479d459944e

SHA1
0a93952856d28509793d56cde7b999f4c3502a91

SHA256
ee192eba2020707d56bf9e51c30d878636576d0c4481252a19a6da771841502e

SHA512
75fcc3e37e713f46bbe2abcd6dca8b413353cdffa96595d10b04c01210f3c5b91f98d51ee8aa1920feac2a085eeac144241bd2b639cc266be2a248b9e07c245a

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\zlib1.dll

Filesize
76KB

MD5
590f948143d93691efdee479d459944e

SHA1
0a93952856d28509793d56cde7b999f4c3502a91

SHA256
ee192eba2020707d56bf9e51c30d878636576d0c4481252a19a6da771841502e

SHA512
75fcc3e37e713f46bbe2abcd6dca8b413353cdffa96595d10b04c01210f3c5b91f98d51ee8aa1920feac2a085eeac144241bd2b639cc266be2a248b9e07c245a

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\zlib1.dll

Filesize
76KB

MD5
590f948143d93691efdee479d459944e

SHA1
0a93952856d28509793d56cde7b999f4c3502a91

SHA256
ee192eba2020707d56bf9e51c30d878636576d0c4481252a19a6da771841502e

SHA512
75fcc3e37e713f46bbe2abcd6dca8b413353cdffa96595d10b04c01210f3c5b91f98d51ee8aa1920feac2a085eeac144241bd2b639cc266be2a248b9e07c245a

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\zlib1.dll

Filesize
76KB

MD5
590f948143d93691efdee479d459944e

SHA1
0a93952856d28509793d56cde7b999f4c3502a91

SHA256
ee192eba2020707d56bf9e51c30d878636576d0c4481252a19a6da771841502e

SHA512
75fcc3e37e713f46bbe2abcd6dca8b413353cdffa96595d10b04c01210f3c5b91f98d51ee8aa1920feac2a085eeac144241bd2b639cc266be2a248b9e07c245a

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\zlib1.dll

Filesize
76KB

MD5
590f948143d93691efdee479d459944e

SHA1
0a93952856d28509793d56cde7b999f4c3502a91

SHA256
ee192eba2020707d56bf9e51c30d878636576d0c4481252a19a6da771841502e

SHA512
75fcc3e37e713f46bbe2abcd6dca8b413353cdffa96595d10b04c01210f3c5b91f98d51ee8aa1920feac2a085eeac144241bd2b639cc266be2a248b9e07c245a

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\zlib1.dll

Filesize
76KB

MD5
590f948143d93691efdee479d459944e

SHA1
0a93952856d28509793d56cde7b999f4c3502a91

SHA256
ee192eba2020707d56bf9e51c30d878636576d0c4481252a19a6da771841502e

SHA512
75fcc3e37e713f46bbe2abcd6dca8b413353cdffa96595d10b04c01210f3c5b91f98d51ee8aa1920feac2a085eeac144241bd2b639cc266be2a248b9e07c245a

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\zlib1.dll

Filesize
76KB

MD5
590f948143d93691efdee479d459944e

SHA1
0a93952856d28509793d56cde7b999f4c3502a91

SHA256
ee192eba2020707d56bf9e51c30d878636576d0c4481252a19a6da771841502e

SHA512
75fcc3e37e713f46bbe2abcd6dca8b413353cdffa96595d10b04c01210f3c5b91f98d51ee8aa1920feac2a085eeac144241bd2b639cc266be2a248b9e07c245a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DVA1J.tmp\Ghast Setup.tmp

Filesize
3.1MB

MD5
161d1bd06392e424ebf8e4f7971db25b

SHA1
e77ded0d21db752db95dee086137cf138701c99a

SHA256
8c5f29f44a196946191e3ef6f6e8b829c9e6123176b4a4223ada06724471437c

SHA512
e3474f14633de67411ca0e3c26f18b0629b60d6e8f330c71bfadf0a6995cbcf356dc0b063eedd6712a764bfae4ada901ffdcc9285a337a02d045aabcdb4135f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DVA1J.tmp\Ghast Setup.tmp

Filesize
3.1MB

MD5
161d1bd06392e424ebf8e4f7971db25b

SHA1
e77ded0d21db752db95dee086137cf138701c99a

SHA256
8c5f29f44a196946191e3ef6f6e8b829c9e6123176b4a4223ada06724471437c

SHA512
e3474f14633de67411ca0e3c26f18b0629b60d6e8f330c71bfadf0a6995cbcf356dc0b063eedd6712a764bfae4ada901ffdcc9285a337a02d045aabcdb4135f6

Download Submit
memory/2812-242-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2812-159-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2812-133-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/3520-161-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/3520-140-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/3520-160-0x0000000000400000-0x0000000000723000-memory.dmp

Filesize
3.1MB

Download
memory/3520-198-0x0000000000400000-0x0000000000723000-memory.dmp

Filesize
3.1MB

Download
memory/3520-241-0x0000000000400000-0x0000000000723000-memory.dmp

Filesize
3.1MB

Download