Resubmissions

20-09-2024 18:03

240920-wmzxcszdrk 10

20-09-2024 18:02

240920-wmjkdazdpr 10

20-09-2024 17:57

240920-wjrrkszcql 10

20-09-2024 17:50

240920-wexf9szbkj 10

Analysis

  • max time kernel
    6s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-09-2024 18:02

General

  • Target

    ee1f66c363ea75c297724f7657991525_JaffaCakes118.exe

  • Size

    323KB

  • MD5

    ee1f66c363ea75c297724f7657991525

  • SHA1

    687de3509051640d8e66b8c6499c8697fd0624d6

  • SHA256

    7c65662229d65bd5b6c32a07fe74ab59bb6f45cdd5cc2cb195f9172527f37cc3

  • SHA512

    b864282f1dc555313918df597d343837813d29dc91912f5b64b09add4be0f0951ae5e2eab115e103e5349c28489540485bd998839b052d4d16eaf68569b164aa

  • SSDEEP

    6144:DBxeN/Tdx8YzL+4eBDgelLBL9C53TV5n+yNXavM:DBxe9dx8Yz6nhtL9C53TV5n+4av

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • UAC bypass 3 TTPs 6 IoCs
  • Disables RegEdit via registry modification 12 IoCs
  • Disables Task Manager via registry modification
  • Disables cmd.exe use via registry modification 12 IoCs
  • Disables use of System Restore points 1 TTPs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 20 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Enumerates connected drives 3 TTPs 44 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 47 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 45 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 4 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs
  • System policy modification 1 TTPs 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ee1f66c363ea75c297724f7657991525_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ee1f66c363ea75c297724f7657991525_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • UAC bypass
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Event Triggered Execution: Image File Execution Options Injection
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:548
    • C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
      C:\Windows\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2028
      • C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        C:\Windows\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2964
      • C:\Windows\SysWOW64\Kantuk.exe
        C:\Windows\system32\Kantuk.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Enumerates connected drives
        • Drops autorun.inf file
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:568
      • C:\Windows\SysWOW64\4K51K4.exe
        C:\Windows\system32\4K51K4.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:1900
      • C:\Windows\SysWOW64\K0L4B0R451.exe
        C:\Windows\system32\K0L4B0R451.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:2904
      • C:\Windows\SysWOW64\GoldenGhost.exe
        C:\Windows\system32\GoldenGhost.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:1736
    • C:\Windows\SysWOW64\Kantuk.exe
      C:\Windows\system32\Kantuk.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2320
    • C:\Windows\SysWOW64\4K51K4.exe
      C:\Windows\system32\4K51K4.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2992
    • C:\Windows\SysWOW64\K0L4B0R451.exe
      C:\Windows\system32\K0L4B0R451.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2144
    • C:\Windows\SysWOW64\GoldenGhost.exe
      C:\Windows\system32\GoldenGhost.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1436

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Aut0exec.bat

    Filesize

    323KB

    MD5

    787ba4a644620e5f0bca84b8ec83a135

    SHA1

    7e20b2a8c633a6776cf2693fdcdc1301f4b5aa36

    SHA256

    54e9a65bdf7956b74f7cb725e1f7c0ee12e37218edbd616fc793eb8f1f13ebc3

    SHA512

    9375f3f85eda364aa1a86e8c6505fe3f9f91204f7273d076d0bfb2c2a3f9426a20a96d7dea89902d0a34e76d8d6ba0ef3fbfbce795e798ba999358cfeed2f421

  • C:\Aut0exec.bat.tmp

    Filesize

    323KB

    MD5

    84eb9ba4600edfbac5751dce649371ae

    SHA1

    f6e7a5b091c9b4a7b07074290aabddca3188a354

    SHA256

    ba272162a98ef191d2a6fb6158668c6cfa1f4bc38ce7fd443ea67f5dfca694f3

    SHA512

    9824d0817a9550f258324b143532a72e9531d75f710362faed4222454faa53d0ad839325fbdde400a0144c31565a1acdbe69e6ed2288151fd333ba0b956f364d

