Analysis
max time kernel: 64s
max time network: 182s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/10/2022, 14:35

Static task: static1
Behavioral task: behavioral1
  Sample: 593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
  Resource: win10v2004-20220812-en

General
Target: 593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Size: 323KB
MD5: 6f6dabe0ac5d705ded06b13d938ab3ec
SHA1: 75ecc8f20c9dc3299a6178ba6003c180e05a75b1
SHA256: 593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0
SHA512: bc05e82933984c6e520e7bc1a4eb274e9ba0ec36c3a1c02b1c180270b8e0319ad7e574156835d5292fb3e169ebe2099f57001d3f49e44e76722da36bf472a2bc
SSDEEP: 6144:lBxeN/Tdx8YzL+4eBDgelLBL9C53TV5n+yNXavM:lBxe9dx8Yz6nhtL9C53TV5n+4av
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\"" | K0L4B0R451.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\"" | GoldenGhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\"" | 593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\"" | Kantuk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe" | Kantuk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\"" | 4K51K4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe" | 4K51K4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe" | K0L4B0R451.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe" | GoldenGhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe" | 593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\"" | winlogon.exe
Modifies system executable filetype association 2 TTPs 64 IoCs
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | K0L4B0R451.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | K0L4B0R451.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | K0L4B0R451.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | GoldenGhost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | 593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | 4K51K4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | 593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | GoldenGhost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | GoldenGhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" | GoldenGhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | 593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | 593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | Kantuk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | Kantuk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | K0L4B0R451.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | GoldenGhost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | Kantuk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | K0L4B0R451.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | K0L4B0R451.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | GoldenGhost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | 593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | Kantuk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File" | Kantuk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | 4K51K4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | K0L4B0R451.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | GoldenGhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | 593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | 593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | 593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File" | 593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | 4K51K4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File" | 4K51K4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | 593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | K0L4B0R451.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | 4K51K4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" | 4K51K4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | Kantuk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | Kantuk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | Kantuk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" | Kantuk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 4K51K4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | 4K51K4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | 4K51K4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | 4K51K4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | K0L4B0R451.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File" | K0L4B0R451.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" | K0L4B0R451.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | 593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" | 593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | GoldenGhost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | Kantuk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | Kantuk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | GoldenGhost.exe
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Kantuk.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 4K51K4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | K0L4B0R451.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | GoldenGhost.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | Kantuk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | 4K51K4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | K0L4B0R451.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | GoldenGhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | 593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Disables RegEdit via registry modification 12 IoCs
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Kantuk.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 4K51K4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | K0L4B0R451.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | K0L4B0R451.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | GoldenGhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Kantuk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 4K51K4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | GoldenGhost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Disables Task Manager via registry modification
Disables cmd.exe use via registry modification 12 IoCs
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | 4K51K4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | K0L4B0R451.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | GoldenGhost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | Kantuk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | Kantuk.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | 4K51K4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | K0L4B0R451.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | GoldenGhost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | 593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | 593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | winlogon.exe
Disables use of System Restore points 1 TTPs
Executes dropped EXE 10 IoCs
pid | process
2148 | winlogon.exe
4744 | winlogon.exe
1540 | Kantuk.exe
1320 | 4K51K4.exe
3588 | K0L4B0R451.exe
3860 | GoldenGhost.exe
2016 | Kantuk.exe
112 | 4K51K4.exe
1160 | K0L4B0R451.exe
2640 | GoldenGhost.exe
Sets file execution options in registry 2 TTPs 64 IoCs
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avgnt.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcoas.exe\Debugger = "cmd.exe /c del" | K0L4B0R451.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe | K0L4B0R451.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CClaw.exe | GoldenGhost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CClaw.exe | 593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvccf.exe | 593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger = "cmd.exe /c del" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Niu.exe | GoldenGhost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav.exe | Kantuk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nip.exe | 4K51K4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe | GoldenGhost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcoas.exe | GoldenGhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nipsvc.exe\Debugger = "cmd.exe /c del" | Kantuk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV.exe\Debugger = "cmd.exe /c del" | 4K51K4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-SE.exe\Debugger = "cmd.exe /c del" | 4K51K4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe | 4K51K4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CClaw.exe\Debugger = "cmd.exe /c del" | GoldenGhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CClaw.exe\Debugger = "cmd.exe /c del" | 593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avgw.exe | Kantuk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nip.exe\Debugger = "cmd.exe /c del" | Kantuk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avgw.exe\Debugger = "cmd.exe /c del" | GoldenGhost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe | 593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe\Debugger = "cmd.exe /c del" | 593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avguard.exe\Debugger = "cmd.exe /c del" | GoldenGhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe\Debugger = "cmd.exe /c del" | 4K51K4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avgnt.exe | K0L4B0R451.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe | GoldenGhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Niu.exe\Debugger = "cmd.exe /c del" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV.exe | Kantuk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe | K0L4B0R451.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe | GoldenGhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe\Debugger = "cmd.exe /c del" | GoldenGhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Njeeves.exe\Debugger = "cmd.exe /c del" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe | 4K51K4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Niu.exe | 4K51K4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe\Debugger = "notepad.exe" | K0L4B0R451.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV.exe | K0L4B0R451.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CClaw.exe | K0L4B0R451.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcoas.exe | K0L4B0R451.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-SE.exe | Kantuk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV.exe | 4K51K4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.exe | GoldenGhost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avguard.exe | Kantuk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CClaw.exe\Debugger = "cmd.exe /c del" | Kantuk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CClaw.exe | 4K51K4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-SE.exe\Debugger = "cmd.exe /c del" | Kantuk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe\Debugger = "cmd.exe /c del" | Kantuk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav.exe\Debugger = "cmd.exe /c del" | 4K51K4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe | GoldenGhost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nip.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Niu.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe | Kantuk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe | 4K51K4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe | GoldenGhost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avgnt.exe | GoldenGhost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe | 593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nipsvc.exe\Debugger = "cmd.exe /c del" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav.exe\Debugger = "cmd.exe /c del" | K0L4B0R451.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\Debugger = "notepad.exe" | 593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe | 593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del" | Kantuk.exe
Adds Run key to start application 2 TTPs 24 IoCs
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ | 593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ | Kantuk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ | 4K51K4.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | K0L4B0R451.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ | K0L4B0R451.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | 593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ | GoldenGhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | K0L4B0R451.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe" | Kantuk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | GoldenGhost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe" | 593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | Kantuk.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe" | 4K51K4.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe" | GoldenGhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | 593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | 4K51K4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | 4K51K4.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe" | K0L4B0R451.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | GoldenGhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | Kantuk.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | 593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | Kantuk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | 4K51K4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | K0L4B0R451.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | GoldenGhost.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (23 opens) Kantuk.exe
File opened (read-only) the same 23 drive letters (23 opens) K0L4B0R451.exe
Both processes probe every letter from B: to Z: except C: and D:, whether or not a volume is mounted there. Read together with the autorun.inf drop below, this is a removable-media spreading routine, not a one-off lookup of the system drive.
-
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process
File created C:\autorun.inf Kantuk.exe
File opened for modification C:\autorun.inf Kantuk.exe
-
Drops file in System32 directory 47 IoCs
Every path below is under C:\Windows\SysWOW64\ even though the registry values and command lines elsewhere in this report say C:\Windows\system32\. The sample is 32-bit (arch:x86 tag, WOW6432Node registry keys, SysWOW64 image paths), so file-system redirection maps its system32 writes to SysWOW64 and registry redirection maps its HKLM\SOFTWARE writes to WOW6432Node; hunt in those locations, not in the real system32. The icon files are named after common file types (Folder, Word, Rar, JPG, Player). In the Process column, "sample" is 593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe.
description ioc Process
~A~m~B~u~R~a~D~u~L~ (directory): File opened for modification by sample, winlogon.exe
~A~m~B~u~R~a~D~u~L~\winlogon.exe: File created by sample, winlogon.exe; File opened for modification by sample, winlogon.exe
~A~m~B~u~R~a~D~u~L~\winlogon.exe.tmp: File opened for modification by sample, winlogon.exe
~A~m~B~u~R~a~D~u~L~\JPG.ico: File created by sample, winlogon.exe
Kantuk.exe: File created by sample; File opened for modification by sample, winlogon.exe
Kantuk.exe.tmp: File opened for modification by sample, winlogon.exe
4K51K4.exe: File created by sample; File opened for modification by sample, winlogon.exe
4K51K4.exe.tmp: File opened for modification by sample, winlogon.exe
K0L4B0R451.exe: File created by sample; File opened for modification by sample, winlogon.exe
K0L4B0R451.exe.tmp: File opened for modification by sample, winlogon.exe
GoldenGhost.exe: File created by sample; File opened for modification by sample, winlogon.exe
GoldenGhost.exe.tmp: File opened for modification by sample, winlogon.exe
Shell32.com: File created by sample; File opened for modification by sample, winlogon.exe
Shell32.com.tmp: File opened for modification by sample, winlogon.exe
Windows_3D.scr: File opened for modification by sample, winlogon.exe
Asli.ico, Player.ico, Word.ico, Folder.ico, Rar.ico: File created by sample, winlogon.exe (each)
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\K0L4B0R451.jpg" 593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\K0L4B0R451.jpg 593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox tags this as likely ransomware behaviour, but nothing in this report shows files being encrypted; read with the drive-letter sweep and the autorun.inf drop above, it fits removable-media spreading.
-
Modifies Control Panel 45 IoCs
description ioc Process
All keys are under \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\. "all six" means one row each for 593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe (sample), winlogon.exe, Kantuk.exe, 4K51K4.exe, K0L4B0R451.exe and GoldenGhost.exe.
Key created Desktop\  all six (sample additionally creates Desktop without the trailing backslash)
Key created International\  all six
Set value (str) International\s1159 = "K0L4B0R451"  all six
Set value (str) International\s2359 = "K0L4B0R451"  all six
Set value (str) Desktop\ScreenSaveTimeOut = "100"  all six
Set value (str) Desktop\ScreenSaverIsSecure = "0"  all six
Set value (str) Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr"  all six
Set value (str) Desktop\TileWallpaper = "0"  sample
Set value (str) Desktop\WallpaperStyle = "0"  sample
s1159 and s2359 are the AM and PM designators of the user's locale, so the clock and every 12-hour timestamp shows "K0L4B0R451" in place of AM/PM: a visible calling card. SCRNSAVE.EXE points at the Windows_3D.scr the sample writes into (the redirected) system32, with a 100-second idle timeout and no password on resume; a screensaver is an ordinary executable, so this is a second route to getting dropped code run in the user session.
-
Modifies registry class 64 IoCs
description ioc Process
Only 64 rows are listed, so not every process appears against every key. All keys are under \REGISTRY\MACHINE\SOFTWARE\Classes\; "sample" is 593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe.
Set value (str) exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"  4K51K4.exe, sample
Set value (str) batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"  GoldenGhost.exe, Kantuk.exe, K0L4B0R451.exe, 4K51K4.exe
Set value (str) comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"  Kantuk.exe, winlogon.exe
Set value (str) piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"  Kantuk.exe, 4K51K4.exe
Set value (str) lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"  K0L4B0R451.exe, sample
Set value (str) scrfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"  GoldenGhost.exe, Kantuk.exe
Set value (str) exefile\ = "K0L4B0R451 File"  K0L4B0R451.exe, 4K51K4.exe, GoldenGhost.exe
Set value (str) scrfile\ = "K0L4B0R451 File"  K0L4B0R451.exe, winlogon.exe
Set value (int) exefile\NeverShowExt = "1"  K0L4B0R451.exe
Set value (int) scrfile\NeverShowExt = "1"  4K51K4.exe, GoldenGhost.exe, winlogon.exe
Set value (str) inffile\shell\Edit\Command\ = "logoff.exe"  winlogon.exe, Kantuk.exe, GoldenGhost.exe, 4K51K4.exe
Set value (str) inffile\shell\Install\command\ = "logoff.exe"  K0L4B0R451.exe, Kantuk.exe
Set value (str) regfile\shell\open\command\ = "logoff.exe"  sample
Set value (str) regfile\shell\edit\command\ = "logoff.exe"  winlogon.exe
Set value (str) VBSFile\Shell\Install\command\ = "logoff.exe"  winlogon.exe
Key created exefile  4K51K4.exe, sample
Key created exefile\shell\open\command  GoldenGhost.exe, Kantuk.exe, winlogon.exe, sample
Key created batfile\shell\open\command  sample
Key created piffile\shell\open\command  K0L4B0R451.exe, 4K51K4.exe, GoldenGhost.exe
Key created lnkfile\shell\open\command  sample, GoldenGhost.exe
Key created scrfile\shell\open\command  GoldenGhost.exe, K0L4B0R451.exe, 4K51K4.exe, winlogon.exe
Key created inffile\Shell  sample
Key created inffile\shell\Edit  sample
Key created inffile\Shell\Edit\Command  GoldenGhost.exe, sample
Key created inffile\shell\Install\command  K0L4B0R451.exe
Key created regfile  sample
Key created regfile\shell\Install  sample
Key created regfile\shell\Install\command  winlogon.exe
Key created regfile\shell\open\command  GoldenGhost.exe
Key created regfile\Shell\Edit\Command  winlogon.exe
Key created VBSFile  sample
Key created VBSFile\shell\Install\command  GoldenGhost.exe, sample
Key created VBSFile\Shell\Install\command  sample
Key created VBSFile\Shell\Edit\Command  K0L4B0R451.exe, Kantuk.exe
Two different tricks sit in this table. For .exe, .bat, .com, .pif, .lnk and .scr the open verb is redirected to the dropped 4K51K4.exe, with the file the user actually launched handed over as "%1", so the malware is invoked for every program start on the machine. For .reg, .inf and .vbs the open, edit and install verbs are replaced by logoff.exe with no "%1" at all, so trying to import a registry fix, install an INF or run a script simply ends the session. NeverShowExt hides the .exe and .scr extensions in Explorer and the displayed type name becomes "K0L4B0R451 File". For cleanup the exefile association has to be restored first (the default open command is "%1" %*), because until then any .exe started on the host, cleanup tools included, is routed through 4K51K4.exe.
Suspicious behavior: GetForegroundWindowSpam 4 IoCs
pid Process
1320 4K51K4.exe
3860 GoldenGhost.exe
1540 Kantuk.exe
3588 K0L4B0R451.exe
-
Suspicious use of SetWindowsHookEx 11 IoCs
pid Process
4772 593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe
2148 winlogon.exe
4744 winlogon.exe
1540 Kantuk.exe
1320 4K51K4.exe
3588 K0L4B0R451.exe
3860 GoldenGhost.exe
2016 Kantuk.exe
112 4K51K4.exe
1160 K0L4B0R451.exe
2640 GoldenGhost.exe
-
Suspicious use of WriteProcessMemory 30 IoCs
description pid Process procid_target
Ten distinct writer/target pairs, each logged three times (30 rows). procid_target is the report's own process index, not a PID. Every target PID is a process the writer itself started (see the Processes tree below and the SetWindowsHookEx list above), and each child receives the same three writes: that is the footprint of a parent setting up a process it has just created, not a write into an unrelated process that was already running, so this signature on its own is not evidence of injection here.
PID 4772 wrote to memory of 2148 4772 593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe 83  (3 rows)
PID 2148 wrote to memory of 4744 2148 winlogon.exe 84  (3 rows)
PID 2148 wrote to memory of 1540 2148 winlogon.exe 85  (3 rows)
PID 2148 wrote to memory of 1320 2148 winlogon.exe 86  (3 rows)
PID 2148 wrote to memory of 3588 2148 winlogon.exe 87  (3 rows)
PID 2148 wrote to memory of 3860 2148 winlogon.exe 88  (3 rows)
PID 4772 wrote to memory of 2016 4772 593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe 89  (3 rows)
PID 4772 wrote to memory of 112 4772 593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe 90  (3 rows)
PID 4772 wrote to memory of 1160 4772 593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe 91  (3 rows)
PID 4772 wrote to memory of 2640 4772 593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe 93  (3 rows)
-
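The WriteProcessMemory rows carry the lineage of the whole infection (who started whom, and how many writes each child received), but only if they are parsed rather than read. The following is an added example, not part of the tria.ge report, that parses rows in this format, counts the repeated writes per parent/child pair, rebuilds the tree, and names the child PIDs from the SetWindowsHookEx pid list above. It assumes the sample rows below, copied from this page with the 64-character sample name shortened to sample.exe; the "writes from" annotation and the function names are mine. The point it makes visible is that every write target is a freshly created child of the writer.

```python
"""Rebuild parent/child lineage from a sandbox report's WriteProcessMemory rows."""
import re
from collections import Counter, defaultdict

# Constructed input: the 30 "wrote to memory of" rows of the report above, with the long
# sample name shortened to sample.exe. Columns: writer PID, target PID, writer PID again
# (the report's pid column), writer image, and the report's internal target index.
WRITE_ROWS = """
PID 4772 wrote to memory of 2148 4772 sample.exe 83
PID 4772 wrote to memory of 2148 4772 sample.exe 83
PID 4772 wrote to memory of 2148 4772 sample.exe 83
PID 2148 wrote to memory of 4744 2148 winlogon.exe 84
PID 2148 wrote to memory of 4744 2148 winlogon.exe 84
PID 2148 wrote to memory of 4744 2148 winlogon.exe 84
PID 2148 wrote to memory of 1540 2148 winlogon.exe 85
PID 2148 wrote to memory of 1540 2148 winlogon.exe 85
PID 2148 wrote to memory of 1540 2148 winlogon.exe 85
PID 2148 wrote to memory of 1320 2148 winlogon.exe 86
PID 2148 wrote to memory of 1320 2148 winlogon.exe 86
PID 2148 wrote to memory of 1320 2148 winlogon.exe 86
PID 2148 wrote to memory of 3588 2148 winlogon.exe 87
PID 2148 wrote to memory of 3588 2148 winlogon.exe 87
PID 2148 wrote to memory of 3588 2148 winlogon.exe 87
PID 2148 wrote to memory of 3860 2148 winlogon.exe 88
PID 2148 wrote to memory of 3860 2148 winlogon.exe 88
PID 2148 wrote to memory of 3860 2148 winlogon.exe 88
PID 4772 wrote to memory of 2016 4772 sample.exe 89
PID 4772 wrote to memory of 2016 4772 sample.exe 89
PID 4772 wrote to memory of 2016 4772 sample.exe 89
PID 4772 wrote to memory of 112 4772 sample.exe 90
PID 4772 wrote to memory of 112 4772 sample.exe 90
PID 4772 wrote to memory of 112 4772 sample.exe 90
PID 4772 wrote to memory of 1160 4772 sample.exe 91
PID 4772 wrote to memory of 1160 4772 sample.exe 91
PID 4772 wrote to memory of 1160 4772 sample.exe 91
PID 4772 wrote to memory of 2640 4772 sample.exe 93
PID 4772 wrote to memory of 2640 4772 sample.exe 93
PID 4772 wrote to memory of 2640 4772 sample.exe 93
"""
# The report's "Suspicious use of SetWindowsHookEx" pid/Process list, used to name the children.
PID_TABLE = ("4772 sample.exe 2148 winlogon.exe 4744 winlogon.exe 1540 Kantuk.exe 1320 4K51K4.exe "
             "3588 K0L4B0R451.exe 3860 GoldenGhost.exe 2016 Kantuk.exe 112 4K51K4.exe "
             "1160 K0L4B0R451.exe 2640 GoldenGhost.exe")

# writer PID, target PID, the writer PID repeated (\1), writer image, procid_target
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+")

def parse_writes(text):
    """({(writer, target): row count}, {writer: image}); repeated rows are counted, not dropped."""
    edges, images = Counter(), {}
    for m in WRITE_RE.finditer(text):
        writer, target, image = int(m.group(1)), int(m.group(2)), m.group(3)
        edges[(writer, target)] += 1
        images[writer] = image
    return edges, images

def parse_pid_table(text):
    return {int(pid): image for pid, image in re.findall(r"(\d+) (\S+)", text)}

def build_tree(edges):
    """Children per writer in first-seen order, plus the roots (writers nobody wrote into)."""
    children = defaultdict(list)
    for writer, target in edges:          # Counter keeps insertion order
        children[writer].append(target)
    targets = {t for _, t in edges}
    roots = [w for w in dict.fromkeys(w for w, _ in edges) if w not in targets]
    return children, roots

def lineage(write_text=WRITE_ROWS, pid_text=PID_TABLE):
    edges, images = parse_writes(write_text)
    names = {**parse_pid_table(pid_text), **images}
    children, roots = build_tree(edges)
    return edges, names, children, roots

def render(edges, names, children, roots):
    """Indented tree, each child annotated with how many writes it received from its parent."""
    lines = []
    def walk(pid, parent, depth):
        note = f"  ({edges[(parent, pid)]} writes from {parent})" if parent is not None else ""
        lines.append(f"{'  ' * depth}{pid} {names.get(pid, '?')}{note}")
        for kid in children.get(pid, []):
            walk(kid, pid, depth + 1)
    for root in roots:
        walk(root, None, 0)
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(*lineage()))
```

Run as a script it prints the eleven-process tree with 4772 as the only root and a uniform "3 writes" behind every child. A target PID that is not a child of its writer, or a pair with a write count out of line with the others, is what would turn this signature from process-creation noise into an injection lead.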
System policy modification 1 TTPs 48 IoCs
description ioc Process
All keys are under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\. Every row below was written by each of the six processes (593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe, winlogon.exe, Kantuk.exe, 4K51K4.exe, K0L4B0R451.exe, GoldenGhost.exe), 6 rows per ioc.
Key created System
Key created Explorer
Set value (int) System\DisableTaskMgr = "1"
Set value (int) System\DisableRegistryTools = "1"
Set value (int) System\DisableCMD = "1"
Set value (int) System\EnableLUA = "1"
Set value (int) Explorer\NoTrayContextMenu = "1"
Set value (int) Explorer\NoViewContextMenu = "1"
Task Manager, Registry Editor and cmd.exe are switched off and the Explorer context menus removed, so the usual on-host cleanup tools stay unavailable until these values are deleted from a session the policies do not reach (a remote shell, an offline boot, or a tool that does not honour them). EnableLUA is written as "1", i.e. UAC is left on: none of these writes turns UAC off.
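The registry tables in this report (Run keys, EnableLUA, Control Panel, registry classes, system policies, and the Winlogon rows earlier in the report) all share one row format, and what a responder wants from them is not the rows but what they do to the host. The following is an added example, mine rather than tria.ge's, that parses rows in that format and classifies each write: Run-key autostarts; Winlogon Shell and Userinit values that are not the defaults; file-association hijacks, split into wrappers (the launched file survives as "%1", as with the 4K51K4.exe commands) and traps (it does not, as with the logoff.exe verbs); NeverShowExt; the lockout policies; EnableLUA writes, with the value reported because every one on this page is "1"; and screensaver executables. The sample rows are copied from this page with the sample name shortened to sample.exe; the category names and the allowlist of expected command handlers are my assumptions.

```python
"""Classify the registry IoC rows of a sandbox report into what they do to the host."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: rows copied from the report above, one per line, with the 64-character
# sample name shortened to sample.exe. Data is kept exactly as the report escapes it
# (backslashes doubled, quotes escaped); key paths are not escaped. Hence a raw string.
SAMPLE_ROWS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" winlogon.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe" 4K51K4.exe
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\ Kantuk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" sample.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" 4K51K4.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "logoff.exe" sample.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Edit\Command\ = "logoff.exe" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" K0L4B0R451.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" Kantuk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" 4K51K4.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1" winlogon.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr" GoldenGhost.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100" GoldenGhost.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\s2359 = "K0L4B0R451" K0L4B0R451.exe
'''

SET_RE = re.compile(r'^Set value \((?:str|int)\) (?P<key>.+?) = "(?P<data>.*)" (?P<proc>\S+)$')
KEY_RE = re.compile(r'^Key created (?P<key>.+) (?P<proc>\S+)$')
HIVE_RE = re.compile(r'^\\REGISTRY\\(?:MACHINE|USER\\S-1-5-[\d-]+)\\')

# Programs that may legitimately sit in a Classes\...\shell\<verb>\command value. Assumption:
# this short allowlist covers the verbs in this report; extend it for other file types.
EXPECTED_HANDLERS = {"%1", "regedit.exe", "notepad.exe", "wscript.exe", "cscript.exe",
                     "rundll32.exe", "infdefaultinstall.exe"}
LOCKOUT_VALUES = {"disabletaskmgr", "disableregistrytools", "disablecmd",
                  "notraycontextmenu", "noviewcontextmenu"}

@dataclass(frozen=True)
class Finding:
    category: str
    key: str        # path with the hive prefix removed
    data: str       # value data with the report's escaping undone
    process: str

def parse_row(line: str):
    """One report row -> (kind, key, data, process); None for anything that is not a row."""
    m = SET_RE.match(line)
    if m:
        data = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
        return "set", m.group("key"), data, m.group("proc")
    m = KEY_RE.match(line)
    return ("key", m.group("key"), "", m.group("proc")) if m else None

def program_of(command: str) -> str:
    """Lower-cased basename of the program a shell command runs ("%1" means the file itself)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        prog = command[1:end] if end > 0 else command[1:]
    else:
        prog = command.split(" ", 1)[0]
    return prog.rsplit("\\", 1)[-1].lower()

def classify(line: str) -> Optional[Finding]:
    """Map one 'Set value' row to a finding; 'Key created' rows and benign values give None."""
    row = parse_row(line)
    if row is None or row[0] != "set":
        return None
    _, key, data, proc = row
    short = HIVE_RE.sub("", key)
    low = short.lower().replace("\\wow6432node", "")   # fold the 32-bit view into the 64-bit one
    name = low.rsplit("\\", 1)[-1]
    cat = None
    if low.endswith("\\currentversion\\winlogon\\shell"):
        cat = None if data.lower() == "explorer.exe" else "winlogon-shell"
    elif low.endswith("\\currentversion\\winlogon\\userinit"):
        cat = None if data.lower() == "c:\\windows\\system32\\userinit.exe," else "winlogon-userinit"
    elif "\\currentversion\\run\\" in low:
        cat = "run-key"
    elif "\\classes\\" in low and low.endswith("\\command\\"):
        if program_of(data) not in EXPECTED_HANDLERS:
            # wrapper: the launched file is still passed on as %1, so the hijack goes unnoticed;
            # trap: %1 is dropped and the verb only runs the planted program (here logoff.exe)
            cat = "assoc-wrapper" if "%1" in data else "assoc-trap"
    elif "\\classes\\" in low and name == "nevershowext" and data == "1":
        cat = "hide-extension"
    elif "\\policies\\" in low and name in LOCKOUT_VALUES and data == "1":
        cat = "lockout"
    elif "\\policies\\system\\" in low and name == "enablelua":
        cat = "uac-disabled" if data == "0" else "uac-write"
    elif name == "scrnsave.exe":
        cat = "screensaver-exe"
    return Finding(cat, short, data, proc) if cat else None

def scan(text: str) -> list:
    return [f for f in map(classify, text.splitlines()) if f]

def summarize(findings) -> dict:
    """Findings per category, e.g. {'lockout': 3, 'assoc-trap': 2, ...}."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts

if __name__ == "__main__":
    for f in scan(SAMPLE_ROWS):
        print(f"{f.category:16} {f.process:16} {f.key} = {f.data}")
    print(summarize(scan(SAMPLE_ROWS)))
```

Fed the complete report, scan() gives one line per meaningful write and summarize() a per-category count; grouping the findings by process shows that all six binaries on this page perform the same set of writes. The assoc-wrapper finding on exefile is the one to act on first during cleanup, since every .exe launched on the host goes through the planted command until it is restored.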
Processes
-
C:\Users\Admin\AppData\Local\Temp\593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe  (level 1)
command line: "C:\Users\Admin\AppData\Local\Temp\593de4103c039863adf317f3e1fa0bbdfd77d7bafb5135e0135babd523da90a0.exe"
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 4772
Process (depth 2): C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
Command line: C:\Windows\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 2148
Process (depth 3): C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
Command line: C:\Windows\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 4744
Process (depth 3): C:\Windows\SysWOW64\Kantuk.exe
Command line: C:\Windows\system32\Kantuk.exe
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID: 1540
Process (depth 3): C:\Windows\SysWOW64\4K51K4.exe
Command line: C:\Windows\system32\4K51K4.exe
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID: 1320
Process (depth 3): C:\Windows\SysWOW64\K0L4B0R451.exe
Command line: C:\Windows\system32\K0L4B0R451.exe
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID: 3588
Process (depth 3): C:\Windows\SysWOW64\GoldenGhost.exe
Command line: C:\Windows\system32\GoldenGhost.exe
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID: 3860
Process (depth 2): C:\Windows\SysWOW64\Kantuk.exe
Command line: C:\Windows\system32\Kantuk.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 2016
Process (depth 2): C:\Windows\SysWOW64\4K51K4.exe
Command line: C:\Windows\system32\4K51K4.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 112
Process (depth 2): C:\Windows\SysWOW64\K0L4B0R451.exe
Command line: C:\Windows\system32\K0L4B0R451.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 1160
Process (depth 2): C:\Windows\SysWOW64\GoldenGhost.exe
Command line: C:\Windows\system32\GoldenGhost.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 2640
Network
MITRE ATT&CK Enterprise v6
Persistence
- Change Default File Association (1)
- Hidden Files and Directories (1)
- Registry Run Keys / Startup Folder (2)
- Winlogon Helper DLL (1)
Defense Evasion
- Bypass User Account Control (1)
- Disabling Security Tools (1)
- Hidden Files and Directories (1)
- Modify Registry (8)
Downloads