Overview

overview

10

Static

static

1

01799099.exe.vbs

windows7-x64

6

01799099.exe.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    97s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/06/2023, 08:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    01799099.exe.vbs

  • Size

    1.1MB

  • MD5

    584f03161a17b36b2f5163dd85bc0b77

  • SHA1

    04dad07d0146ff09c0dacc3f248dbda16055a609

  • SHA256

    ee2a2b418e82683de196beb5d4f6cb213e7579d783b06b9949f4a988f515b324

  • SHA512

    530ef231a0fea29700d8bbffa5ed40b4cc05b96323fcbd853e86f050362d84f8a5250387f86a47ec0f103a76b00bada9c352a3c6c76736740984732c184003ff

  • SSDEEP

    24576:gjSdueeKiZeXA940z802o5mNBriKgcdgUixQsUgk:gjSduKCeA2oqdJqfk

Score
10/10
discoveryevasionexploitpersistenceransomwaretrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables cmd.exe use via registry modification 1 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Possible privilege escalation attempt 8 IoCs
    exploit
  • Sets file execution options in registry 2 TTPs 64 IoCs
    persistence
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Modifies file permissions 1 TTPs 8 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Modifies termsrv.dll 1 TTPs 2 IoCs

    Commonly used to allow simultaneous RDP sessions.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Windows directory 1 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 58 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies Control Panel 5 IoCs
    evasion
  • Modifies registry class 39 IoCs
  • Suspicious use of AdjustPrivilegeToken 62 IoCs
  • Suspicious use of FindShellTrayWindow 49 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs
  • System policy modification 1 TTPs 30 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01799099.exe.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4644
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\01799099.exe.vbs" /elevated
      2⤵
      • UAC bypass
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Sets file execution options in registry
      • Checks computer location settings
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Sets desktop wallpaper using registry
      • Drops file in Windows directory
      • Modifies Control Panel
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1712
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" C:\Users\Public\ghostroot\Player.vbs
        3⤵
        • Enumerates connected drives
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:1240
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c C:\Users\Public\Ghostroot\KillDora.bat
        3⤵
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2708
        • C:\Windows\system32\gpupdate.exe
          gpupdate.exe /force
          4⤵
            PID:4524
          • C:\Windows\System32\rundll32.exe
            C:\Windows\System32\RUNDLL32.EXE user32.dll, UpdatePerUserSystemParameters
            4⤵
              PID:3824
            • C:\Windows\system32\reg.exe
              reg delete "HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal" /f
              4⤵
                PID:1144
              • C:\Windows\system32\reg.exe
                reg delete "HKLM\System\CurrentControlSet\Control\SafeBoot\Network" /f
                4⤵
                  PID:3512
                • C:\Windows\system32\taskkill.exe
                  taskkill /f /im explorer.exe
                  4⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3796
                • C:\Windows\system32\reg.exe
                  Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
                  4⤵
                    PID:4916
                  • C:\Windows\explorer.exe
                    explorer.exe
                    4⤵
                    • Modifies Installed Components in the registry
                    • Enumerates connected drives
                    • Checks SCSI registry key(s)
                    • Modifies registry class
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SendNotifyMessage
                    • Suspicious use of SetWindowsHookEx
                    PID:1012
                  • C:\Windows\system32\sc.exe
                    sc config VSS start= disabled
                    4⤵
                    • Launches sc.exe
                    PID:1228
                  • C:\Windows\system32\takeown.exe
                    takeown /f C:\Windows\System32
                    4⤵
                    • Possible privilege escalation attempt
                    • Modifies file permissions
                    PID:772
                  • C:\Windows\system32\icacls.exe
                    icacls C:\Windows\System32 /Grant Users:F
                    4⤵
                    • Possible privilege escalation attempt
                    • Modifies file permissions
                    PID:4480
                  • C:\Windows\system32\takeown.exe
                    takeown /f C:\Windows
                    4⤵
                    • Possible privilege escalation attempt
                    • Modifies file permissions
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3280
                  • C:\Windows\system32\icacls.exe
                    icacls C:\Windows /Grant Users:F
                    4⤵
                    • Possible privilege escalation attempt
                    • Modifies file permissions
                    PID:1124
                  • C:\Windows\system32\takeown.exe
                    takeown /a /r /d Y /f "C:\Recovery"
                    4⤵
                    • Possible privilege escalation attempt
                    • Modifies file permissions
                    PID:3656
                  • C:\Windows\system32\icacls.exe
                    icacls "C:\Recovery" /Grant Users:F /q /c /t
                    4⤵
                    • Possible privilege escalation attempt
                    • Modifies file permissions
                    PID:3644
                  • C:\Windows\system32\takeown.exe
                    takeown /a /r /d Y /f "C:\System Volume Information"
                    4⤵
                    • Possible privilege escalation attempt
                    • Modifies file permissions
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1816
                  • C:\Windows\system32\icacls.exe
                    icacls "C:\System Volume Information" /Grant Users:F /q /c /t
                    4⤵
                    • Possible privilege escalation attempt
                    • Modifies file permissions
                    • Suspicious use of AdjustPrivilegeToken
                    PID:772
                • C:\Users\Public\ghostroot\rpdbfk.exe
                  "C:\Users\Public\ghostroot\rpdbfk.exe"
                  3⤵
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Modifies termsrv.dll
                  PID:1564
            • C:\Windows\system32\AUDIODG.EXE
              C:\Windows\system32\AUDIODG.EXE 0x490 0x498
              1⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:4288
            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
              1⤵
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              PID:2936
            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
              1⤵
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              PID:4000

