Resubmissions

20-09-2024 18:03

240920-wmzxcszdrk 10

20-09-2024 18:02

240920-wmjkdazdpr 10

20-09-2024 17:57

240920-wjrrkszcql 10

20-09-2024 17:50

240920-wexf9szbkj 10

Analysis

  • max time kernel
    53s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-09-2024 17:50

General

  • Target

    ee1f66c363ea75c297724f7657991525_JaffaCakes118.exe

  • Size

    323KB

  • MD5

    ee1f66c363ea75c297724f7657991525

  • SHA1

    687de3509051640d8e66b8c6499c8697fd0624d6

  • SHA256

    7c65662229d65bd5b6c32a07fe74ab59bb6f45cdd5cc2cb195f9172527f37cc3

  • SHA512

    b864282f1dc555313918df597d343837813d29dc91912f5b64b09add4be0f0951ae5e2eab115e103e5349c28489540485bd998839b052d4d16eaf68569b164aa

  • SSDEEP

    6144:DBxeN/Tdx8YzL+4eBDgelLBL9C53TV5n+yNXavM:DBxe9dx8Yz6nhtL9C53TV5n+4av

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • UAC bypass 3 TTPs 6 IoCs
  • Disables RegEdit via registry modification 12 IoCs
  • Disables Task Manager via registry modification
  • Disables cmd.exe use via registry modification 12 IoCs
  • Disables use of System Restore points 1 TTPs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
  • Executes dropped EXE 10 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Enumerates connected drives 3 TTPs 44 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 47 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 45 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 4 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • System policy modification 1 TTPs 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ee1f66c363ea75c297724f7657991525_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ee1f66c363ea75c297724f7657991525_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • UAC bypass
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Event Triggered Execution: Image File Execution Options Injection
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2012
    • C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
      C:\Windows\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4568
      • C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        C:\Windows\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4912
      • C:\Windows\SysWOW64\Kantuk.exe
        C:\Windows\system32\Kantuk.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Enumerates connected drives
        • Drops autorun.inf file
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:536
      • C:\Windows\SysWOW64\4K51K4.exe
        C:\Windows\system32\4K51K4.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:4880
      • C:\Windows\SysWOW64\K0L4B0R451.exe
        C:\Windows\system32\K0L4B0R451.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:2304
      • C:\Windows\SysWOW64\GoldenGhost.exe
        C:\Windows\system32\GoldenGhost.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:2876
    • C:\Windows\SysWOW64\Kantuk.exe
      C:\Windows\system32\Kantuk.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3428
    • C:\Windows\SysWOW64\4K51K4.exe
      C:\Windows\system32\4K51K4.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1176
    • C:\Windows\SysWOW64\K0L4B0R451.exe
      C:\Windows\system32\K0L4B0R451.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4564
    • C:\Windows\SysWOW64\GoldenGhost.exe
      C:\Windows\system32\GoldenGhost.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2532

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Aut0exec.bat

    Filesize

    323KB

    MD5

    787ba4a644620e5f0bca84b8ec83a135

    SHA1

    7e20b2a8c633a6776cf2693fdcdc1301f4b5aa36

    SHA256

    54e9a65bdf7956b74f7cb725e1f7c0ee12e37218edbd616fc793eb8f1f13ebc3

    SHA512

    9375f3f85eda364aa1a86e8c6505fe3f9f91204f7273d076d0bfb2c2a3f9426a20a96d7dea89902d0a34e76d8d6ba0ef3fbfbce795e798ba999358cfeed2f421

  • C:\Aut0exec.bat

    Filesize

    323KB

    MD5

    2fa4a3c220c28f1ad92e450714822c4f

    SHA1

    fe7dbe7e6e5439127161fc188be0ac74ab41ec26

    SHA256

    5c41d89eb050ad4ee51b40e48a08f02ec3724d9b4138340d49171dbdafeaa492

    SHA512

    95360a327ddc65f74ffed021eb75b8f50820e097818ab9016e573d6996e6f6aa82a76e9a833b8bc75f59150f8f786130172630b3811821d92444bd6262e07384

  • C:\Aut0exec.bat.tmp

    Filesize

    323KB

    MD5

    3178ba7728d7d86b27abef215d613ac6

    SHA1

    31958f4fb7bd7bc88e6fc22b46bbac5d7578972b

    SHA256

    537c6f16ea836d5960528e0fc6682c148e06e73a5ea059830fe77ba4a995d01e

    SHA512

    7e7df2bcb105e0510843f8d0317e3113044eec41ec93f37650b0d0f2819aa3c42667352b82c6cec6986383d39b62618ca67d7f274e46ebf1f6e6a24485e50368

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Empty.pif

    Filesize

    323KB

    MD5

    751fe427aabc79688d198ffa33a03002

    SHA1

    978482299c3a33c61c5b406faad13f996373cf6e

    SHA256

    dc875657f9f9f86c29cc07bc0ac736e31c22fd5af8e237e334567d784967d9de

    SHA512

    b4d65cf864dbbbb41b632e6f65e72054c2c29c7918377c4b21c42085de9bed6ce6b4194db574a5fd5177a045b5a246576581cef1887a274e219c3072258c875e

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Empty.pif

    Filesize

    323KB

    MD5

    ec08fe4d62525304eeb2e72f36a49950

    SHA1

    81388fe464c3e495fb01dafc91037fb5aa7ce25e

    SHA256

    3517726ff0789c509c20bd71faba489f822b1ff7abf6823b566c1f65e09aa6f6

    SHA512

    5f3950511546f2d6813dfab97b1ff2d560842e9fdd4e2d8f9b0d5b98502248f4461fadcdf11f9d216afd4ef67744f9933a034d683b8c70b7975e92d509556fde

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Empty.pif.tmp

    Filesize

    323KB

    MD5

    64ba654c8c3ec7f258ae9d30ae7f55c0

    SHA1

    ca8605e78f6d9803824e55d9ca8f4a8536e596f0

    SHA256

    b9d3560dab4fec977b45b036f9c160257c1f825f8c843455ed426aef7eb1619a

    SHA512

    cf91a98a276e8c72e75b16ca7f0ba558b240a2fd4b96699179cf7b553e751729c4f847bab393366720733d0025f802d6b31b2b6ab6eedeace9e4a5b421e10856

  • C:\Users\Admin\AppData\Local\Temp\Windows_3D.scr

    Filesize

    323KB

    MD5

    ea622f5ac87b4e2b4c5591edb8893f9f

    SHA1

    7697c7b7b270a47010d62af235977186e057ef76

    SHA256

    73043921ae20a373e70dec9826f2c06caa657b9d2a8d053b45ac0c96f1fb082e

    SHA512

    c7edce62f49429c5b6b82e193bbade0e40b327542d888d31877b4420cc66285695b93cb9bcdaa003a6ddc7d66c2208cfa54919688c9e707bc398be89f568468c

  • C:\Users\Admin\AppData\Local\Temp\Windows_3D.scr.tmp

    Filesize

    323KB

    MD5

    2ed34d48caa740619f247a8a3e37d971

    SHA1

    11cd692c89d38cf8c458b0cdfa973901c1c12c99

    SHA256

    d53eaa827a97cca158e13f79db15ecf10424a38dcd302a36cb1d31007de0561e

    SHA512

    8c75f850e616a3e051b7c597677522cc3b133960e1c5751e75fd1dbef7769d2bf737617eb06a7982e7e36747403cf9d8b29dc1aa1cbe2b1b88d5924a097d3ad9

  • C:\Users\Admin\AppData\Local\Temp\Windows_3D.scr.tmp

    Filesize

    323KB

    MD5

    fb3a4035109eaeefc1a352c9bbe78e38

    SHA1

    463add8242f4569bd43855058cbcee0ac467f99e

    SHA256

    aa027e40611727c492601ebce736f0aafef253a8a515cc25f011549ee1961ad4

    SHA512

    c878101fcde95af237f3ebd18b7836c83f18d235ada1adc1ba7845671589f0c39aaa47bcba04c201878bc834cbd1541e88567edb39458e50d94c7b7100c8397e

  • C:\Windows\SysWOW64\4K51K4.exe

    Filesize

    323KB

    MD5

    357f0bcf3951938f0e45eed58862185e

    SHA1

    53437483fb87dd1817540e2aa8a273ac125a1d02

    SHA256

    0d4b1b005843ef298c2ac8d2139a55f27f00176eff2a6cb23edaebbb6ac9b7ed

    SHA512

    77894b60ab79b46476caba8cab2909b1ecae667b6e063d5cce95140ac2260425a0cc5ac169f9b827bba77eb48fdd9f03739466e30f429ab34d56159ed9910605

  • C:\Windows\SysWOW64\4K51K4.exe

    Filesize

    323KB

    MD5

    89b8cc24e015615658835eb0ef9f2508

    SHA1

    fefce5d76999adf10e3fee29adf1ec890a6f5453

    SHA256

    b978ed3862f836dac67a1f56b35f5382cab504356ff709cac6e220e96eabf38c

    SHA512

    594b2cd8c024ccda78e675090ee6489735c2157a4beb7ba67ffa97b38bc008250b4ca1074294261e1046d1dd346bb8966748010ab488408694b76aaba8ea87a6

  • C:\Windows\SysWOW64\4K51K4.exe.tmp

    Filesize

    323KB

    MD5

    d333cd13da8c1d8aaa1b91338abf3864

    SHA1

    37b9d24e4b944748e10649445dd41767a47e8b56

    SHA256

    1e18c708ecdb00685a57c590497940a2ad83adf44d2831fa0b98f8112745d338

    SHA512

    6ee6974452ca109c9113858451b34783edf74014daba0e5e81e4c850319273ceb0f970fda0a586d4c05a2bac0672097bf30a5c01a71f1a905d51080e6d4cef44

  • C:\Windows\SysWOW64\4K51K4.exe.tmp

    Filesize

    323KB

    MD5

    8705268975b1554695fad309946d4814

    SHA1

    44ac995e2d23225a26f6410922a01c2bb5fadc24

    SHA256

    10f70b67317a1dd0db67fcd4eccb5b22c967a9b6598740e001b2ffbb50dd35ce

    SHA512

    84f385a54d30ef394834252763876015474e2ff0d5fee8c39be648241b5c4d830a93137cb50cc023f80a2efb97d9d48f700103dea123bea40e22541aab4aafcd

  • C:\Windows\SysWOW64\4K51K4.exe.tmp

    Filesize

    323KB

    MD5

    a749badcc062064119ce83dd5ecf1744

    SHA1

    253c411d467d8a4b8a98a6fafdaec96475331b70

    SHA256

    99555d6877008c3247afae96253ae88109766808656ac189200db92eb8361c71

    SHA512

    d7ac345fae018fe6c40da283710f10b0f82da42b350e1238e90cb29029c0cf4752a692cae535fc31e25787b8448a9883be01963e5c99a074ff095c9c25b40839

  • C:\Windows\SysWOW64\Folder.ico

    Filesize

    7KB

    MD5

    d7f9d9553c172cba8825fa161e8e9851

    SHA1

    e45bdc6609d9d719e1cefa846f17d3d66332a3a0

    SHA256

    cd2e513851d519098acef16d191188ac2586d2174dfd1a84f4db7f41a6970086

    SHA512

    a03a806d9db86c0c4f6f8efc4b40008aa51f1625fc1c703a929bfa57a5caf962119b3c76044775af607d4ee1a8a671e1d0a2be66d19ee551717398f9ddc8ad24

  • C:\Windows\SysWOW64\GoldenGhost.exe

    Filesize

    323KB

    MD5

    e49d1b53710adb43bbdd4aa0df3a8ef3

    SHA1

    4653df127c6499ff0f1ee5e14386d7f4ffa318a0

    SHA256

    531cb07a497f032db00fbc5de69942dbfd1c510fc572cf5d2344826463182432

    SHA512

    117b3ebe52b2cc6ca3b5ed1c1f55f71ce343e75697835f0f740bbbfa0fa152f66ffd4ae097f1543798ed3ef495c7ac8a183bd1fc55199303985496804fe19512

  • C:\Windows\SysWOW64\GoldenGhost.exe

    Filesize

    323KB

    MD5

    3ff97baeac9a15d328fd5de2ef73e424

    SHA1

    21c1cf808a6405a104ef9869e1e520225eb0d5e8

    SHA256

    7ae0879c2e135d31be7aa05d8ed2e9ba028504403a6a366b2cef9894fd28a3fe

    SHA512

    a56fbf62096963e40c30202b2e1d645bb8597d1c04cea1dc20c7edcfc898706457772b6e158053311c2ceee6b118f80c810744d23798c9bd6f86df0e0f218724

  • C:\Windows\SysWOW64\GoldenGhost.exe

    Filesize

    323KB

    MD5

    ee1f66c363ea75c297724f7657991525

    SHA1

    687de3509051640d8e66b8c6499c8697fd0624d6

    SHA256

    7c65662229d65bd5b6c32a07fe74ab59bb6f45cdd5cc2cb195f9172527f37cc3

    SHA512

    b864282f1dc555313918df597d343837813d29dc91912f5b64b09add4be0f0951ae5e2eab115e103e5349c28489540485bd998839b052d4d16eaf68569b164aa

  • C:\Windows\SysWOW64\GoldenGhost.exe.tmp

    Filesize

    323KB

    MD5

    972768055134eca05290b9c260c7e978

    SHA1

    2a786091b6982eef18bffb6e5aefd892d254f976

    SHA256

    ab6c5524e88a2cea540cbf479de5b965e4046da87dc33cb4102b98e41a25bb1f

    SHA512

    2481ffc7960a7d38a062aea419f3b198b6809abb7869e4e1dadd269ad06148029370b44aef7190b7d1c1fb369b2b1b9dfec439b275b07e78ee49280cae13350a

  • C:\Windows\SysWOW64\GoldenGhost.exe.tmp

    Filesize

    323KB

    MD5

    daa4d57eb800abbb3047529d666b7d84

    SHA1

    696d65856b40c31432deb56138cbe61ccb8e6bd1

    SHA256

    e113f96a735ae438d9dfdb58f71942e388ff83f3cfcc34e0196d127d0f51dafd

    SHA512

    5b15f6060aef7d774af9014a2748e90ec4c4ed3599e1bd31c3feb5f706b09c2945a784af54fd8339852d96953714ac08e1189ad93e46b533459764c1592a11c0

  • C:\Windows\SysWOW64\GoldenGhost.exe.tmp

    Filesize

    323KB

    MD5

    1c6a0e0cb00a7e5caacc09b83410e149

    SHA1

    a8d3aa2065c151bee5917169169c20d71eb2cc51

    SHA256

    847ae91585a319ffec27b9edc2439f55e04ec5c7f4e33529261bdc3a09668cb6

    SHA512

    042f63b35a919c9b51594a2a5b3443bd578fbeee1e73d8e8c6bcc73b222ab32edfb47c708738c656ecf4ad7166b5850c0ab4b14ea06b99cd8d9ace010110d1ce

  • C:\Windows\SysWOW64\K0L4B0R451.exe.tmp

    Filesize

    323KB

    MD5

    e31666e1d58d432f1b40f5feb3927490

    SHA1

    bc9bc015411160c68740f340854d3db37ea4ca54

    SHA256

    6db943d27d79d2a3e6a869915e7d90d109957f47c6ffed7b3b8fb4997fa64dc3

    SHA512

    d0110a3dad9df5ea304e533bac96be4fe1e19759a6294aa6f282ae3dde234859baafefb0fd39fea553c89778ea7e3d62c138531459fdc01d0e78ce47a7fa86d2

  • C:\Windows\SysWOW64\K0L4B0R451.exe.tmp

    Filesize

    323KB

    MD5

    de4cd05a267d45953e29b8e43fee532a

    SHA1

    2b5e573f7bafaf551a1708cd36fdbcbdc05ea5d2

    SHA256

    bc921d0defeeaa6d7903c06410bf965a1ae3c15d1fc4d77460fc6a76e51482c6

    SHA512

    4411aeba1e1537346d716eb3d027c8ddc8634725f9cdf16c3ed1d5962f2c5c7344f21c1224943c87751cc17f7320a7b5e364e9507830953fedb28929bf63fda9

