Overview

overview

10

Static

static

3

eacc501779...18.exe

windows7-x64

10

eacc501779...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    76s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-09-2024 06:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe

  • Size

    323KB

  • MD5

    eacc501779cdc2fda21e317648e08d0f

  • SHA1

    d71ca3f7056b48cfa2492861f233e1f3bd507501

  • SHA256

    16f7966200b4ba1364535b144ac53144f4f0e6cba24529a234b6c22f65fbc485

  • SHA512

    b221044d1e68270b671e6844d7693a3e18af494d9cd6517c5c22dfbf78fb839a6a16b054bdf158b50e36a833cd05c125a270f0aaf970b98dd0e2b151d0e5748b

  • SSDEEP

    6144:OBxeN/Tdx8YzL+4eBDgelLBL9C53TV5n+yNXavM:OBxe9dx8Yz6nhtL9C53TV5n+4av

Score
10/10
discoveryevasionpersistenceransomwaretrojan

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
    evasion
  • UAC bypass 3 TTPs 6 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 12 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Disables cmd.exe use via registry modification 12 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
    persistence
  • Executes dropped EXE 10 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 44 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 47 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Control Panel 45 IoCs
    evasion
  • Modifies registry class 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 4 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • System policy modification 1 TTPs 48 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\eacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eacc501779cdc2fda21e317648e08d0f_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • UAC bypass
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Event Triggered Execution: Image File Execution Options Injection
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3348
    • C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
      C:\Windows\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4224
      • C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        C:\Windows\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3916
      • C:\Windows\SysWOW64\Kantuk.exe
        C:\Windows\system32\Kantuk.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Enumerates connected drives
        • Drops autorun.inf file
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:548
      • C:\Windows\SysWOW64\4K51K4.exe
        C:\Windows\system32\4K51K4.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:3628
      • C:\Windows\SysWOW64\K0L4B0R451.exe
        C:\Windows\system32\K0L4B0R451.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:4564
      • C:\Windows\SysWOW64\GoldenGhost.exe
        C:\Windows\system32\GoldenGhost.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:4780
    • C:\Windows\SysWOW64\Kantuk.exe
      C:\Windows\system32\Kantuk.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:800
    • C:\Windows\SysWOW64\4K51K4.exe
      C:\Windows\system32\4K51K4.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:928
    • C:\Windows\SysWOW64\K0L4B0R451.exe
      C:\Windows\system32\K0L4B0R451.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1396
    • C:\Windows\SysWOW64\GoldenGhost.exe
      C:\Windows\system32\GoldenGhost.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

2
T1546

Change Default File Association

1
T1546.001

Image File Execution Options Injection

1
T1546.012

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

2
T1546

Change Default File Association

1
T1546.001

Image File Execution Options Injection

1
T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

7
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

1
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Command and Control

Exfiltration

Impact

Defacement

1
T1491

Inhibit System Recovery

1
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Aut0exec.bat.tmp
    Filesize

    323KB

    MD5

    6c6f4b5041801599c2ca26b5fe18cba0

    SHA1

    3b43e24fa818795f6336efa50c6b4401c22a934d

    SHA256

    5ef642ad733f61dc46e1079623b0488e6572d3e29b0ee9411d00bfdb233e2d66

    SHA512

    04a01837d5d446d1c0dd5728c0b0cc870cb5f00d5de3dda84bba9dca7df72e62434d807c63bbc6bec2190f2c766513f71041c58ab2de1f696ad178491e09bf17

    Download Submit

  • C:\Aut0exec.bat.tmp
    Filesize

    323KB

    MD5

    6a36d47fc7a23679cae0c478341bdd52

    SHA1

    4c1c5047f777e474abff65d842dc8bf1958c3e67

    SHA256

    b1bcc175fae539f436a4539631faa1bd2dd7adf8746529047f788ded6eca3cca

    SHA512

    c193793fa08566c5e4b44e64559e0c1a8b77bec3e9f6553b83aa3ea4342ffb590d699e83e87b174ce8798d12ab96b21ba3c01d22bb4e13b1246fa7594a6fa626