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\BolbiForPresident.vbs
              Filesize

              1.1MB

              MD5

              584f03161a17b36b2f5163dd85bc0b77

              SHA1

              04dad07d0146ff09c0dacc3f248dbda16055a609

              SHA256

              ee2a2b418e82683de196beb5d4f6cb213e7579d783b06b9949f4a988f515b324

              SHA512

              530ef231a0fea29700d8bbffa5ed40b4cc05b96323fcbd853e86f050362d84f8a5250387f86a47ec0f103a76b00bada9c352a3c6c76736740984732c184003ff

              Download Submit

            • C:\USERS\ADMIN\DESKTOP\BOLBI.TXT
              Filesize

              29B

              MD5

              b37ed35ef479e43f406429bc36e68ec4

              SHA1

              5e3ec88d9d13d136af28dea0d3c2529f5b6e3b82

              SHA256

              cc2b26f9e750e05cd680ef5721d9269fe4c8d23cabf500a2ff9065b6b4f7e08c

              SHA512

              d1c1ea6292d8113ce8f02a9ad3921e2d8632f036bdfa243bd6600a173ac0b1fc659f91b43c8d9ec0beaabb87d9654f5f231e98fde27e4d9bdfd5862ca5cb13b7

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
              Filesize

              64KB

              MD5

              dbfc662304aa4236ac6c685fdd3ee597

              SHA1

              bee96b9256c93a35398a8c6a341da9470c6101c2

              SHA256

              dfd76fd8ae4d04c006729be160e7c23fe8e003e7094a54abf3a5aaee1a5c5590

              SHA512

              6730c50e8217e93d819b24a76af50ed9afeb34c73f32bcf65cca1bac139219c4897f7a43faa7a88909b32777420f47beb2a1ab23fad5886ef4da35226305c42b

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
              Filesize

              9KB

              MD5

              7050d5ae8acfbe560fa11073fef8185d

              SHA1

              5bc38e77ff06785fe0aec5a345c4ccd15752560e

              SHA256

              cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

              SHA512

              a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

              Download Submit

            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133307720389554846.txt
              Filesize

              75KB

              MD5

              65019a5db517d9fb830d8a57406a03ea

              SHA1

              817faf2ffe8461f653519e7bd96e7ee75021c891

              SHA256

              3ae88b3a99e6b785bdb44760790bc03ac722ef5b673ad5b3ca49b5cc5eecf84f

              SHA512

              bcc985d3fa48efcbb4a334b1a341a6686ef6c69f237d6d9bdcd9885696d148519ab824b9150194d783cb03189c1cc00a483f1b73ebce323f1f6a303a05b8ea62

              Download Submit

            • C:\Users\Admin\Documents\Are.docx
              Filesize

              1.1MB

              MD5

              6734d260318f6fdcf2830001cec10684

              SHA1

              ec96aae5ec69f7f7c699b69ad998072ad42adced

              SHA256

              bb92f0fce92b22aca9289e383a5cf26d4dbcced387c89a3cf274310603c04952

              SHA512

              0abe2a8af1d1ed9d8ec0377230813b8891c2167302110731623f2b6cda0a159d15093c10c4a08a166698da0d450c71c130a11c281264bf0d06e6c33f1e2ea318