  • C:\Windows\SysWOW64\K0L4B0R451.exe.tmp

    Filesize

    323KB

    MD5

    4e3d322bf82613420139bdfe2b565a52

    SHA1

    628d4f65b52a759b0c320111cd9b7d26f318f093

    SHA256

    d827b9db0e6a1c47a9dfcad6728d125533a1dc511bcc1d9685994b9fb16ab5b1

    SHA512

    a7592093c24fb0e9dbf896ee01cac51d4abd8f2b729f8a526e8fafa8068a2435fa585d658445be463c0b1bf3b251f5881a1dd5e7812f741dc1a533f57d6f8d02

  • C:\Windows\SysWOW64\Kantuk.exe

    Filesize

    323KB

    MD5

    2c755ab6778c9150b918d0e46cce9808

    SHA1

    cc1b223372fb14dcfc1d988ea8d2fdc9c0596305

    SHA256

    e4243eff6d1460e629475aab7c8bff99597527b1f8cfcaae0963aca3e4f59290

    SHA512

    b2d530aad3a4eca8b3f134910fb8a0d75116d3cd10b43d4fb9a12739589cb0412855c62065c90ad8981db7924f4525b332cd080ea26efd4dd3711327e80b1722

  • C:\Windows\SysWOW64\Kantuk.exe

    Filesize

    323KB

    MD5

    4a99add8e1751d416ad75a4b6cd715c6

    SHA1

    729debfbded07edee82d563ba1c7b92fc179ed17

    SHA256

    c07e7d0a6fec53576ef36f11538d3f597e09946753dc6ce6ca757aaeb1960f39

    SHA512

    bdb0af630d0682c868b049ab668ece20c5e27396389dc9a6fdec259c43951b98bf9d0444e765091df896b15a2a08f038461411714162389354c46708c0937970

  • C:\Windows\SysWOW64\Kantuk.exe.tmp

    Filesize

    323KB

    MD5

    fc31923f9e390297114bc1b48495c573

    SHA1

    1193eaf774806a66b412de94e5bfd3e2241e7493

    SHA256

    a6d041d30be5b1b76e73edf3f1a285a0b960611de3df943e0fabcb70e71037c9

    SHA512

    74c206c8d8a69fc3344b6df75fa4705dc0c361febbe8048396ab53fedb159b85be3117e31512973e485a4a6c8e3b1ef55ee3d2352b93e432e4b038dfa08a7c89

  • C:\Windows\SysWOW64\Kantuk.exe.tmp

    Filesize

    323KB

    MD5

    b2b4dc77a850b8c01e2efd7b6078df25

    SHA1

    7d64143bc0763997b22be1b3517577d8189c5081

    SHA256

    30758884e0bccaf05c56d598493e41718ed0660c799dba4ace96e3ff2492c065

    SHA512

    af0797bb400894816debfdab5abb5a225618b6da06bebd6ee12e9a283ccc6421216da2e22839e6afd03a407a0bbf04810ef5553850b3d2c02e8c951b95944190

  • C:\Windows\SysWOW64\Kantuk.exe.tmp

    Filesize

    323KB

    MD5

    ff81cb44dc72dc4fff542da3724d98d1

    SHA1

    c80a5155a2cdc66b7458463bce49050a7e0a041f

    SHA256

    da389ae8e8411557da8debb746fd95384f86b9b0c1b66ff67a34043164e4429a

    SHA512

    1040f55547d25756d4337911205e838f1d300dafb8971154a54cede1498925dbee96a44efa9efb5056a899430630abd3a26d7bffbe1d32319aa9e9312da57d0f

  • C:\Windows\SysWOW64\Player.ico

    Filesize

    2KB

    MD5

    43be35d4fb3ebc6ca0970f05365440e3

    SHA1

    87bc28e5d9a6ab0c79a07118ca578726ce61b1bc

    SHA256

    5a15c1aab77f132e7ce5928996919ed66564c6082a7f94d0a42229c480113fc5

    SHA512

    b2e24ff3702805d2ff8ecf3ddde8a8e6258965f992f37104c2ed9b763e1448ab32c7609a607e1d90cfba281e7add1e839855656d6453433a42c0d6c8923c9395

  • C:\Windows\SysWOW64\Shell32.com.tmp

    Filesize

    323KB

    MD5

    282ff002814d7c51187a2d9d27e64636

    SHA1

    53c9e23155080aaa6fecde1d2ce3fc2b48cfdf61

    SHA256

    dde602d69860c6a0818b8eee56e0499e05c81e55dcef944004cbedc4cf5a59f6

    SHA512

    ee6baa196e91b2d9caa0238bb8c5607f3dc8d0a796210ae5276895e4434b34fc6c6412bc4bec70faedd88dfae1e82fc70f0790da8602fba157b77fcf079d1685

  • C:\Windows\SysWOW64\Shell32.com.tmp

    Filesize

    323KB

    MD5

    7fd5368e2764369ec2d8797cc673063a

    SHA1

    fb6470ced6e6482bf0274b744d830875b61853e8

    SHA256

    b8c1dc1802f0184f1dc2e3cba41f99965a0b7b7e5f80436d86689636e79feba4

    SHA512

    b9d125137677031a4a2819477a4b66e8ac87ee04ade0ea05aba85d53481e7f94e258379287374788fadc8e8e265fc0bbf943135f2157b774a2266e59b714a1f7

  • C:\Windows\SysWOW64\Shell32.com.tmp

    Filesize

    323KB

    MD5

    fe266a9e5a1ea0483c638ad5d2c631d2

    SHA1

    44ceccf2d50541c51ec28540a94e3e9dd72cb358

    SHA256

    38453d98b3533194da8789d4b69a889bba6404d0ef735dfc1284f3e0fee0b870

    SHA512

    e0f06e4fe2e88d30444ebf39c3c702614f471434e46209db5143632e1e94c45c1320618b2b21f57cd3cf796e21bf541803ed2fcf14cb1879fe49a25bb6e923b4

  • C:\Windows\SysWOW64\Word.ico

    Filesize

    3KB

    MD5

    8482935ff2fab6025b44b5a23c750480

    SHA1

    d770c46d210c0fd302fa035a6054f5ac19f3bd13

    SHA256

    dcbcdce04483e9d2d8a5d7779b18b7f64cfc06e758b07f671493e38dfb9ab33c

    SHA512

    00c711d815815a88fc15f73c8cba6a81b2bfc505baff2cc67b456545151fe896029f11127e447c9bbc5a2d5dc561a06a52be9a9f9c0d28e98ea4e174cdd54398

  • C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\JPG.ico

    Filesize

    2KB

    MD5

    62b7610403ea3ac4776df9eb93bf4ba4

    SHA1

    b4a6cd17516f8fba679f15eda654928dc44dc502

    SHA256

    b0fd7ffb4c8f0e4566658a7284ca0652961648aaab44a53c5b9713664b122c29

    SHA512

    fa1995a21ffe073a15fa00a3a8717492b0a67f3615abe4c7e6bce054bb23cf545e10e21cfe3625b665c8bb199577815dbeccc7c6107cdb49f673b8d53f23888d

  • C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

    Filesize

    323KB

    MD5

    1ea9db9377033bf9732659990c0ce4a1

    SHA1

    9fadb703d8dcc8dacdd23f1b59bb4bf3a5a5bfad

    SHA256

    2c182719c9e5e6f56c4a68c63633caddbd4fb2dbc2342c76d6e9bbec52140583

    SHA512

    b3a1791a295409869893a59eb1dceeaeff1d6a6daca4f54ca16c7286bf1170d8da01bf3821ebfc8866a999305d24073ea83df4ed3f6a089e4b9ef5e35bc13332

  • C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe.tmp

    Filesize

    323KB

    MD5

    ae4afac6f37c1ae1bdf455b6540b1929

    SHA1

    0509074fc27c6aa54dc1220d5c549b5e0714152a

    SHA256

    611e2a21d51600b522602f2a50dca3fa7b7e6af00ff054f71c34fd790d6a326c

    SHA512

    499eb0ea3f510a4a28e81be0fd30e714ff119b3e0ef39946c515e80f58b4e7bab70baa534b88c77e898ed3b83ea79396b638141a46b336d72ab7148a245f4d24

  • memory/536-312-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

  • memory/2012-0-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

  • memory/2304-335-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

  • memory/2876-341-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

  • memory/4568-207-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

  • memory/4880-331-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB