Resubmissions

20-09-2024 18:03

240920-wmzxcszdrk 10

20-09-2024 18:02

240920-wmjkdazdpr 10

20-09-2024 17:57

240920-wjrrkszcql 10

20-09-2024 17:50

240920-wexf9szbkj 10

Analysis

  • max time kernel
    66s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-09-2024 17:50

General

  • Target

    ee1f66c363ea75c297724f7657991525_JaffaCakes118.exe

  • Size

    323KB

  • MD5

    ee1f66c363ea75c297724f7657991525

  • SHA1

    687de3509051640d8e66b8c6499c8697fd0624d6

  • SHA256

    7c65662229d65bd5b6c32a07fe74ab59bb6f45cdd5cc2cb195f9172527f37cc3

  • SHA512

    b864282f1dc555313918df597d343837813d29dc91912f5b64b09add4be0f0951ae5e2eab115e103e5349c28489540485bd998839b052d4d16eaf68569b164aa

  • SSDEEP

    6144:DBxeN/Tdx8YzL+4eBDgelLBL9C53TV5n+yNXavM:DBxe9dx8Yz6nhtL9C53TV5n+4av

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • UAC bypass 3 TTPs 6 IoCs
  • Disables RegEdit via registry modification 12 IoCs
  • Disables Task Manager via registry modification
  • Disables cmd.exe use via registry modification 12 IoCs
  • Disables use of System Restore points 1 TTPs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 20 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Enumerates connected drives 3 TTPs 44 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 47 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 45 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 4 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs
  • System policy modification 1 TTPs 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ee1f66c363ea75c297724f7657991525_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ee1f66c363ea75c297724f7657991525_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • UAC bypass
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Event Triggered Execution: Image File Execution Options Injection
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1800
    • C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
      C:\Windows\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:592
      • C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        C:\Windows\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2584
      • C:\Windows\SysWOW64\Kantuk.exe
        C:\Windows\system32\Kantuk.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Enumerates connected drives
        • Drops autorun.inf file
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:1628
      • C:\Windows\SysWOW64\4K51K4.exe
        C:\Windows\system32\4K51K4.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:2140
      • C:\Windows\SysWOW64\K0L4B0R451.exe
        C:\Windows\system32\K0L4B0R451.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:1568
      • C:\Windows\SysWOW64\GoldenGhost.exe
        C:\Windows\system32\GoldenGhost.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:3052
    • C:\Windows\SysWOW64\Kantuk.exe
      C:\Windows\system32\Kantuk.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2496
    • C:\Windows\SysWOW64\4K51K4.exe
      C:\Windows\system32\4K51K4.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:572
    • C:\Windows\SysWOW64\K0L4B0R451.exe
      C:\Windows\system32\K0L4B0R451.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1004
    • C:\Windows\SysWOW64\GoldenGhost.exe
      C:\Windows\system32\GoldenGhost.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2404

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Aut0exec.bat.tmp

    Filesize

    323KB

    MD5

    84eb9ba4600edfbac5751dce649371ae

    SHA1

    f6e7a5b091c9b4a7b07074290aabddca3188a354

    SHA256

    ba272162a98ef191d2a6fb6158668c6cfa1f4bc38ce7fd443ea67f5dfca694f3

    SHA512

    9824d0817a9550f258324b143532a72e9531d75f710362faed4222454faa53d0ad839325fbdde400a0144c31565a1acdbe69e6ed2288151fd333ba0b956f364d

  • C:\Aut0exec.bat.tmp

    Filesize

    323KB

    MD5

    30378f61e9acfe1455bef862138b4452

    SHA1

    73d5b7299a564b5995fa43b6454ca8dd57898d84

    SHA256

    5bd055b28ee1cbea93c66dec221877f5ad8742caaa20e9f4595737da458cf71e

    SHA512

    d6fa576abec27ea47f597c81bbae2567ef8e8fa2f771c136b84708fcbc6eb4ecc6cf8bb1837f310e227d55dc8fd2556d89c9fe011a6fd9840a29dc0e4a610efb

  • C:\Aut0exec.bat.tmp

    Filesize

    323KB

    MD5

    7b586c0bba24c56aca5b622969860436

    SHA1

    ac6e71bd981d8d7d9754e3735dba778b466d4cca

    SHA256

    eaa3149a4a854503e0a6093f49ffd8f5b4a3d9948a40a28dc96909cfb467156c

    SHA512

    532f2d0cebb43cc61bdc3d2c7e653291938157df02df57de3783c94c48d0785fba6581f10e0d0fcc4bf0cc3418cccdb2bbd927a571c2149b527d1a22c9e216c9