  • C:\Aut0exec.bat.tmp

    Filesize

    323KB

    MD5

    eb9d2a20dc0f32bf8a515bb6bf24a895

    SHA1

    0068c26a0a41c90126f06376dc0738f75cd66611

    SHA256

    161002c73557f7e9255562d6598c12569f9f9ba9800114f7bd3095f522d0e838

    SHA512

    e9cdb7df12c3ce3f31cfe924d8143b930cf4b48e6194f4ce8f99c0da8703fdf13aa3f4ebfc73574d823110ca7c74efd10aad8a30c3f5b75bc7c843364da5a4a9

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif.tmp

    Filesize

    323KB

    MD5

    64ba654c8c3ec7f258ae9d30ae7f55c0

    SHA1

    ca8605e78f6d9803824e55d9ca8f4a8536e596f0

    SHA256

    b9d3560dab4fec977b45b036f9c160257c1f825f8c843455ed426aef7eb1619a

    SHA512

    cf91a98a276e8c72e75b16ca7f0ba558b240a2fd4b96699179cf7b553e751729c4f847bab393366720733d0025f802d6b31b2b6ab6eedeace9e4a5b421e10856

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif.tmp

    Filesize

    323KB

    MD5

    751fe427aabc79688d198ffa33a03002

    SHA1

    978482299c3a33c61c5b406faad13f996373cf6e

    SHA256

    dc875657f9f9f86c29cc07bc0ac736e31c22fd5af8e237e334567d784967d9de

    SHA512

    b4d65cf864dbbbb41b632e6f65e72054c2c29c7918377c4b21c42085de9bed6ce6b4194db574a5fd5177a045b5a246576581cef1887a274e219c3072258c875e

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif.tmp

    Filesize

    323KB

    MD5

    d8e9380f322734bf8e5ada30c4c72bf3

    SHA1

    7964380e8ea645ae51238d280c789a892ce1455a

    SHA256

    2a61b41e4fb2955dd4880cacdc3cf74e751d09b82fd0f66e8da6f49628ae6244

    SHA512

    419cce41fefeb74e4c30b849ee33c28b3f99b8fd115df28410f3df3ba32bf7bdff72b86aba6e397f2eeb1de505b671cad78f45e3d51df32502ec7a34da715e5e

  • C:\Users\Admin\AppData\Local\Temp\Windows_3D.scr

    Filesize

    323KB

    MD5

    cf7660b783d9f36b519505f4caf014c8

    SHA1

    204b9686121581ca7341e584806d5ee55738c627

    SHA256

    955a7f6742a65081a3d4909e3bd8e0494c9bd3b495756280954d41524b3be29b

    SHA512

    b0e6ce8c1cb29250235c6efa125ab79aaf2de7af49a1311aa23b350e894bbf88fc98111ae32bfd33983efdf9761aa5c9566c6f682ba140e02d28be095af74362

  • C:\Users\Admin\AppData\Local\Temp\Windows_3D.scr

    Filesize

    323KB

    MD5

    fb3a4035109eaeefc1a352c9bbe78e38

    SHA1

    463add8242f4569bd43855058cbcee0ac467f99e

    SHA256

    aa027e40611727c492601ebce736f0aafef253a8a515cc25f011549ee1961ad4

    SHA512

    c878101fcde95af237f3ebd18b7836c83f18d235ada1adc1ba7845671589f0c39aaa47bcba04c201878bc834cbd1541e88567edb39458e50d94c7b7100c8397e

  • C:\Users\Admin\AppData\Local\Temp\Windows_3D.scr.tmp

    Filesize

    323KB

    MD5

    dfa4998990a2b8860998151e0b8a77a1

    SHA1

    87e875f882e9b641732faa8314539d0a344e7a33

    SHA256

    6039438e3578f4608576c137ac211a517eb7168d7cedf0040b4aae130019f3f9

    SHA512

    b5c05cea98b4d5004502b17f57a84e0d21212fdb54075772d707f8b09eedaaba368f41bdaffeb4a825bee58af4fec9f946336ae5d03a1b94f1d3e829e400ed5d

  • C:\Windows\SysWOW64\4K51K4.exe

    Filesize

    323KB

    MD5

    b1c6fa1f16356f20f6c1f6a0cc60321e

    SHA1

    0b634553707f0f8ac74c6aa8a33167378cb491d4

    SHA256

    64c902de8fc73a6199ae2cb48739050dc726eccae33c9147886c1ae663472531

    SHA512

    36d9456661436691a46df31c03a47d84bd87108a4d4e52dce74d31c065f6e7786daa07c8c312d2b944ee2dd8b1e2d6383e629d81934cc46fb08c2681c6334b14

  • C:\Windows\SysWOW64\4K51K4.exe

    Filesize

    323KB

    MD5

    57b87079c403873ccd7769eec147cbf5

    SHA1

    076d9b041cc52d7b9b9335a27b18a5776621ab8e

    SHA256

    b125fc245d260437ac47e177c80da8653c8170cd942b011bff390d26735ae1f2

    SHA512

    5bcf2d5ada6cb43bdffb8aa3a435fb268dc26e0698f49fc327de46506ab38341a6d39aa17a4ca25ecb5685dacde0556ed4b5f274a34215482d3b0a76d4b896ac

  • C:\Windows\SysWOW64\4K51K4.exe

    Filesize

    323KB

    MD5

    f6d46b4d897ac39ed4269a59ce28d45a

    SHA1

    90c3182f501bc588bd132c1cd3a64beb22acb216

    SHA256

    ce687e416d1610c1681cf44b4472748df84582c6c45dd7b2b2d0c86d2ac79586

    SHA512

    95663bf59f1ff27bbe054b42a5e30c571bff80464513cf9b4cbfa4dc6d3c8c2b6219ebb0c1c5a5de39bde251a1c66686eb9701129e6f587eec6d49352551d53a

  • C:\Windows\SysWOW64\4K51K4.exe.tmp

    Filesize

    323KB

    MD5

    4b67b1a00ebf964e29ac1d9ef2a72570

    SHA1

    9e806e1692baf5cebc8410f4f42ffcd81d0fb695

    SHA256

    3ad8efd82b381846a510950e398073065178ceef91a04ec407e06f1fbe267118

    SHA512

    a381fcbfb90344d24be19d65a929522286f4dd5a8119b85c0349f93bc4c70f899cecaa5ae10a3ac93009834964ce8dcfa00155add2519dc80d7c94f98d3a2e40

  • C:\Windows\SysWOW64\Folder.ico

    Filesize

    7KB

    MD5

    d7f9d9553c172cba8825fa161e8e9851

    SHA1

    e45bdc6609d9d719e1cefa846f17d3d66332a3a0

    SHA256

    cd2e513851d519098acef16d191188ac2586d2174dfd1a84f4db7f41a6970086

    SHA512

    a03a806d9db86c0c4f6f8efc4b40008aa51f1625fc1c703a929bfa57a5caf962119b3c76044775af607d4ee1a8a671e1d0a2be66d19ee551717398f9ddc8ad24

  • C:\Windows\SysWOW64\GoldenGhost.exe

    Filesize

    323KB

    MD5

    1c6a0e0cb00a7e5caacc09b83410e149

    SHA1

    a8d3aa2065c151bee5917169169c20d71eb2cc51

    SHA256

    847ae91585a319ffec27b9edc2439f55e04ec5c7f4e33529261bdc3a09668cb6

    SHA512

    042f63b35a919c9b51594a2a5b3443bd578fbeee1e73d8e8c6bcc73b222ab32edfb47c708738c656ecf4ad7166b5850c0ab4b14ea06b99cd8d9ace010110d1ce

  • C:\Windows\SysWOW64\GoldenGhost.exe

    Filesize

    323KB

    MD5

    3ff97baeac9a15d328fd5de2ef73e424

    SHA1

    21c1cf808a6405a104ef9869e1e520225eb0d5e8

    SHA256

    7ae0879c2e135d31be7aa05d8ed2e9ba028504403a6a366b2cef9894fd28a3fe

    SHA512

    a56fbf62096963e40c30202b2e1d645bb8597d1c04cea1dc20c7edcfc898706457772b6e158053311c2ceee6b118f80c810744d23798c9bd6f86df0e0f218724

  • C:\Windows\SysWOW64\GoldenGhost.exe

    Filesize

    323KB

    MD5

    ee1f66c363ea75c297724f7657991525

    SHA1

    687de3509051640d8e66b8c6499c8697fd0624d6

    SHA256

    7c65662229d65bd5b6c32a07fe74ab59bb6f45cdd5cc2cb195f9172527f37cc3

    SHA512

    b864282f1dc555313918df597d343837813d29dc91912f5b64b09add4be0f0951ae5e2eab115e103e5349c28489540485bd998839b052d4d16eaf68569b164aa

  • C:\Windows\SysWOW64\GoldenGhost.exe.tmp

    Filesize

    323KB

    MD5

    5c27ced42a6a3ba6bb2ad49ffb2a8171

    SHA1

    9eb8386e025360bc5787679d3030f9f1aec59c4f

    SHA256

    9066a9bb3b2f0929af456eb51b85d35855ee0ff9fb197d1fcc6dbd63a50e29e9

    SHA512

    ce3e72cd661e6313685a66c6571511541c157c66914c9c7c79326af622fff035bb1ae2851fb8b42d4c4d40c6889b5ea49195ce8269d2bfef58cb206da99f6a5d

  • C:\Windows\SysWOW64\K0L4B0R451.exe.tmp

    Filesize

    323KB

    MD5

    3d7b84e585e5a6ac17d51eee627bff27

    SHA1

    5f59aa6861d2cc894993e155e5354111a70c5ecf

    SHA256

    b90d58f8c52cfac33f08f74d0c2399ba2b3f10c62f2d4c025d5a89427ab04f59

    SHA512

    c45bcb1d14aacf74d0c48fb461c5fdb1926dc87f9eaf6470cb8f3d3aeb05de1613964e4d02dfd9bd5c67f0fb60151dc09c093a3eec02a3a55d2f839106ed60cc

  • C:\Windows\SysWOW64\K0L4B0R451.exe.tmp

    Filesize

    323KB

    MD5

    5711008b0021a1805d9de6f54a3f02de

    SHA1

    5057f800da795680a8bc533c9dad1ae864d48ba4

    SHA256

    a6f5cb026ce7f1ecc04c2c50e7d840ef5eb3dee67c16ce1ca634c1122ee3163a

    SHA512

    274148ae8bb2ce348dee332a3a8da2d60c91925814d5b05305443b79afc49ce5f53bd3a4261f945ab7e2fcd3cf744640de072ac5a31a23fd6023d5ea51afd8a6

  • C:\Windows\SysWOW64\K0L4B0R451.exe.tmp

    Filesize

    323KB

    MD5

    624b4ed3f6b91b6135242f13673b320c

    SHA1

    da116abed83f2924e876baad56c978797da19245

    SHA256

    c6cf682754332a2ec252f066288bb7c771d00c866a00343e966ec8e50f9d10aa

    SHA512

    8769b015cf9f050018aadf1bdad21b5430d1c2a44a4fd8415f25a02e0850c96b8c31f260e4b0945fdd4c3c171c9f701092dc216469bc5dcb45472cb51881ca3b

  • C:\Windows\SysWOW64\Kantuk.exe

    Filesize

    323KB

    MD5

    ff81cb44dc72dc4fff542da3724d98d1

    SHA1

    c80a5155a2cdc66b7458463bce49050a7e0a041f

    SHA256

    da389ae8e8411557da8debb746fd95384f86b9b0c1b66ff67a34043164e4429a

    SHA512

    1040f55547d25756d4337911205e838f1d300dafb8971154a54cede1498925dbee96a44efa9efb5056a899430630abd3a26d7bffbe1d32319aa9e9312da57d0f

  • C:\Windows\SysWOW64\Kantuk.exe

    Filesize

    323KB

    MD5

    ef48e193c65a89ceef66f9e6d0b975bb

    SHA1

    b9e469406fcec60ebbd4956eccf86fd37f4cb136

    SHA256

    9cdcbf17a848cdadbd0d7fd832ca064666ad63805250405dc1c023c8d7732275

    SHA512

    adc1b3b43656766a932d51b0137b1fa4dcbdb8f351c657a7cf9177aefa302838b120806831060b516f364c32dbfdf99d83292002a8320f6542ce380328901e16