              Download Submit

            • C:\Users\Admin\Documents\ExportComplete.doc
              Filesize

              1.1MB

              MD5

              8779cb43810382279b9147ec3387c5ab

              SHA1

              aa3489887515d1e9d1cdf2a7fb58b08de3c30694

              SHA256

              51b277ef5f350786fe51388af4f3cdaff6c81dc600874c68f852fe10cb81b129

              SHA512

              0c3960631475fb4cdecd15af0f2735fc802cbcf80813776063f5ae316d2f610908dda8e308240122262910061fc1ebeb0fcf1f5477deb42b2b474750399c4f25

              Download Submit

            • C:\Users\Admin\Documents\Files.docx
              Filesize

              1.1MB

              MD5

              4c66e88eaa86fa87df813daf00a1e6bf

              SHA1

              995852d07c53e9290cee4a89b7ec401db3bf9993

              SHA256

              4f1e2aa0a0748437b0eb7e9c407dfcc0dbcd5d4eb215fa230c105e37ce5c3bdc

              SHA512

              2f558022e9893006fe1538a969c987751d53015c4c86d91fdeace97b2be1334c1fba10f157e608e97155bf487b0bac9221c072aa6389a976851d0acf6a32a98c

              Download Submit

            • C:\Users\Admin\Documents\GetBlock.txt
              Filesize

              1.1MB

              MD5

              031eaf72f6885c1971d5d189c8e78f94

              SHA1

              0b91ffcaccc97b9f629f320fd60129e6e6430c0c

              SHA256

              4801af40d0236fa2557412dc2e3e316888ddff20b614e98e13cafa3eeaa76fda

              SHA512

              348a5dfff27c12cbb0c9d817c3fb9646202f6685fd4356b49c66d0eb1ea17e1726964895fd4e39671c811ce807d6999985f701ce53663caa311976bb2aee1af8

              Download Submit

            • C:\Users\Admin\Documents\MoveCompress.pptx
              Filesize

              1.1MB

              MD5

              2f89d8e58aea582f6c9cf032699d5867

              SHA1

              1358ddbfcbae4f8f80e5613c7083dcc097e60e7f

              SHA256

              67ad12ff2c1758a1ffb61711efbf0b5bd409e04ff0017a2ba75e3040901d5c46

              SHA512

              3c7b512d7e490780d01c8849bdcba400c4ba477c9c65902c604bf9ffb7e004406ccbe5ac1c0561502f19ec9847e4cb2ad991e6431fb7d1c662ed15ecd38767a5

              Download Submit

            • C:\Users\Admin\Documents\OpenDismount.html
              Filesize

              374B

              MD5

              284e40b2b551ff7c43885924869ee900

              SHA1

              3aa03be7c9edf322af2db25a44ae6bb9deaa5d1f

              SHA256

              a79de008a47782651a7800ee6db173c7debeb1ef72dbbbc29eb5a178532950be

              SHA512

              dcc4bca116fbb3afde2c41edd7ec8283db3dff5927a9344015b7e03aecc36b17e885127432e38040f7e5c311c3f4ea4087be61941128fb7452ce97d9263d7681

              Download Submit

            • C:\Users\Admin\Documents\Opened.docx
              Filesize

              1.1MB

              MD5

              17ddebd7570a14d4d6084dbbd5b83565

              SHA1

              57c98a1142c72ed47ee3b645f63db65c0eb80127

              SHA256

              d0a78b9de544a7c65e9a14114348f6c5f8503276ddb0df608e4da47803c3c65c

              SHA512

              8df9c0ad734728dd6a78f4834de8e06da0f3d439ab4e5037f95cb0d459e2a2d980f08a60e1391f50a1307557d8ef501e882d091079d1a89aa3f5eb9b20ab72af

              Download Submit

            • C:\Users\Admin\Documents\OptimizeSearch.pptx
              Filesize

              1.1MB

              MD5

              03058bb62df292a36c52d4e91852320c

              SHA1

              b3571bf35da163d0d45442f22de55554a0ef7b2d

              SHA256

              e0e56146c8e72098fab024e8c6af5baef7ec5d34f2d684035ddfefde4270d197

              SHA512

              19a0f4da5692c4a79b3fa8965cdf76c606158245af261b12d1cfc5e5eb39b445c21e18acf18e517c3366f4fc93dc0724920f40b1082c1144387111932734fe11