  • C:\JPG.ico

    Filesize

    2KB

    MD5

    62b7610403ea3ac4776df9eb93bf4ba4

    SHA1

    b4a6cd17516f8fba679f15eda654928dc44dc502

    SHA256

    b0fd7ffb4c8f0e4566658a7284ca0652961648aaab44a53c5b9713664b122c29

    SHA512

    fa1995a21ffe073a15fa00a3a8717492b0a67f3615abe4c7e6bce054bb23cf545e10e21cfe3625b665c8bb199577815dbeccc7c6107cdb49f673b8d53f23888d

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif.tmp

    Filesize

    323KB

    MD5

    79d4934437e275cabfcb0f8a966d8e52

    SHA1

    72df59d90990a8a8f762423d8ca9ebff2939cee5

    SHA256

    c8e8b2ddd75bcc3a058ccb4b9e7e7fd0e11a52a0afd884f56a3facdadf9ee565

    SHA512

    21c47e609783207639bd862443c3a11054cc3e2380261c23777a2b01664ffd33682c3189a83d270a003e525171c7657cb5d87c760b21bdc82bfee9d1ee1da3cd

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif.tmp

    Filesize

    323KB

    MD5

    07c89e095456f162a4037829f65cadfc

    SHA1

    6a2edc927ee8504512479b5d973456902baf2e56

    SHA256

    47a524895b41117d92a91963db878e23a0e0e49ad49daebea698aa1dbabc863c

    SHA512

    c94cc98356eb23165158e490817ca7f768a5356e51809723f2e9f36306490a1dd70e2dda09586c7b851bc9d5b413cbdacc6eebac491d5367e766d01b8e329793

  • C:\Users\Admin\AppData\Local\Temp\Windows_3D.scr.tmp

    Filesize

    323KB

    MD5

    cf7660b783d9f36b519505f4caf014c8

    SHA1

    204b9686121581ca7341e584806d5ee55738c627

    SHA256

    955a7f6742a65081a3d4909e3bd8e0494c9bd3b495756280954d41524b3be29b

    SHA512

    b0e6ce8c1cb29250235c6efa125ab79aaf2de7af49a1311aa23b350e894bbf88fc98111ae32bfd33983efdf9761aa5c9566c6f682ba140e02d28be095af74362

  • C:\Users\Admin\AppData\Local\Temp\Windows_3D.scr.tmp

    Filesize

    323KB

    MD5

    101c8b8479f4eb586a4ac999a66f42fb

    SHA1

    48b3e92897056031cd568547624a759a3916eaad

    SHA256

    b29e22d1e1f5de9a84e509525ec12740961c2215892e517e129f53ec997f00da

    SHA512

    b4028d99e314ad1b29349ad09ab6d0f5bdc1297033bac9fee2a08b7cbcec692ff5cce0211d7a74544aa41394c7be0a5983238f2166f09780390d9e3219f868c9

  • C:\Windows\SysWOW64\4K51K4.exe.tmp

    Filesize

    323KB

    MD5

    b1c6fa1f16356f20f6c1f6a0cc60321e

    SHA1

    0b634553707f0f8ac74c6aa8a33167378cb491d4

    SHA256

    64c902de8fc73a6199ae2cb48739050dc726eccae33c9147886c1ae663472531

    SHA512

    36d9456661436691a46df31c03a47d84bd87108a4d4e52dce74d31c065f6e7786daa07c8c312d2b944ee2dd8b1e2d6383e629d81934cc46fb08c2681c6334b14

  • C:\Windows\SysWOW64\4K51K4.exe.tmp

    Filesize

    323KB

    MD5

    dfeefa1237431b4d2d9d18da285e3e65

    SHA1

    e32f98fb225bae43192bbe4d674ef733d8fd1b7e

    SHA256

    5aeaac3048870841bcc7b9d73570967663dc27b1ec94c065c0133a3ae5f64a9e

    SHA512

    2f9b0c3e228debbdf8851d796e27a99c03217ace53e2529945483c552e18a07a478e5d48cd4f7e1293f8aca76035590635ab61917dcad22f91164413720a934a

  • C:\Windows\SysWOW64\Folder.ico

    Filesize

    7KB

    MD5

    d7f9d9553c172cba8825fa161e8e9851

    SHA1

    e45bdc6609d9d719e1cefa846f17d3d66332a3a0

    SHA256

    cd2e513851d519098acef16d191188ac2586d2174dfd1a84f4db7f41a6970086

    SHA512

    a03a806d9db86c0c4f6f8efc4b40008aa51f1625fc1c703a929bfa57a5caf962119b3c76044775af607d4ee1a8a671e1d0a2be66d19ee551717398f9ddc8ad24

