Overview

overview

10

Static

static

3

NEAS.c9004...90.exe

windows7-x64

10

NEAS.c9004...90.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    59s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/11/2023, 13:49

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.c90042e7f31c8a268a331c3f717c3b90.exe

  • Size

    323KB

  • MD5

    c90042e7f31c8a268a331c3f717c3b90

  • SHA1

    707ccf07367221acebee88fc670cf39eb6c0038f

  • SHA256

    8cd0e68f3536147e63202ede9f4bcd5ccb07eecf719fd6d68adcd377a2bf45e6

  • SHA512

    87dfe51a70c39f9ef8aabf657ab0b04354d2d513083c8f6211c12cd9d90c055c697fd254958b2058b574aa1d6596d2d4bd60cddc4a3b5fb2fcd6398b07e4890a

  • SSDEEP

    6144:jBxeN/Tdx8YzL+4eBDgelLBL9C53TV5n+yNXavM:jBxe9dx8Yz6nhtL9C53TV5n+4av

Score
10/10
evasionpersistenceransomwaretrojan

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
    evasion
  • UAC bypass 3 TTPs 6 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 12 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Disables cmd.exe use via registry modification 12 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Sets file execution options in registry 2 TTPs 64 IoCs
    persistence
  • Executes dropped EXE 10 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 44 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 47 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 45 IoCs
    evasion
  • Modifies registry class 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 4 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • System policy modification 1 TTPs 48 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.c90042e7f31c8a268a331c3f717c3b90.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.c90042e7f31c8a268a331c3f717c3b90.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • UAC bypass
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Sets file execution options in registry
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3512
    • C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
      C:\Windows\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Sets file execution options in registry
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1832
      • C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        C:\Windows\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4724
      • C:\Windows\SysWOW64\Kantuk.exe
        C:\Windows\system32\Kantuk.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1440
      • C:\Windows\SysWOW64\4K51K4.exe
        C:\Windows\system32\4K51K4.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4444
      • C:\Windows\SysWOW64\K0L4B0R451.exe
        C:\Windows\system32\K0L4B0R451.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2320
      • C:\Windows\SysWOW64\GoldenGhost.exe
        C:\Windows\system32\GoldenGhost.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4212
    • C:\Windows\SysWOW64\Kantuk.exe
      C:\Windows\system32\Kantuk.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Sets file execution options in registry
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Enumerates connected drives
      • Drops autorun.inf file
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:3584
    • C:\Windows\SysWOW64\4K51K4.exe
      C:\Windows\system32\4K51K4.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Sets file execution options in registry
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:4140
    • C:\Windows\SysWOW64\K0L4B0R451.exe
      C:\Windows\system32\K0L4B0R451.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Sets file execution options in registry
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Enumerates connected drives
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:4740
    • C:\Windows\SysWOW64\GoldenGhost.exe
      C:\Windows\system32\GoldenGhost.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Sets file execution options in registry
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:3356

Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Replication Through Removable Media

        1
        T1091

        Execution

        Persistence

        Boot or Logon Autostart Execution

        3
        T1547

        Registry Run Keys / Startup Folder

        2
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Event Triggered Execution

        1
        T1546

        Change Default File Association

        1
        T1546.001

        Privilege Escalation

        Abuse Elevation Control Mechanism

        1
        T1548

        Bypass User Account Control

        1
        T1548.002

        Boot or Logon Autostart Execution

        3
        T1547

        Registry Run Keys / Startup Folder

        2
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Event Triggered Execution

        1
        T1546

        Change Default File Association

        1
        T1546.001

        Defense Evasion

        Abuse Elevation Control Mechanism

        1
        T1548

        Bypass User Account Control

        1
        T1548.002

        Hide Artifacts

        1
        T1564

        Hidden Files and Directories

        1
        T1564.001

        Impair Defenses

        1
        T1562

        Disable or Modify Tools

        1
        T1562.001

        Modify Registry

        8
        T1112

        Credential Access

        Discovery

        Peripheral Device Discovery

        1
        T1120

        Query Registry

        1
        T1012

        System Information Discovery

        3
        T1082

        Lateral Movement

        Replication Through Removable Media

        1
        T1091

        Collection

        Command and Control

        Exfiltration

        Impact

        Defacement

        1
        T1491

        Inhibit System Recovery

        1
        T1490

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Aut0exec.bat
          Filesize

          323KB

          MD5

          f8b933b1fcbf0fb25d8550a9648e3219

          SHA1

          4c3ecb5414e6647535332f681bd0d6778ccd315d

          SHA256

          eac695add4a45667aacb101f6ac10d60d2dad21291a0673974fd526aa28f6454

          SHA512

          2b7e0323c92420712d80e03fc6783d83e5f5efc15dc79716c972ecdb616cf4e3719102b0dd38a696ae1c9bf3aa0332357bce7b42d243744c4f33317fb3e34657

          Download Submit

        • C:\Aut0exec.bat.tmp
          Filesize

          323KB

          MD5

          fb62828fe9a0fe84575c46458329ff73

          SHA1

          1121c3bcf23b1d5faff560793c06f5e2d428ec01

          SHA256

          9142f30b4a2825d32a5ae2542f0b801efded14ba3580b09b2c90584b34836df3

          SHA512

          7254b5e5db52a1c56deb684e6ca5bf6814b386911dcfa1de08da63cea96b0a07a8ef466db2c285be1a278ca64c33b4a76d0ed57fb0729c8e7154e57e5c85aaff

          Download Submit

        • C:\Aut0exec.bat.tmp
          Filesize

          323KB

          MD5

          59ddc6de857ad357f3f9d6244e66de10

          SHA1

          b9111b6124b93be02b43b7ff373f5f4b0e0fffce

          SHA256

          ddf063c609bc9dcd601d62890faf0f8aacb89de01c0ea97689976399196e0a27

          SHA512

          3c7cdf984aad74cc166c667419c6daefe89bc0fe8d384f96509c19e17e6094cef8b67aae001cff3c1e4550f42103945c0e520cd59e05276d183651de5a3c3f74

          Download Submit

        • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Empty.pif
          Filesize

          323KB

          MD5

          2e31817170ec63b662c0d770d04409ed

          SHA1

          a7ceee30daae6815b2218e06fee0a1368521b84f

          SHA256

          7a6ab0a907cf1243cc7b8399657de128e395c2ec1a2d998c165a23e70d4731bb

          SHA512

          fe29c5f7132b63870b355ebaea480802fadcc5b75776eef76a63373993f5c98c1dac1b1e4ca2de8f95e0673b13ca1bd63487569d9c6941b2f9184f0a8c5c37ff

          Download Submit

        • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Empty.pif
          Filesize

          323KB

          MD5

          e768b210435bc92a5f9a9193f489b8cb

          SHA1

          87b3958085fbd2d832ed034395a9dc2eaca9669c

          SHA256

          93c8081543bb2d769dfaaf43745548616406e491115557e11c3a59308c087350

          SHA512

          432291fee72cf20b1d1d7c1fefc83f989e2eb3e8b10246bc3c7fe164f371c5e9036e9fdca156b7b5598b44532a59035f406ca2a9593d72ef67aff986fcd83af5

          Download Submit

        • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Empty.pif
          Filesize

          323KB

          MD5

          2d670fabd7f9021cc1972eba387ccc05

          SHA1

          840cec15c39a01715ecb053dbd1da617a3f80855

          SHA256

          8dfd884f407f46054c21b520cfc53e95c219885c2b9f88074a116797743a84ca

          SHA512

          ce28724af527a63b88491ae63d0b3ff4be5603e5fb6b033b15c130a6c1ac704be8692f691dbe0b2532d9ebad22793849d87cb384c44bdda0fbfe90bd0beb084f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Windows_3D.scr
          Filesize

          323KB

          MD5

          f8b933b1fcbf0fb25d8550a9648e3219

          SHA1

          4c3ecb5414e6647535332f681bd0d6778ccd315d

          SHA256

          eac695add4a45667aacb101f6ac10d60d2dad21291a0673974fd526aa28f6454

          SHA512

          2b7e0323c92420712d80e03fc6783d83e5f5efc15dc79716c972ecdb616cf4e3719102b0dd38a696ae1c9bf3aa0332357bce7b42d243744c4f33317fb3e34657

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Windows_3D.scr.tmp
          Filesize

          323KB

          MD5

          90b43b020affa28ed9608eb2da15a40c

          SHA1

          19f64f942814733a15ee220035110a9e3fcf1d94

          SHA256

          ab3a53f4979329300e42cbc5d8244b461972214851d560c0bf2398af7b038ef6

          SHA512

          0458a5fd386f9aa99ef27d0349ce6d3c08d1998cb6a4e47af2671535cd6dc2908310b846a416781f625d56ae86b224750ec7855e253c5a4f08bb5bca19a819f8

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Windows_3D.scr.tmp
          Filesize