    Download Submit

  • C:\Aut0exec.bat.tmp
    Filesize

    323KB

    MD5

    ba49b84305e24393e7d3605fb49ffece

    SHA1

    9385d459f0238cf47653d40a64d49dd59b0eac72

    SHA256

    9508dc3e71210fe63e652e76b892fabad9f7b666d6492e0cbbaed7c1e297dce5

    SHA512

    0acff9daa1ce1e804b0d80cfc390cc352c5dea28344704708a744ba4400ac4179310b47ae42faba7a512af2e800aab25c19e2a3b06f5cf7287748ef3f62c70bc

    Download Submit

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Empty.pif
    Filesize

    323KB

    MD5

    12477a2c2b5198aa8a2f1848d6f4a45e

    SHA1

    764d44b39b2fded40925411c75e1e7dfa5ba2959

    SHA256

    34250bc554d21e7c2a10265ee5aa3d5b357245eb470c16711790f997792d685c

    SHA512

    412ad24034d394f515332ec10f8fe81b4a15a8c2d733aba3885d2f1ede810e1c8c144af1c97e38949fe2da53b752fccf73a387c884866b5d13a84ba7ea731226

    Download Submit

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Empty.pif
    Filesize

    323KB

    MD5

    5c0f69a5adac232f4a38d5d2f3e56844

    SHA1

    ad584e726556fe6a6d2b414fe1512ac81ac627a9

    SHA256

    bf520dbc2bdf02399fa466db72f2a64f6c6e9d3bfc6eda85fbd2c38d9e54b90b

    SHA512

    3d99d04db377ee58cc422812a69310572b1dde6fdf87e522b5dc6c33370418ec897598aa6515cdd6606ec52eafae1c248d0416ee558b09a24a8b068d5f0a8549

    Download Submit

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Empty.pif
    Filesize

    323KB

    MD5

    0b26b4b61ed5eab2751ef59b4b139e48

    SHA1

    9d3e97b988f35e778c7cd79ae3c419e5ebb763a1

    SHA256

    9071db4d5aa88880a067fc3450355c611a81c1997cbd81eca86ece8a831faacf

    SHA512

    83dde3acbf92ad0634d4166d338fedb4bffc199e0bf635857b0569fcb48be3b4b7aab0d11e0dae938b86067e3e32d117e19b5a8e9f5c99f34ba11884d7a4f467

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Windows_3D.scr.tmp
    Filesize

    323KB

    MD5

    b707efdad1c2af7f0d57cd61b065654e

    SHA1

    981a89b351f6cb60f88c38e59b94316104f446fd

    SHA256

    0ace7487c0e587802a43ccd8bcbb7889371cd278a835347a0c314c487496a88d

    SHA512

    c56d8f55b8fd3a6b2f506b465988ca79c1dd1ecfc09b413bfc8909ee385218d22021269a0ebcf47d6cc3fd87786429f120f612a2089f8afbb64444eb2453cf82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Windows_3D.scr.tmp
    Filesize

    323KB

    MD5

    0f10b7276f7e1fc0afc733e901bb8bbb

    SHA1

    d16e9c42a4fa5b50635177700d2f8eeff71c7400

    SHA256

    607f5e6179d3b5cc7142c5ce8ca59ffae6ec9ad8a22b2aaadc116b14aad4e138

    SHA512

    41aad45fc62e57705f1d35538e8a6f0feb4470d70617e8df2bb31209876de8f11bf68da0b9315468deff3ea861c71e76f6ddcc47136bc2daace6faf44983400d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Windows_3D.scr.tmp
    Filesize

    323KB

    MD5

    81e8df452781e21be16e78ef9f2dfd1a

    SHA1

    d11d1c2889b0454b656fda37fb9761dd68cfceae

    SHA256

    d2612be1e6b0537406fe8ffe831a554760377797b4d8a8f8ba3767350cea191c

    SHA512

    8659262ef1ce08129b63610e36f0c057e4b7e06f874c329ec07923ad2068ffbcd0a44e5b23f3180173656ae573bf5a66503147d6316e9d03f7d3d5d87ec2f8f6

    Download Submit

  • C:\Windows\SysWOW64\4K51K4.exe
    Filesize

    323KB

    MD5

    ecc82168b6a598179576373015edaab0

    SHA1

    cf5eae93bb33fe5c6f14426d61f6567204fc0e59

    SHA256

    a47655a8b914a3776855f0374677b374f6f152e20456a43a106e4435084c01ee

    SHA512

    11cc1f03938b4b5a969564e1cda06a6b106259bc01df007939bf25a076036c41b7de2a5ac371ccb0d3036b6adb7e4368eb3510e6457c89a41f4accb6d98dda08

    Download Submit

  • C:\Windows\SysWOW64\4K51K4.exe
    Filesize

    323KB

    MD5

    b6b436e98eaf1142be4150d4b00c65c9

    SHA1

    22316370dc71c0781fe066b3065d77b890f38503

    SHA256

    96247e0e27ce8c7536dff43e3fa892f7ba495c535dccf2caacd1282563c21d81

    SHA512

    d34ea094f2f8d4f5a88fc04713867fdb71ace494175eb95a462e895e5318c003de6531ee4574bb8fecb7060f53bb88059ae96633614349eef25f8fe091a5c680

    Download Submit

  • C:\Windows\SysWOW64\4K51K4.exe.tmp
    Filesize

    323KB

    MD5

    720d963f1672076ef1100b7b3965b5f0

    SHA1

    c1754a4ad08f5a0ef82f227ffc0c3f020d348409

    SHA256

    892dcd0bde114d7272f89ad72ac5809fa41b665201881a3f05ac2ecf49874111

    SHA512

    cbbb14fba34f2a9d8b91707f7a94f399a911824e8d2b46699baa4f4d67759e16de07b90cf6bda376ae19da86d8160c1003d5bd967b520db4c9bb8a4fd6ea3726

    Download Submit

  • C:\Windows\SysWOW64\4K51K4.exe.tmp
    Filesize

    323KB

    MD5

    362fff4ef843d39f100f8d84e4921f97

    SHA1

    9b5b2a16eaf6a38da4d2ba702a5b4e21825ab86d

    SHA256

    9635060d2e19669191d0045fd63c31525c28e50341999d08d059bb4605ade0b4

    SHA512

    7fa2a6516bad1fe30c4d7bc932f696e0106e6a7362b2c6c0faed89435583e17b8b02a590053ab26766451dfb7e61fc66281931dcda273865d8c8aad9478620b2

    Download Submit

  • C:\Windows\SysWOW64\4K51K4.exe.tmp
    Filesize

    323KB

    MD5

    f32525c7624bb4e5c3c45faccc05b186

    SHA1

    ef0df48f2007b8a9df43804c74d9a81a3b62db09

    SHA256

    e89dc2137753c1e3f8e0bc905ed715a14762d7697498eda95ee24bf904c86853

    SHA512

    6d4d30469d15f697516ae85b11b794e18668de6eacc8db8f5c8ba5e5ee8333e2c28a9a2e3d45642177b65eebb5b83ccdda3189593d331a33a45b577a05eeb0c2

    Download Submit

  • C:\Windows\SysWOW64\Folder.ico
    Filesize

    7KB

    MD5

    d7f9d9553c172cba8825fa161e8e9851

    SHA1

    e45bdc6609d9d719e1cefa846f17d3d66332a3a0

    SHA256

    cd2e513851d519098acef16d191188ac2586d2174dfd1a84f4db7f41a6970086

    SHA512

    a03a806d9db86c0c4f6f8efc4b40008aa51f1625fc1c703a929bfa57a5caf962119b3c76044775af607d4ee1a8a671e1d0a2be66d19ee551717398f9ddc8ad24

    Download Submit

  • C:\Windows\SysWOW64\GoldenGhost.exe
    Filesize

    323KB

    MD5

    fbfc939e54022eda796bb425c0f18b06

    SHA1

    d8c453c6887227fa54c0e0eefee6cc65bb2b4371

    SHA256

    8352259413fb03f1b43beb582f805e6970d43a88a6e028a9bdb52f0efdbcd84e

    SHA512

    f087f45b9628a8c39af67382693aa498c411a08befd05871972c0e129399b375c5fb3b63c71ccfa4e3d9bad9cb0c27e7d66e72df53056b15bee1c40e98e4b922

    Download Submit

  • C:\Windows\SysWOW64\GoldenGhost.exe
    Filesize

    323KB

    MD5

    534773ab70aed3aeb64a94482ea1a80a

    SHA1

    7bfc76e70d818822e31fc5d33c4b8436a48f8fcf

    SHA256

    654b5df3a9a93b997ea84defe221165ff035a57d8837055b578e1ddec98bd00f

    SHA512

    fc992c6e65ca122e26b0e22874684892486d6525c1887cc609340602c11b421db579ba6bebeecadb8a46c935bf26d9895c6d789ad1399464e04766f02d3391bf

    Download Submit

  • C:\Windows\SysWOW64\GoldenGhost.exe
    Filesize

    323KB

    MD5

    eacc501779cdc2fda21e317648e08d0f

    SHA1

    d71ca3f7056b48cfa2492861f233e1f3bd507501

    SHA256

    16f7966200b4ba1364535b144ac53144f4f0e6cba24529a234b6c22f65fbc485

    SHA512

    b221044d1e68270b671e6844d7693a3e18af494d9cd6517c5c22dfbf78fb839a6a16b054bdf158b50e36a833cd05c125a270f0aaf970b98dd0e2b151d0e5748b

    Download Submit

  • C:\Windows\SysWOW64\GoldenGhost.exe.tmp
    Filesize

    323KB

    MD5

    dc2e19942a7648838a600aac967ad18e

    SHA1

    a9f510f4573026b0006c1d147e04c8714927231e

    SHA256

    086836134ef0e51635132536e0ed8f27c465574622518e8d8b3b170d89a402d5

    SHA512

    4f6e6cc1f9dc5009ff97ac3d9dc5dc3012c48a526004a3e4217067eaf342b6034bd0cc0204f4588646e8be198d7e34e15de32eae49a3b571212a4bf6f9096604

    Download Submit

  • C:\Windows\SysWOW64\GoldenGhost.exe.tmp
    Filesize

    323KB

    MD5

    35e4b0cf3b584cf191f22c389ced1062

    SHA1

    9be535f568b1a73815eb4ed098203f72212b738b

    SHA256

    c6685a89a3cf0ce6515a990513dcbf854f0b3987b82e5f01e61e03b68029beed

    SHA512

    dafa735b811e5a1996bbf6d0fe21da667a507273d9e4dcd3ea9d2e6a0e85f92bc87753a37a93f59535a8b3a802a8f6fbe37ed080e3a9043c3c1b3ad185428daa

    Download Submit

  • C:\Windows\SysWOW64\GoldenGhost.exe.tmp
    Filesize

    323KB

    MD5

    b1cad08dfff3b093cb98397b3636b4c4

    SHA1

    042bbe0d4bac39c12e7c43e70acad34297e1ebdc

    SHA256

    369c548f750d818b33b729214f60980200bced6a7fb4bdcf1cb5a81c54452e30

    SHA512

    bb40d2b845302e7d457f5c31cb7830fe70643f8f99d68bbf1056955c2bcdb842a8d5cd064531fe61eb5fdbb93288eb942ef26b2c91e76a02e9f396ca8afe5644

    Download Submit

  • C:\Windows\SysWOW64\K0L4B0R451.exe.tmp
    Filesize

    323KB

    MD5

    dc5f59e19ec72eab1e55168d6193d43d

    SHA1

    a49d8233f12bf8786b1351b4d88e27582284b515

    SHA256

    84fc8761e3234979f83a33cf7f80b40354eab8ef3e053bf9e82c777a610a8717

    SHA512

    7e5bc5a6289451ebbce256a55fea830279542041e77aec66a59f73bb37afdf4456037d38a2555b90d9a15d4b1ca045bc5e77daa3d30711bde24fef8975a409c8

    Download Submit

  • C:\Windows\SysWOW64\K0L4B0R451.exe.tmp
    Filesize

    323KB

    MD5

    935fef05a4e825c49e34cb2290d9a90a

    SHA1

    18e7782eb95284d37a2ded6973924a8a52e2ecd1

    SHA256

    c27f798bc0fc27a870d1ad3f1b040a55f8c24544eff28bbed90c8810ca864f43

    SHA512

    24b528eccb32cf14548e59cb9f997b634ad808cdebb0db25b23f45ce99c622338dfdea68fe8163803c26b6738c54ae5361ebc5dc8e802c723fb72e5496f2688d

    Download Submit

  • C:\Windows\SysWOW64\K0L4B0R451.exe.tmp
    Filesize

    323KB

    MD5

    10430c651deda257eef8d6c4abedd376

    SHA1

    84fc413d717f7801be52bd3fbc0188e3a0c6024e

    SHA256

    b2933f95b69cfb007d328ebcfc824ea84a10f1b6bc0848918a75560cbe98f9d4

    SHA512

    4197607cfb9953be38e27b49eaccf412ca637836c1bde64c85a3f17cce18655341cc818e79a4c9ca2eadcb6f4c24c2384939d55a3b162b284d777256b9dabbe4

    Download Submit

  • C:\Windows\SysWOW64\Kantuk.exe
    Filesize

    323KB

    MD5

    3c009b5c863499650b05274d8a644ded

    SHA1

    169b1572798c02691f09e73fc30bc2ff404c96b3

    SHA256

    df6fac6ac4b070767316a6280eca4264b832f97632d7347efd0c5bf2ecb7695a

    SHA512

    b79750fbd1bd0f8059eef2ed4d72659e354b95d34e7037e0dc4e02933934ef10764ff66ad7ec4e18fc47fd17466c0a572f20c664d596cfab753c426d94fe09d1

    Download Submit

  • C:\Windows\SysWOW64\Kantuk.exe
    Filesize

    323KB

    MD5

    a6aeae4687eae0199f793dd68583bd2b

    SHA1

    eaf039ce80b581ed0e23b770e370c7c9b6656f05

    SHA256

    8dc3497957815b3411d47fb70b94eb8fd4a558cf0960c9d04098bfa0b6cf037b

    SHA512

    9d653520286b5e6e9b9a2b8caff6272e09be027a233f8e71d6326e6808688bf61c96d46fa2f2f49d13d472e927e82b6174be02e9377574ea97ad4826b8053438

    Download Submit

  • C:\Windows\SysWOW64\Kantuk.exe
    Filesize

    323KB

    MD5

    192e2ec84438f0ca077e0e51276cc400

    SHA1

    16cd94fd03fa8f76c1e21c19f30c0299c1a0c466

    SHA256

    8e783153ebc026fd9798afce575000d623c796048d3017274ad7bc67aaa46ab4

    SHA512

    45a66370b279e0b5446dfa35a69683b574f54d55d4d16d29d7a93a2590a275bd8b9fbf5d50d9ca81796479a64b2a8ba5b582bffb67509023d992aa47c6d2771f

    Download Submit

  • C:\Windows\SysWOW64\Kantuk.exe.tmp
    Filesize

    323KB

    MD5

    66aa4a8dd711b22c35d2706ac1fd7088

    SHA1

    75b62ee4691b9d84201c894ab04457cfcca99311

    SHA256

    020b6125cbea99d8d36607c45d6151a8fa29087d170ec4f81a2ec4da63ee1106

    SHA512

    9ad88a9e1c986427d64e03804db5c5ffdfd63db5651c5c4bca55cef9cf70cf571e53e64f26bdeee9dbaf3642be2f4d6bacfe824ebcaecf3ee2a8d77ece644c43

    Download Submit

  • C:\Windows\SysWOW64\Kantuk.exe.tmp
    Filesize

    323KB

    MD5

    0d6174197ad2e8c8453d13a1fa173cb6

    SHA1

    4e59d7bdb6db5f5d8ec500f67a8ebac69c22efa0

    SHA256

    b38003e099f9edd0d0a06b853d451e2bdab1d45cbe00e4b3ecd32af5b4dbe7e0

    SHA512

    4a9f870dbd0c13dad81a2be2fc6255efe3198ca80f2fccd1e11091bfdeea681c72e4b2a0e2ca47483d6d749ce6c853c8cb88a11ccdccf720385627f0d270224a

    Download Submit

  • C:\Windows\SysWOW64\Player.ico
    Filesize

    2KB

    MD5

    43be35d4fb3ebc6ca0970f05365440e3

    SHA1

    87bc28e5d9a6ab0c79a07118ca578726ce61b1bc

    SHA256

    5a15c1aab77f132e7ce5928996919ed66564c6082a7f94d0a42229c480113fc5

    SHA512

    b2e24ff3702805d2ff8ecf3ddde8a8e6258965f992f37104c2ed9b763e1448ab32c7609a607e1d90cfba281e7add1e839855656d6453433a42c0d6c8923c9395

    Download Submit

  • C:\Windows\SysWOW64\Shell32.com.tmp
    Filesize

    323KB

    MD5

    05b79427151cc8b2f595436320bf1aae

    SHA1

    3ce019cfa1b58ab0c745f57c32caaffea309e949

    SHA256

    956a7bbb0c7e2ab9a2713f1f039cc8c75b29e3ed3a750d356aacfda9d6275068

    SHA512

    c26b3c214b46c0b4b9ac594e111bb0f3802e25a63c18e3110693dc5cec70a290de3a040a890568b2698a658073c961d886601c314a7e721d5cd3b3fa8336df16

    Download Submit

  • C:\Windows\SysWOW64\Shell32.com.tmp
    Filesize

    323KB

    MD5

    1f25dd0327cf8b538de9d3d152a3f6f5

    SHA1

    7555e898d4032cda1b915df03e1d382ee353f806

    SHA256

    cdce6bc730802f4d3bfe2f69f1281b0dcedba2d57b41365fc27e272886da62b7

    SHA512

    a1c6cef9ed15e97a0f0ccb38e01731591ed4d7ba9de82fb13b254cd707f432915881ad6dfb3d2439af63716304b69e3da94d9f48102c4b034e395ab207cd875c

    Download Submit

  • C:\Windows\SysWOW64\Shell32.com.tmp
    Filesize

    323KB

    MD5

    c9e77c55c664567e0bbf17387119a6aa

    SHA1

    40a5c3a527ae80368d4259e7250a821ab3dca1ec

    SHA256

    55fa6d0b9c48204c835aaf6e1167d39c25a80fd66a322321a0db40da159047df

    SHA512

    acbd3a6cd9236af06f10839f228f875a03860d7e0b168c7b2f3fb9ae85629a2dab7878c2d0c44b21c5135f94cdd19443b74f0505052a4ddf1b9aeff6d55318ec

    Download Submit

  • C:\Windows\SysWOW64\Word.ico
    Filesize

    3KB

    MD5

    8482935ff2fab6025b44b5a23c750480

    SHA1

    d770c46d210c0fd302fa035a6054f5ac19f3bd13

    SHA256

    dcbcdce04483e9d2d8a5d7779b18b7f64cfc06e758b07f671493e38dfb9ab33c

    SHA512

    00c711d815815a88fc15f73c8cba6a81b2bfc505baff2cc67b456545151fe896029f11127e447c9bbc5a2d5dc561a06a52be9a9f9c0d28e98ea4e174cdd54398

    Download Submit

  • C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\JPG.ico
    Filesize

    2KB

    MD5

    62b7610403ea3ac4776df9eb93bf4ba4

    SHA1

    b4a6cd17516f8fba679f15eda654928dc44dc502

    SHA256

    b0fd7ffb4c8f0e4566658a7284ca0652961648aaab44a53c5b9713664b122c29

    SHA512

    fa1995a21ffe073a15fa00a3a8717492b0a67f3615abe4c7e6bce054bb23cf545e10e21cfe3625b665c8bb199577815dbeccc7c6107cdb49f673b8d53f23888d

    Download Submit

  • C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
    Filesize

    323KB

    MD5

    7dba8b25e27347bd5d8006525e123ae8

    SHA1

    55ed2469784db0524b72a8dde00412855bbcf45f

    SHA256

    b1857974cc0503b0f3174d916477b07c01d31d3e1cb0517b382220929ca34d19

    SHA512

    d9c647b0cdda065b112329b1864857580abc6c8468e3d612de89e4806ecde690d3fe5d17cdc5029e6773a94b3f7778ce392477fc48cc6366ef904c776ba020f0

    Download Submit

  • C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe.tmp
    Filesize

    323KB

    MD5

    d9d2510ba7ebe92f21ce10dc3614ad79

    SHA1

    43895bc2c48c0bf5567054cf3a3ef5738364182f

    SHA256

    76de89770200ff1ad2cc49994aa22147ad307eb029b26c9da8fe143fb50205df

    SHA512

    32b55fb905d21dac267f7dd64bf63fc418081444bbfce5cb53d17547a81e9bc0d55f12b46dbe81ba9de21c3c3c233ba920908d31bf138931f5df952e5c2eeda1

    Download Submit

  • memory/548-312-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

    Download

  • memory/3348-0-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

    Download

  • memory/3628-331-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

    Download

  • memory/4224-207-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

    Download

  • memory/4564-335-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

    Download

  • memory/4780-341-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

    Download