  • C:\Windows\SysWOW64\GoldenGhost.exe

    Filesize

    323KB

    MD5

    ee1f66c363ea75c297724f7657991525

    SHA1

    687de3509051640d8e66b8c6499c8697fd0624d6

    SHA256

    7c65662229d65bd5b6c32a07fe74ab59bb6f45cdd5cc2cb195f9172527f37cc3

    SHA512

    b864282f1dc555313918df597d343837813d29dc91912f5b64b09add4be0f0951ae5e2eab115e103e5349c28489540485bd998839b052d4d16eaf68569b164aa

  • C:\Windows\SysWOW64\GoldenGhost.exe.tmp

    Filesize

    323KB

    MD5

    7d1b404d437f2c65e0460c47bddfc6a4

    SHA1

    e6c39bdca7aee33445b022676b30ecd84213e4a9

    SHA256

    3b254a62e4fb41648fda93a4dd50f4fd205141526e3851c60054dc68f4c78e57

    SHA512

    0fe3c4ffb7e3cb97889f9da60222c3d09551e31d73cee16696697f70ffa533356a23ee9d1e3b42f91a1c64b862c89ef5802aaaa922ab2d4634a33361d43ccd5a

  • C:\Windows\SysWOW64\GoldenGhost.exe.tmp

    Filesize

    323KB

    MD5

    f4d4ac0ca69187e0386edc402be815ef

    SHA1

    dde85cc480f57179406118a862033862cd171ac7

    SHA256

    0e98987d2bac038a8efa3a68819f3d656cea7a4c454a158535309fe9c52ad0a5

    SHA512

    d01be36edde8f4c88c1a0b13ae707a549ed376417772f79372f8eeef475c1874f8e3198662ebb50f299e02913b6568790e4bc95f448bf2a2198c2b6efddb75da

  • C:\Windows\SysWOW64\K0L4B0R451.exe.tmp

    Filesize

    323KB

    MD5

    3d7b84e585e5a6ac17d51eee627bff27

    SHA1

    5f59aa6861d2cc894993e155e5354111a70c5ecf

    SHA256

    b90d58f8c52cfac33f08f74d0c2399ba2b3f10c62f2d4c025d5a89427ab04f59

    SHA512

    c45bcb1d14aacf74d0c48fb461c5fdb1926dc87f9eaf6470cb8f3d3aeb05de1613964e4d02dfd9bd5c67f0fb60151dc09c093a3eec02a3a55d2f839106ed60cc

  • C:\Windows\SysWOW64\K0L4B0R451.exe.tmp

    Filesize

    323KB

    MD5

    79146b1081cc3cc587ad75a8605cfb86

    SHA1

    a4b59c03f707dec686af833cdbe654a1a0e3a328

    SHA256

    3a0fea5caa2ba8ca81fbec3a4d1d4f52399dfa3d20c6c56de3f552dc9e9a310f

    SHA512

    2dc14c4f9a1078eddd7399e5d60a691d54d8705ac460dba9fd25f5cc7c21a02cf9eb3a7e492c23160b9334b8395762d634c8a2ea4fe631ae2ff1f44198acf4ca

  • C:\Windows\SysWOW64\Kantuk.exe.tmp

    Filesize

    323KB

    MD5

    ff81cb44dc72dc4fff542da3724d98d1

    SHA1

    c80a5155a2cdc66b7458463bce49050a7e0a041f

    SHA256

    da389ae8e8411557da8debb746fd95384f86b9b0c1b66ff67a34043164e4429a

    SHA512

    1040f55547d25756d4337911205e838f1d300dafb8971154a54cede1498925dbee96a44efa9efb5056a899430630abd3a26d7bffbe1d32319aa9e9312da57d0f

  • C:\Windows\SysWOW64\Kantuk.exe.tmp

    Filesize

    323KB

    MD5

    f95863835d10a2373373ca2b78a1fb28

    SHA1

    6a9394ab033d89846c68101aff9662802438d203

    SHA256

    f07c43f98aec9be327351df9f20aca741f7e3fbf5b3d4b751032ae5c27650267

    SHA512

    6a2eaca4283af87be7767510c87e474dc0494dbaa665b77ce5f05cd6c0ef4ce6867cda22c9eac6c13b97772ddcd4951adae146d2abff68094f15f4181b4e9b1c

  • C:\Windows\SysWOW64\Player.ico

    Filesize

    2KB

    MD5

    43be35d4fb3ebc6ca0970f05365440e3

    SHA1

    87bc28e5d9a6ab0c79a07118ca578726ce61b1bc

    SHA256

    5a15c1aab77f132e7ce5928996919ed66564c6082a7f94d0a42229c480113fc5

    SHA512

    b2e24ff3702805d2ff8ecf3ddde8a8e6258965f992f37104c2ed9b763e1448ab32c7609a607e1d90cfba281e7add1e839855656d6453433a42c0d6c8923c9395

  • C:\Windows\SysWOW64\Shell32.com.tmp

    Filesize

    323KB

    MD5

    fe266a9e5a1ea0483c638ad5d2c631d2

    SHA1

    44ceccf2d50541c51ec28540a94e3e9dd72cb358

    SHA256

    38453d98b3533194da8789d4b69a889bba6404d0ef735dfc1284f3e0fee0b870

    SHA512

    e0f06e4fe2e88d30444ebf39c3c702614f471434e46209db5143632e1e94c45c1320618b2b21f57cd3cf796e21bf541803ed2fcf14cb1879fe49a25bb6e923b4

  • C:\Windows\SysWOW64\Shell32.com.tmp

    Filesize

    323KB

    MD5

    e06e0279f7bdc1272f8ab4dade874b24

    SHA1

    e157a77cfc5853a6b38bf331e499f7fd438c5f0c

    SHA256

    7db91f8e662a1fa4120412f7f295ddf27cbed51e418797b77bd4036dee5f6281

    SHA512

    5acc67a097e52e0d60834d060213e6833b0c352c2c8397cd7694f73d254db325b258da24701c628ae0db428f18c7583c112b747161609d9e953dde5ae5987242

  • C:\Windows\SysWOW64\Word.ico

    Filesize

    3KB

    MD5

    8482935ff2fab6025b44b5a23c750480

    SHA1

    d770c46d210c0fd302fa035a6054f5ac19f3bd13

    SHA256

    dcbcdce04483e9d2d8a5d7779b18b7f64cfc06e758b07f671493e38dfb9ab33c

    SHA512

    00c711d815815a88fc15f73c8cba6a81b2bfc505baff2cc67b456545151fe896029f11127e447c9bbc5a2d5dc561a06a52be9a9f9c0d28e98ea4e174cdd54398

  • C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe.tmp

    Filesize

    323KB

    MD5

    1ea9db9377033bf9732659990c0ce4a1

    SHA1

    9fadb703d8dcc8dacdd23f1b59bb4bf3a5a5bfad

    SHA256

    2c182719c9e5e6f56c4a68c63633caddbd4fb2dbc2342c76d6e9bbec52140583

    SHA512

    b3a1791a295409869893a59eb1dceeaeff1d6a6daca4f54ca16c7286bf1170d8da01bf3821ebfc8866a999305d24073ea83df4ed3f6a089e4b9ef5e35bc13332

  • C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe.tmp

    Filesize

    323KB

    MD5

    37cac27436a594a3d0fc3c955fee676c

    SHA1

    910b9535bcfc84bc7ec3097694329c59652b9a91

    SHA256

    4fb7f5b60607428235d6a8641941058329127ee37d7c07801047dc841a9e6c43

    SHA512

    87472feca6aeb9d838933b531d6019a36111637ec68c0cdeac8e3274151b95ddfddc8a9a74541f71061db23abccc0ebe1fc680bb65c273a701ec072d876be6b9

  • \Windows\SysWOW64\4K51K4.exe

    Filesize

    323KB

    MD5

    216d023a9cf2c7f94c5544aa71eaa6b8

    SHA1

    e3b37213c235eab9626db47dad2604442f75b416

    SHA256

    38e178902a8035792f65598276c91faf94a8be197fa2593df52c0a3e54750be5

    SHA512

    cd3d70b4d5702f194199400b7a27b459f16933e0a6053a85fa5be9fc6d9a9505456080e055a21bc58e43b86043899950b80b9d1f61f93fc6cd628f331ed57c3a

  • \Windows\SysWOW64\GoldenGhost.exe

    Filesize

    323KB

    MD5

    23df77ddf9f217a8fe49f53377ac982e

    SHA1

    9d85d98cfc22daf1567e26a2394d2663d2fefbbb

    SHA256

    27766c0ad98091f27a6e04c7fe906c0692f9d2d2cf3044cb7678b436591da88f

    SHA512

    2d9dc63eb1356064991a3a0366097bce7c814d7121708b434f50577c5d566ad82e77cc1e230501e8ad9bc766038ce4d12f205e0216c2f35075b10289fd09fb4c

  • \Windows\SysWOW64\Kantuk.exe

    Filesize

    323KB

    MD5

    83f40d5ee64808e69e66756401fc5c8e

    SHA1

    671e711f7b88a1cf0c95d1da6376644297046308

    SHA256

    d0449b68e4552fe14a7d69e95e71e316f712222b23f8f8705a8b2b908b660083

    SHA512

    7e9d51d41b0d0a1e2da1c87c828a1e825bb1de979d8eb05779f6ea2847b5750512ebe2feefb448fb78bbfff674cf90c2d2aeab7365a3aad37e8bf63404fe1bdf

  • memory/592-159-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

  • memory/1568-300-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

  • memory/1628-271-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

  • memory/1800-0-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

  • memory/2140-294-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

  • memory/3052-310-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB