Analysis

  • max time kernel
    68s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-09-2024 06:54

General

  • Target

    eacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe

  • Size

    323KB

  • MD5

    eacc501779cdc2fda21e317648e08d0f

  • SHA1

    d71ca3f7056b48cfa2492861f233e1f3bd507501

  • SHA256

    16f7966200b4ba1364535b144ac53144f4f0e6cba24529a234b6c22f65fbc485

  • SHA512

    b221044d1e68270b671e6844d7693a3e18af494d9cd6517c5c22dfbf78fb839a6a16b054bdf158b50e36a833cd05c125a270f0aaf970b98dd0e2b151d0e5748b

  • SSDEEP

    6144:OBxeN/Tdx8YzL+4eBDgelLBL9C53TV5n+yNXavM:OBxe9dx8Yz6nhtL9C53TV5n+4av

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • UAC bypass 3 TTPs 6 IoCs
  • Disables RegEdit via registry modification 12 IoCs
  • Disables Task Manager via registry modification
  • Disables cmd.exe use via registry modification 12 IoCs
  • Disables use of System Restore points 1 TTPs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 20 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Enumerates connected drives 3 TTPs 44 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 47 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 45 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 4 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs
  • System policy modification 1 TTPs 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • UAC bypass
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Event Triggered Execution: Image File Execution Options Injection
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1392
    • C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
      C:\Windows\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1428
      • C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        C:\Windows\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1328
      • C:\Windows\SysWOW64\Kantuk.exe
        C:\Windows\system32\Kantuk.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Enumerates connected drives
        • Drops autorun.inf file
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:1564
      • C:\Windows\SysWOW64\4K51K4.exe
        C:\Windows\system32\4K51K4.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:908
      • C:\Windows\SysWOW64\K0L4B0R451.exe
        C:\Windows\system32\K0L4B0R451.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:1948
      • C:\Windows\SysWOW64\GoldenGhost.exe
        C:\Windows\system32\GoldenGhost.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:1032
    • C:\Windows\SysWOW64\Kantuk.exe
      C:\Windows\system32\Kantuk.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2420
    • C:\Windows\SysWOW64\4K51K4.exe
      C:\Windows\system32\4K51K4.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2840
    • C:\Windows\SysWOW64\K0L4B0R451.exe
      C:\Windows\system32\K0L4B0R451.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1612
    • C:\Windows\SysWOW64\GoldenGhost.exe
      C:\Windows\system32\GoldenGhost.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2140

Network

MITRE ATT&CK Enterprise v15

Downloads