          323KB

          MD5

          2bf51d9f1bab0c4f0a53e430dff3f8a8

          SHA1

          782e117c785ebb672e7a88c1cdadb75a0eb395e0

          SHA256

          cde1c0d6d7c32056d918b8a945c3d1456a74fadf9fc6d1604b82abc43e0e4600

          SHA512

          1f522665c97e5a2ff8e23728e6d0a45df69d501ede0ec8ef03c242d2baf101ca2623c365e86d7f2283b35e1b98a9deb4402655358b882357788d2d4293f9cf4b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Windows_3D.scr.tmp
          Filesize

          323KB

          MD5

          62fd6347bd97a8e24ada8606e115d39b

          SHA1

          0f9d0e36e7860c3a15ba25c92b850ec2285ed250

          SHA256

          98d91c3c79c7eae2efd271d2791602d850726e201eb6b99c28185cc2dfad7660

          SHA512

          6f2727599123dbe1489fa91823e78ddb114592d204481a2355a0aac3912568c22ca0091080faddf4e9e5c47c27fdd882eb08f08962d9d42853ca25bfe09c6f1d

          Download Submit

        • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif
          Filesize

          323KB

          MD5

          f8b933b1fcbf0fb25d8550a9648e3219

          SHA1

          4c3ecb5414e6647535332f681bd0d6778ccd315d

          SHA256

          eac695add4a45667aacb101f6ac10d60d2dad21291a0673974fd526aa28f6454

          SHA512

          2b7e0323c92420712d80e03fc6783d83e5f5efc15dc79716c972ecdb616cf4e3719102b0dd38a696ae1c9bf3aa0332357bce7b42d243744c4f33317fb3e34657

          Download Submit

        • C:\Windows\SysWOW64\4K51K4.exe
          Filesize

          323KB

          MD5

          f8b933b1fcbf0fb25d8550a9648e3219

          SHA1

          4c3ecb5414e6647535332f681bd0d6778ccd315d

          SHA256

          eac695add4a45667aacb101f6ac10d60d2dad21291a0673974fd526aa28f6454

          SHA512

          2b7e0323c92420712d80e03fc6783d83e5f5efc15dc79716c972ecdb616cf4e3719102b0dd38a696ae1c9bf3aa0332357bce7b42d243744c4f33317fb3e34657

          Download Submit

        • C:\Windows\SysWOW64\4K51K4.exe
          Filesize

          323KB

          MD5

          2fe45e2bb624368ce351c4969e26b8f3

          SHA1

          cf43f5edf270d78878b28d93c5e70c291d3b3cb5

          SHA256

          39626935fdd9f2f038a3534d3c349d0fe65b26680ef0cfc4c643344a69206fbb

          SHA512

          50b441fe97ea31c9cfcbf2a886d416b28e3105d7ec63da70ac1c82ff7fb6b8e7aeb466270356a1183fead663f864e3748161f65da3cc27704e758e6d0f7b2b82

          Download Submit

        • C:\Windows\SysWOW64\4K51K4.exe
          Filesize

          323KB

          MD5

          2fe45e2bb624368ce351c4969e26b8f3

          SHA1

          cf43f5edf270d78878b28d93c5e70c291d3b3cb5

          SHA256

          39626935fdd9f2f038a3534d3c349d0fe65b26680ef0cfc4c643344a69206fbb

          SHA512

          50b441fe97ea31c9cfcbf2a886d416b28e3105d7ec63da70ac1c82ff7fb6b8e7aeb466270356a1183fead663f864e3748161f65da3cc27704e758e6d0f7b2b82

          Download Submit

        • C:\Windows\SysWOW64\4K51K4.exe
          Filesize

          323KB

          MD5

          2fe45e2bb624368ce351c4969e26b8f3

          SHA1

          cf43f5edf270d78878b28d93c5e70c291d3b3cb5

          SHA256

          39626935fdd9f2f038a3534d3c349d0fe65b26680ef0cfc4c643344a69206fbb

          SHA512

          50b441fe97ea31c9cfcbf2a886d416b28e3105d7ec63da70ac1c82ff7fb6b8e7aeb466270356a1183fead663f864e3748161f65da3cc27704e758e6d0f7b2b82

          Download Submit

        • C:\Windows\SysWOW64\4K51K4.exe.tmp
          Filesize

          323KB

          MD5

          28de18d0516834e0f8c361ff095b95c5

          SHA1

          747edd8456161128d161ed1ac00d19804ba617c3

          SHA256

          9cda2c5f9a6ed0c9e59d8b42723bc40a761c10241b85770eb08e1b32c4e6f98e

          SHA512

          9a6a7dadb7ebd027b3f10b5933e76bcbc32ae844125dd445ca0a8d8e5a9b7f400fc0920f707d8bec6bc66386f18af426f662651a236020aa0e1c028d97442264

          Download Submit

        • C:\Windows\SysWOW64\4K51K4.exe.tmp
          Filesize

          323KB

          MD5

          e305d16d7afad665e1f0982696c6b616

          SHA1

          55ea8a843c1510b050478cdfe1314c5a00b43260

          SHA256

          599e2a810f315ef7af0a594f8330b2decbc82bd991299798688c6412e729ba6c

          SHA512

          fab8e6eb384174e205ee1145716f0457f7cb2e7f8d3d03c4985ff0a9c6a4a9e1b9ac8ace83976b024f46fab2e006c67fd2f5789e6c4cdbbd3d10eb005ee9f980

          Download Submit

        • C:\Windows\SysWOW64\4K51K4.exe.tmp
          Filesize

          323KB

          MD5

          c6f1121e5570290ca8d401ccf23b05c6

          SHA1

          e33ec764c5eb9b06b3b782fbb0f3598dad9a6552

          SHA256

          4f2dc0a6c4048ace0d3932e0120c5408e3c6657e5b5c32ef5ae4cd0fc2720e4f

          SHA512

          e3c24b5a8662b9b907206e58795d21af2d9d3fe54b81b1259bd923fbffa18ffbbdacd5f75d6700befc835a6f39b803ffcb227447bc37e3463aedc1c857a73885

          Download Submit

        • C:\Windows\SysWOW64\Folder.ico
          Filesize

          7KB

          MD5

          d7f9d9553c172cba8825fa161e8e9851

          SHA1

          e45bdc6609d9d719e1cefa846f17d3d66332a3a0

          SHA256

          cd2e513851d519098acef16d191188ac2586d2174dfd1a84f4db7f41a6970086

          SHA512

          a03a806d9db86c0c4f6f8efc4b40008aa51f1625fc1c703a929bfa57a5caf962119b3c76044775af607d4ee1a8a671e1d0a2be66d19ee551717398f9ddc8ad24

          Download Submit

        • C:\Windows\SysWOW64\GoldenGhost.exe
          Filesize

          323KB

          MD5

          f8b933b1fcbf0fb25d8550a9648e3219

          SHA1

          4c3ecb5414e6647535332f681bd0d6778ccd315d

          SHA256

          eac695add4a45667aacb101f6ac10d60d2dad21291a0673974fd526aa28f6454

          SHA512

          2b7e0323c92420712d80e03fc6783d83e5f5efc15dc79716c972ecdb616cf4e3719102b0dd38a696ae1c9bf3aa0332357bce7b42d243744c4f33317fb3e34657

          Download Submit

        • C:\Windows\SysWOW64\GoldenGhost.exe
          Filesize

          323KB

          MD5

          c39f4f57b45b166a9658dcd1de02442d

          SHA1

          b3edc09209d992973e43d7a0efaf3221fbe98a68

          SHA256

          7cf89df579733bbf3ea9935c8ddf78954b114fc8f94549a902c68a9a2b401f59

          SHA512

          9eb86c156e84f2f57541c26b75b81df7a8feaf28983f485cdda3a4c16231e9b08d86716369cb5c9638267ec587058a111962807a94b3cf20c254f8f6cb6a5ac0

          Download Submit

        • C:\Windows\SysWOW64\GoldenGhost.exe
          Filesize

          323KB

          MD5

          c39f4f57b45b166a9658dcd1de02442d

          SHA1

          b3edc09209d992973e43d7a0efaf3221fbe98a68

          SHA256

          7cf89df579733bbf3ea9935c8ddf78954b114fc8f94549a902c68a9a2b401f59

          SHA512

          9eb86c156e84f2f57541c26b75b81df7a8feaf28983f485cdda3a4c16231e9b08d86716369cb5c9638267ec587058a111962807a94b3cf20c254f8f6cb6a5ac0

          Download Submit

        • C:\Windows\SysWOW64\GoldenGhost.exe
          Filesize

          323KB

          MD5

          c39f4f57b45b166a9658dcd1de02442d

          SHA1

          b3edc09209d992973e43d7a0efaf3221fbe98a68

          SHA256

          7cf89df579733bbf3ea9935c8ddf78954b114fc8f94549a902c68a9a2b401f59

          SHA512

          9eb86c156e84f2f57541c26b75b81df7a8feaf28983f485cdda3a4c16231e9b08d86716369cb5c9638267ec587058a111962807a94b3cf20c254f8f6cb6a5ac0

          Download Submit

        • C:\Windows\SysWOW64\GoldenGhost.exe
          Filesize

          323KB

          MD5

          c90042e7f31c8a268a331c3f717c3b90

          SHA1

          707ccf07367221acebee88fc670cf39eb6c0038f

          SHA256

          8cd0e68f3536147e63202ede9f4bcd5ccb07eecf719fd6d68adcd377a2bf45e6

          SHA512

          87dfe51a70c39f9ef8aabf657ab0b04354d2d513083c8f6211c12cd9d90c055c697fd254958b2058b574aa1d6596d2d4bd60cddc4a3b5fb2fcd6398b07e4890a

          Download Submit

        • C:\Windows\SysWOW64\GoldenGhost.exe.tmp
          Filesize

          323KB

          MD5

          46d58c288f5759b0e92639f20559cc80

          SHA1

          8983289287fa48b59edeaeeaca12b97191a04084

          SHA256

          ba6ed688b92ce47fd81a90259c60c96dadd4affb0eab2a60a88d1d47d1194d55

          SHA512

          ea13ee6ed35397e9d09104a6221ddcb711294f7932ddf048f121ed970a719351d7b1069179e7cd56d455d562745731d166175d0e8553d56e5d156cf2da66d916

          Download Submit

        • C:\Windows\SysWOW64\GoldenGhost.exe.tmp
          Filesize

          323KB

          MD5

          fde101cdd7bc4a9901f0679e2df246d8

          SHA1

          c0dbaba660e70f6b633d52a9c1bf019d3fd8b90c

          SHA256

          260545747a9292a3c750d7f47f09ca862f0f150e8c41c1a43514455b61b4455a

          SHA512

          d62b392233b2fdf16820a38580d8d27518b3d912ec3a883da81dee090f1e48d73f11f3276262175d715ad1081182256e6d00a3a8f7abb55f31c4351ba687af2a

          Download Submit

        • C:\Windows\SysWOW64\GoldenGhost.exe.tmp
          Filesize

          323KB

          MD5

          9eb50cdb838a7a3b1f6b42d1a35abe7c

          SHA1

          dba5a4023fdd29093dd6e9a0ecf10f25a9093727

          SHA256

          a95f565ba1ba60357a6b9a35930764b2b31581669d6c33d697c550db7af7c672

          SHA512

          5f2f0157454b2dd803163d5d6fd90ed4f9b0dc92df019df14b48d257a14c3ba6abed0deec1a0c4495636108f8ad63735f7b276f5948263b5eadfc0aed502a616

          Download Submit

        • C:\Windows\SysWOW64\K0L4B0R451.exe
          Filesize

          323KB

          MD5

          800af4059c83abd04b5d0e9e8c500712

          SHA1

          1dc9a896ba622ab8e94d38621a95edee2ba665f3

          SHA256

          638ca68309096f91d3e127dde08805934d1ecb6bce0adedeb4a52cfd5b8e8795

          SHA512

          327393d586f804bb5aa85dd7f8167d485d39c9123be93225c6a6d87cc58be8ae5df0ad0c4a8b0d90aae90852d0e46837b55dbff2dcab4b6f0ed17b934fa5c525

          Download Submit

        • C:\Windows\SysWOW64\K0L4B0R451.exe
          Filesize

          323KB

          MD5

          b00d3e4c516ffe5b38294fa6155f9ed1

          SHA1

          593e8bf38e9e4e4c4133bdb34711f0b931da0d07

          SHA256

          6ecd33d0d96936cdae90943df8b56293a9fb0461a505fb7c98952bf58a38ca79

          SHA512

          97855979576792b5a24ab976f8c292ff196ea190582935dcc8bec2154550c3f39460d636d1dce82d0545930049a0b52355bef7b69196a94e7f795f5bb6117152

          Download Submit

        • C:\Windows\SysWOW64\K0L4B0R451.exe
          Filesize

          323KB

          MD5

          b00d3e4c516ffe5b38294fa6155f9ed1

          SHA1

          593e8bf38e9e4e4c4133bdb34711f0b931da0d07

          SHA256

          6ecd33d0d96936cdae90943df8b56293a9fb0461a505fb7c98952bf58a38ca79

          SHA512

          97855979576792b5a24ab976f8c292ff196ea190582935dcc8bec2154550c3f39460d636d1dce82d0545930049a0b52355bef7b69196a94e7f795f5bb6117152

          Download Submit

        • C:\Windows\SysWOW64\K0L4B0R451.exe
          Filesize

          323KB

          MD5

          b00d3e4c516ffe5b38294fa6155f9ed1

          SHA1

          593e8bf38e9e4e4c4133bdb34711f0b931da0d07

          SHA256

          6ecd33d0d96936cdae90943df8b56293a9fb0461a505fb7c98952bf58a38ca79

          SHA512

          97855979576792b5a24ab976f8c292ff196ea190582935dcc8bec2154550c3f39460d636d1dce82d0545930049a0b52355bef7b69196a94e7f795f5bb6117152

          Download Submit

        • C:\Windows\SysWOW64\K0L4B0R451.exe.tmp
          Filesize

          323KB

          MD5

          106db36c2e1b0436813a9d8b4cc6b941

          SHA1

          9d3a4ddd198fdff47619ef858694d1e7ae882530

          SHA256

          f7f29520e637ce81bc4f485c26d0e22e7f9768400e7a74410e29f88d95a88511

          SHA512

          e6196ef2774b3762b008b08d52253b91c65621a600290755c22a873418bd212946040d2aa61ddebcbb68b68481e2fedc4eae9bc27bb5d2d10543e40a48cff109

          Download Submit

        • C:\Windows\SysWOW64\K0L4B0R451.exe.tmp
          Filesize

          323KB

          MD5

          b00d3e4c516ffe5b38294fa6155f9ed1

          SHA1

          593e8bf38e9e4e4c4133bdb34711f0b931da0d07

          SHA256

          6ecd33d0d96936cdae90943df8b56293a9fb0461a505fb7c98952bf58a38ca79

          SHA512

          97855979576792b5a24ab976f8c292ff196ea190582935dcc8bec2154550c3f39460d636d1dce82d0545930049a0b52355bef7b69196a94e7f795f5bb6117152

          Download Submit

        • C:\Windows\SysWOW64\K0L4B0R451.exe.tmp
          Filesize

          323KB

          MD5

          800af4059c83abd04b5d0e9e8c500712

          SHA1

          1dc9a896ba622ab8e94d38621a95edee2ba665f3

          SHA256

          638ca68309096f91d3e127dde08805934d1ecb6bce0adedeb4a52cfd5b8e8795

          SHA512

          327393d586f804bb5aa85dd7f8167d485d39c9123be93225c6a6d87cc58be8ae5df0ad0c4a8b0d90aae90852d0e46837b55dbff2dcab4b6f0ed17b934fa5c525

          Download Submit

        • C:\Windows\SysWOW64\Kantuk.exe
          Filesize

          323KB

          MD5

          f8b933b1fcbf0fb25d8550a9648e3219

          SHA1

          4c3ecb5414e6647535332f681bd0d6778ccd315d

          SHA256

          eac695add4a45667aacb101f6ac10d60d2dad21291a0673974fd526aa28f6454

          SHA512

          2b7e0323c92420712d80e03fc6783d83e5f5efc15dc79716c972ecdb616cf4e3719102b0dd38a696ae1c9bf3aa0332357bce7b42d243744c4f33317fb3e34657

          Download Submit

        • C:\Windows\SysWOW64\Kantuk.exe
          Filesize

          323KB

          MD5

          c8230db760516fb3db01e7ce117a88ce

          SHA1

          81e77503444c50bb2f03bf49107c4baa39acd470

          SHA256

          7e0b00fb0abda96b54d248b5758ee9880a7fa39f8c1a27377d5cbed8220ec519

          SHA512

          68699c844dc7a828617332194f6a9eb88b07cd5ac6d39f72e3c1ae2d146561ea237b1c016bfe61fa8bc5d9842da2abe0c5161ec7c153c544bc030c2ae6010249

          Download Submit

        • C:\Windows\SysWOW64\Kantuk.exe
          Filesize

          323KB

          MD5

          c8230db760516fb3db01e7ce117a88ce

          SHA1

          81e77503444c50bb2f03bf49107c4baa39acd470

          SHA256

          7e0b00fb0abda96b54d248b5758ee9880a7fa39f8c1a27377d5cbed8220ec519

          SHA512

          68699c844dc7a828617332194f6a9eb88b07cd5ac6d39f72e3c1ae2d146561ea237b1c016bfe61fa8bc5d9842da2abe0c5161ec7c153c544bc030c2ae6010249

          Download Submit

        • C:\Windows\SysWOW64\Kantuk.exe
          Filesize

          323KB

          MD5

          c8230db760516fb3db01e7ce117a88ce

          SHA1

          81e77503444c50bb2f03bf49107c4baa39acd470

          SHA256

          7e0b00fb0abda96b54d248b5758ee9880a7fa39f8c1a27377d5cbed8220ec519

          SHA512

          68699c844dc7a828617332194f6a9eb88b07cd5ac6d39f72e3c1ae2d146561ea237b1c016bfe61fa8bc5d9842da2abe0c5161ec7c153c544bc030c2ae6010249

          Download Submit

        • C:\Windows\SysWOW64\Kantuk.exe.tmp
          Filesize

          323KB

          MD5

          96770f97d9e7ab77bbca0a6b98a64504

          SHA1

          aaa0de6fc8c611c40e39757d1b3ff9bd3bceb336

          SHA256

          db83a5da649435c91c0a72d079b9f2c1eb922144ba750468d79a5d722d7e9207

          SHA512

          17330233509854843bb78aa14d9dc928ec68fbcba2f3571ed0c7a99dff6a32e9ea3907d869dec23936c887cd018692e2a749dffa8848a945ad9a18e0c3d2bf07

          Download Submit

        • C:\Windows\SysWOW64\Kantuk.exe.tmp
          Filesize

          323KB

          MD5

          c8230db760516fb3db01e7ce117a88ce

          SHA1

          81e77503444c50bb2f03bf49107c4baa39acd470

          SHA256

          7e0b00fb0abda96b54d248b5758ee9880a7fa39f8c1a27377d5cbed8220ec519

          SHA512

          68699c844dc7a828617332194f6a9eb88b07cd5ac6d39f72e3c1ae2d146561ea237b1c016bfe61fa8bc5d9842da2abe0c5161ec7c153c544bc030c2ae6010249

          Download Submit

        • C:\Windows\SysWOW64\Player.ico
          Filesize

          2KB

          MD5

          43be35d4fb3ebc6ca0970f05365440e3

          SHA1

          87bc28e5d9a6ab0c79a07118ca578726ce61b1bc

          SHA256

          5a15c1aab77f132e7ce5928996919ed66564c6082a7f94d0a42229c480113fc5

          SHA512

          b2e24ff3702805d2ff8ecf3ddde8a8e6258965f992f37104c2ed9b763e1448ab32c7609a607e1d90cfba281e7add1e839855656d6453433a42c0d6c8923c9395

          Download Submit

        • C:\Windows\SysWOW64\Shell32.com
          Filesize

          323KB

          MD5

          f8b933b1fcbf0fb25d8550a9648e3219

          SHA1

          4c3ecb5414e6647535332f681bd0d6778ccd315d

          SHA256

          eac695add4a45667aacb101f6ac10d60d2dad21291a0673974fd526aa28f6454

          SHA512

          2b7e0323c92420712d80e03fc6783d83e5f5efc15dc79716c972ecdb616cf4e3719102b0dd38a696ae1c9bf3aa0332357bce7b42d243744c4f33317fb3e34657

          Download Submit

        • C:\Windows\SysWOW64\Shell32.com.tmp
          Filesize

          323KB

          MD5

          ac8547068a4d88f961622a7ac385592b

          SHA1

          c60bdfbfa11cdba9030600cdbb5ba79b27fe3b9a

          SHA256

          e27b44e131fc550c3697d67b0f9cf215130f3ed26b640d5ea93f38c1061d2073

          SHA512

          320d2ec92c39829f73d9c0449299c221048b285d50e3d1dcbaaf93636af3ab997b59bfa49fc83004f65bf182b7b8b8edbec51defc9e77fdd8e15a9168780c6a5

          Download Submit

        • C:\Windows\SysWOW64\Shell32.com.tmp
          Filesize

          323KB

          MD5

          fe46b8c5ba4d5514f83196f517a77ee9

          SHA1

          e319ec11257d6e04a1a765f656eb7ddbc0864b8e

          SHA256

          7af6a416e70cbf5acfa14ae7c177a4c66057b76191af2b981172947fef82a025

          SHA512

          81224ac92571aebaa01cb9576b4038ec19c665bf73818ac9368d8770ac05d9661ab6c2f3ef5b2e2d36ef4c59a8d58fc55cce71ecb79b33150973e180e836db6a

          Download Submit

        • C:\Windows\SysWOW64\Shell32.com.tmp
          Filesize

          323KB

          MD5

          68dfac834eef62afc45d383b4cfb7262

          SHA1

          7d50db3c3e44d41bd2de488aa2886ea7a69e9920

          SHA256

          0631120254d184e5041fb4adfce54d54140478eba28808c6df0514cc8a7523fa

          SHA512

          5b32c63553ef66d4439da3354487a31a595db09d3b4de452db17400b44b0278d31b61fde2d81f1e906f5daf6d0f70a8d990eece4716c694e70e3b769d977f9f4

          Download Submit

        • C:\Windows\SysWOW64\Word.ico
          Filesize

          3KB

          MD5

          8482935ff2fab6025b44b5a23c750480

          SHA1

          d770c46d210c0fd302fa035a6054f5ac19f3bd13

          SHA256

          dcbcdce04483e9d2d8a5d7779b18b7f64cfc06e758b07f671493e38dfb9ab33c

          SHA512

          00c711d815815a88fc15f73c8cba6a81b2bfc505baff2cc67b456545151fe896029f11127e447c9bbc5a2d5dc561a06a52be9a9f9c0d28e98ea4e174cdd54398

          Download Submit

        • C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\JPG.ico
          Filesize

          2KB

          MD5

          62b7610403ea3ac4776df9eb93bf4ba4

          SHA1

          b4a6cd17516f8fba679f15eda654928dc44dc502

          SHA256

          b0fd7ffb4c8f0e4566658a7284ca0652961648aaab44a53c5b9713664b122c29

          SHA512

          fa1995a21ffe073a15fa00a3a8717492b0a67f3615abe4c7e6bce054bb23cf545e10e21cfe3625b665c8bb199577815dbeccc7c6107cdb49f673b8d53f23888d

          Download Submit

        • C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
          Filesize

          323KB

          MD5

          f8b933b1fcbf0fb25d8550a9648e3219

          SHA1

          4c3ecb5414e6647535332f681bd0d6778ccd315d

          SHA256

          eac695add4a45667aacb101f6ac10d60d2dad21291a0673974fd526aa28f6454

          SHA512

          2b7e0323c92420712d80e03fc6783d83e5f5efc15dc79716c972ecdb616cf4e3719102b0dd38a696ae1c9bf3aa0332357bce7b42d243744c4f33317fb3e34657

          Download Submit

        • C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
          Filesize

          323KB

          MD5

          f8b933b1fcbf0fb25d8550a9648e3219

          SHA1

          4c3ecb5414e6647535332f681bd0d6778ccd315d

          SHA256

          eac695add4a45667aacb101f6ac10d60d2dad21291a0673974fd526aa28f6454

          SHA512

          2b7e0323c92420712d80e03fc6783d83e5f5efc15dc79716c972ecdb616cf4e3719102b0dd38a696ae1c9bf3aa0332357bce7b42d243744c4f33317fb3e34657

          Download Submit

        • C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
          Filesize

          323KB

          MD5

          f8b933b1fcbf0fb25d8550a9648e3219

          SHA1

          4c3ecb5414e6647535332f681bd0d6778ccd315d

          SHA256

          eac695add4a45667aacb101f6ac10d60d2dad21291a0673974fd526aa28f6454

          SHA512

          2b7e0323c92420712d80e03fc6783d83e5f5efc15dc79716c972ecdb616cf4e3719102b0dd38a696ae1c9bf3aa0332357bce7b42d243744c4f33317fb3e34657

          Download Submit

        • C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe.tmp
          Filesize

          323KB

          MD5

          23b4e1823e7a68b5eacf19badc4a29b7

          SHA1

          df3700bc6e2902c0bca4cc59c81ef17dcb6343ea

          SHA256

          57d57a08e21d8246b8f58bed49a234a2bab5235176a5a85ec8ae5379860fe62a

          SHA512

          6a32f51dc3ad7bee5b4c178661855d79fa874b7de6eda47f396f6541ba0f859e18fe194d58b7686fb1ae7b68cff4f7ff66e462007d87351abd6609861ac45d1d

          Download Submit

        • C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe.tmp
          Filesize

          323KB

          MD5

          f8b933b1fcbf0fb25d8550a9648e3219

          SHA1

          4c3ecb5414e6647535332f681bd0d6778ccd315d

          SHA256

          eac695add4a45667aacb101f6ac10d60d2dad21291a0673974fd526aa28f6454

          SHA512

          2b7e0323c92420712d80e03fc6783d83e5f5efc15dc79716c972ecdb616cf4e3719102b0dd38a696ae1c9bf3aa0332357bce7b42d243744c4f33317fb3e34657

          Download Submit

        • memory/1832-207-0x0000000000400000-0x0000000000451000-memory.dmp

          Filesize

          324KB

          Download

        • memory/3512-0-0x0000000000400000-0x0000000000451000-memory.dmp

          Filesize

          324KB

          Download

        • memory/3584-280-0x0000000000400000-0x0000000000451000-memory.dmp

          Filesize

          324KB

          Download

        • memory/4140-331-0x0000000000400000-0x0000000000451000-memory.dmp

          Filesize

          324KB

          Download

        • memory/4212-353-0x0000000000400000-0x0000000000451000-memory.dmp

          Filesize

          324KB

          Download

        • memory/4740-341-0x0000000000400000-0x0000000000451000-memory.dmp

          Filesize

          324KB

          Download