              Download Submit

            • C:\Users\Admin\Documents\Recently.docx
              Filesize

              1.1MB

              MD5

              962b8bf59b558339600b1072184e2c8b

              SHA1

              a69d02d0acb86798d184d730870c32df926a31ac

              SHA256

              552f51622f737c662882a978139b5a14207928bc60d94dd0659c3cf698503d7c

              SHA512

              7a67fd52d093f4286b6a35af44ce3bf8d483ca6465138e2fb203199eebf69fca17899f7cae9d5fe0914d8a1576d132610312a10930e6e39f2c2d34ad5a91a6fd

              Download Submit

            • C:\Users\Admin\Documents\ResizeCheckpoint.htm
              Filesize

              374B

              MD5

              f49635f171ffe197a8f9c42fa8923892

              SHA1

              46e8f5003b291ee36e4e12bd820a25136b217ca4

              SHA256

              b4a582cba66b5540801d00bdaef5e262315c44c52751e307ca04490f7e2bc34b

              SHA512

              b15f5dbf13f6fe73d6a1ece0613f5a7fa59c826b5137d517929f4af05cb65c3897685b02c358a75d00cd72c700bfcbe7e53cc1f54c16c88565446cb219ed4f29

              Download Submit

            • C:\Users\Admin\Documents\SendSkip.htm
              Filesize

              374B

              MD5

              d4b950027dcc270add8b25a48b765101

              SHA1

              e3ee15304f5909126cf1c9be8ad588da5fd8541f

              SHA256

              47683ee6b3e48caccffded7269636546c9dc195b540c13739dd4eb9d31c62967

              SHA512

              76736a4fc4f371f513c0a41342c9954e84d3fac07eea0813988063eb1ae7304dfc557f6a071c1f727548aac390821bb790a1b77e4d2e9d14100495187f5a18d0

              Download Submit

            • C:\Users\Admin\Documents\SetTrace.ppt
              Filesize

              1.1MB

              MD5

              9f401cedee09cced4d63dc04c9079c36

              SHA1

              83d7342ee9c02448c410b986350fdea0185aa4f6

              SHA256

              9c357c827d633a8a66ef1052ed13c56ae4e8b3afc96fc41bc7229fc80e4637b5

              SHA512

              452a3c8c6509de903975f9ef9b424e321372148abcb01485e56d2df1952b61203a97c6c633b1642bbfbfe1624d7bb3e91f5455147216529c5d6b040d3618d802

              Download Submit

            • C:\Users\Admin\Documents\ShowRedo.html
              Filesize

              374B

              MD5

              d36cc4308ce0c0562287ce290f076243

              SHA1

              b56f8d37a77e871aa269c78c479f5f05da53fc2b

              SHA256

              28e3e35557dc6d8f7f359a100314a5fdc560f9eb8d6e51b9d90b580f25a931ba

              SHA512

              5ae8436e6439744668b9d40198adf59531eb9120de5eebd7c4c81e88c2310f28023edbb4b64fd9d756da9d032b8a74df813dfe56c7771c96055a27ed07714325

              Download Submit

            • C:\Users\Admin\Documents\SplitStep.htm
              Filesize

              374B

              MD5

              a959b784b7f1af3944a549de8ef17bbd

              SHA1

              77110d6c1640ae7a1590d904c788a572f6cd71dc

              SHA256

              c75b5e071f1236720782eb069eec8bf8c2712f9d5226b81aa145927b97a401a7

              SHA512

              4bea9bd779433e6d7730a7290ba8ec7e9850fed0e895484ae47ebda075b37144aa4651a2de9ca4b0135927b579e20fc22843c3e3e5d7edd0c1e0e7fc358f4a02

              Download Submit

            • C:\Users\Admin\Documents\These.docx
              Filesize

              1.1MB

              MD5

              e67083c0f40ffd6327119b2afabf3a09

              SHA1

              4be8ca72763b81084d9804ba5e49c74d68dad20d

              SHA256

              bb09aef0e0528f10b1579c28cd8a5568c920597d2a3a83b03fb514a840daf7fe

              SHA512

              6d75d5af444a8f68f1035ee390f14e4e98b2694216073bda28465ad5891205ab87496941f009468f968a18e890d2f4cff4d01d93c9f71c563f07d0c79df00fc3

              Download Submit

            • C:\Users\Admin\Documents\UnprotectSkip.pdf
              Filesize

              1.1MB

              MD5

              8d3cfe152b5290ac6046ef91a2796e2f

              SHA1

              afcaadbf169812ccb2f4101b6c60a7b84651ce49

              SHA256

              debf0be0a4f6d5f799261f01f6cbde12ac2d61c5b30541724f3a11896583fe91

              SHA512

              11319544beef48d372d27f35f605854656e2859c0a0b0a8e9bcf0871f8fd0e2d616fa77b71a821eb5a375d4fda2dd4fc6501fc428b6168943d1a4d718bb1cc20

              Download Submit

            • C:\Users\Public\Desktop\Acrobat Reader DC.lnk
              Filesize

              1.1MB

              MD5

              7c49703413d9856a6b4a2307d82b7198

              SHA1

              c80103bfb2e64047dbbed390dfe6618a17125c4a

              SHA256

              eec05be651069b299aba3b6467d2591001443e0fbdb5139f2bac36f3cad4375d

              SHA512

              09702333ea2e169a27797577749e50a8720b66dd1216e1cdcefb0725916f92dc5fdc0a4bd026bcf2c97eafd55eaa4a252a01bcbbbb87715f81c14b3742ad3107

              Download Submit

            • C:\Users\Public\Desktop\Firefox.lnk
              Filesize

              1.1MB

              MD5

              da72c4f8c2457c67d187dcfaa9403ac7

              SHA1

              fedd737fb8550ce1f1e13b2d9cd520f567412991

              SHA256

              023acf709daf9642a3939f953180946ff2a3ad321cebbfde5393b47d3ab456ed

              SHA512

              c0ef1d91a451cff0aee3dfa3a43f300c31cbcc089174ef3eed53209b5ac3c3590c4d691f616a332e47729a623d9c73924f3ec67aebe62491c1349f3bb8676de0

              Download Submit

            • C:\Users\Public\Desktop\Google Chrome.lnk
              Filesize

              1.1MB

              MD5

              2059662df16049dda65789e8206c9d3d

              SHA1

              b414ab58f739c3833fb8765d28374831b8ee2f6e

              SHA256

              b19461f06b0da3c486bac61836e2797969796a9d3c6f541aa2e83c7ca40b6ca0

              SHA512

              95f88b94565a5b2bf873fdb4f1fe7db380bc0ca1fa130a09f769a4ee16f418d0b9f15929d23536c57300b16a10a2dbee353c18393bd3245674d3c98953a060fd

              Download Submit

            • C:\Users\Public\Desktop\VLC media player.lnk
              Filesize

              1.1MB

              MD5

              b74473350b7d8f881d11595d71166e17

              SHA1

              660340973a5bc749c2f760e19e0e430d96ccb8c2

              SHA256

              52ca99d33f98a7188e1e9ef0c6c05d571f95c26eaf2cdd8f893d0bfc1ed755ee

              SHA512

              a4b0b87bf75708f9c2f7a672d70f73af9025aec0110df8b1eb6fdd8253dcbff5cb1c8811299db380d8793bd537ed4a15e613c7297f53ead1ed25df26dba76cfa

              Download Submit

            • C:\Users\Public\Ghostroot\KillDora.bat
              Filesize

              918B

              MD5

              45fcae4003de1832e478518394c3c0c8

              SHA1

              47c663c601b426748601e4b81c3bcf6a35c12b06

              SHA256

              2244d7c88dc24a9630f1845fda5ab0a3677190d9ce9a0493f58c5d976160eb11

              SHA512

              aa3bab3c6eaa809a55c62e6626edf20e9d8cf97a65e957f4e4d550dc3105a4f28eb3b438fb67cd75105922bd55129f72e2e15355ece892905102dda0050396e9

              Download Submit

            • C:\Users\Public\ghostroot\Player.vbs
              Filesize

              528B

              MD5

              b2ca858d3b7c50e46c226c7db3501cfd

              SHA1

              3410bd8c9e09d694f10bba0051b634009c3f9c2e

              SHA256

              b64d2e53ebcddb6c36cc5429c5483a01abac40def4a3a027f89104156328d41b

              SHA512

              0880c6dd1fe3aa3e00f50d0467281142eb229cea5b8f1e1a0203a681cdb40aef80039fc08fcad6e0608bc4277af7aa65cb0cb84fcc9494d1d76d4116a93a22ca

              Download Submit

            • C:\Users\Public\ghostroot\SOUNDS FROM HELL RECORDING TOTALLY LEGIT.mp3
              Filesize

              501KB

              MD5

              41c89eebb86e4f4b1b0033d8e0214026

              SHA1

              2010f7fc5e3086fef00c42d8660e1534bc95177e

              SHA256

              9dd0d4b5d11a686f9320a306d78b37404a5397e2e0d79628363db348ae9b1c48

              SHA512

              70d8879dd2b840b014c6301927aa43263b40925d8523bed252dc5719fd9a7228c986edece441b402cc64537ca0583d781e9a88431f88188aecb3973824b9f621

              Download Submit

            • C:\Users\Public\ghostroot\god.bmp
              Filesize

              183KB

              MD5

              d81b39d90fd06ab2c25c9cd1e192124e

              SHA1

              95f99c25312736628b73689ff684435b3a0ba272

              SHA256

              1bb633aba7732a3ae144802130b6176ef526ed4772c2169775b1b300b11082fd

              SHA512

              d54c59bf44ff974b012cb492b9229924fb8e3664890287770a4b48be3425de73f5654b318d34f4673db380247e33e6f905c2e5789f838e593726085e03185aad

              Download Submit

            • C:\Users\Public\ghostroot\rpdbfk.exe
              Filesize

              107KB

              MD5

              c26ed4ea9e70f65399aad2447e4aafb4

              SHA1

              4d9ad605e7932646034617ab4e5098e54945c92b

              SHA256

              fba6df310468661daab22c696d2b112ec8441857ad4bbf9ab63673260e2c5740

              SHA512

              8b3632aeb29501a12dc62b66475e2fe0d12833145c6b17278394d5524b944282c3cc2982782d9d7ca7e68b5a941500ff6405ec0ce60b0dd06113bae63454b7fa

              Download Submit

            • C:\Users\Public\ghostroot\rpdbfk.exe
              Filesize

              107KB

              MD5

              c26ed4ea9e70f65399aad2447e4aafb4

              SHA1

              4d9ad605e7932646034617ab4e5098e54945c92b

              SHA256

              fba6df310468661daab22c696d2b112ec8441857ad4bbf9ab63673260e2c5740

              SHA512

              8b3632aeb29501a12dc62b66475e2fe0d12833145c6b17278394d5524b944282c3cc2982782d9d7ca7e68b5a941500ff6405ec0ce60b0dd06113bae63454b7fa

              Download Submit

            • C:\Users\Public\ghostroot\rpdbfk.exe
              Filesize

              107KB

              MD5

              c26ed4ea9e70f65399aad2447e4aafb4

              SHA1

              4d9ad605e7932646034617ab4e5098e54945c92b

              SHA256

              fba6df310468661daab22c696d2b112ec8441857ad4bbf9ab63673260e2c5740

              SHA512

              8b3632aeb29501a12dc62b66475e2fe0d12833145c6b17278394d5524b944282c3cc2982782d9d7ca7e68b5a941500ff6405ec0ce60b0dd06113bae63454b7fa

              Download Submit

            • memory/1012-181-0x0000000004240000-0x0000000004241000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1564-360-0x000000001B560000-0x000000001B570000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1564-359-0x0000000000890000-0x00000000008B2000-memory.dmp

              Filesize

              136KB

              Download

            • memory/4000-188-0x000002D8468C0000-0x000002D8468E0000-memory.dmp

              Filesize

              128KB

              Download

            • memory/4000-190-0x000002D846880000-0x000002D8468A0000-memory.dmp

              Filesize

              128KB

              Download

            • memory/4000-193-0x000002D846EC0000-0x000002D846EE0000-memory.dmp

              Filesize

              128KB

              Download

            • memory/4000-346-0x000002D044E40000-0x000002D0455BA000-memory.dmp

              Filesize

              7.5MB

              Download