  • C:\Windows\SysWOW64\Kantuk.exe.tmp

    Filesize

    323KB

    MD5

    32c3a5be69b067f0a00c0fbd87f582d1

    SHA1

    d122c0a08848ab3163803a69b8f9351f2ad93778

    SHA256

    dd03cc5bf348a7468dff2f3300e86831c824f2b04654ac89906692fb794d8618

    SHA512

    b559618b7ed50bc681486e5b0506c04c7ea652c65cc71fe2f0af2901da9cc0454d2f9856cff7e8433038e584e24853dfb2b8a8aff3025bd356c864827a72cfdf

  • C:\Windows\SysWOW64\Kantuk.exe.tmp

    Filesize

    323KB

    MD5

    a9b52927aa262a4817a89d00846877c7

    SHA1

    5896adc9d624ad38bdf77e5ae99c33a402876cb8

    SHA256

    655e66a43cd7ebae446b6cabb5f4465849663c58d469eb2bcdf8565c58a93e4f

    SHA512

    6d9c3188f3cf80d8519c4d1d7f3ea5ae1428ea70c8ff81ce3b24157839e63695d752f352f4af70271c41acf7681b01f7b0201e6ace99a5f46cec7c246cab8840

  • C:\Windows\SysWOW64\Player.ico

    Filesize

    2KB

    MD5

    43be35d4fb3ebc6ca0970f05365440e3

    SHA1

    87bc28e5d9a6ab0c79a07118ca578726ce61b1bc

    SHA256

    5a15c1aab77f132e7ce5928996919ed66564c6082a7f94d0a42229c480113fc5

    SHA512

    b2e24ff3702805d2ff8ecf3ddde8a8e6258965f992f37104c2ed9b763e1448ab32c7609a607e1d90cfba281e7add1e839855656d6453433a42c0d6c8923c9395

  • C:\Windows\SysWOW64\Shell32.com.tmp

    Filesize

    323KB

    MD5

    fe266a9e5a1ea0483c638ad5d2c631d2

    SHA1

    44ceccf2d50541c51ec28540a94e3e9dd72cb358

    SHA256

    38453d98b3533194da8789d4b69a889bba6404d0ef735dfc1284f3e0fee0b870

    SHA512

    e0f06e4fe2e88d30444ebf39c3c702614f471434e46209db5143632e1e94c45c1320618b2b21f57cd3cf796e21bf541803ed2fcf14cb1879fe49a25bb6e923b4

  • C:\Windows\SysWOW64\Shell32.com.tmp

    Filesize

    323KB

    MD5

    3769171afdf46291f0c93c78737922b2

    SHA1

    ac51ce38d6e442b75a35316f3af8ee59b8a16bb5

    SHA256

    6ce52f37a576d001370b84ed6feca63919c2639e72f0fde062f8e626972b46b6

    SHA512

    a3ddeefeaf847973421d18bfc913074f56836c06d04b3a7dc4ccecc2fc09ebcc81733eec3026dde39262cc2ce4cc9c507960c72f84f99923acaa3c06137398e2

  • C:\Windows\SysWOW64\Shell32.com.tmp

    Filesize

    323KB

    MD5

    527bcaba277334e3a7dac5a9160fe8a0

    SHA1

    ebbad435eb2688c26720b3c292f5cd5d4403e4d7

    SHA256

    d90bec702be14fbe7d6e13e3e20f9cb22cd445a95dd7387b65dc7c16e5467bfd

    SHA512

    d4cc3e26035393ab42238d53fdff7ec653f170f6a28ecc9e9203590bae6d62b71ae8c25433f7fa888e5b330ea56a74556d3b49db21e61d6a582372d044aa3125

  • C:\Windows\SysWOW64\Word.ico

    Filesize

    3KB

    MD5

    8482935ff2fab6025b44b5a23c750480

    SHA1

    d770c46d210c0fd302fa035a6054f5ac19f3bd13

    SHA256

    dcbcdce04483e9d2d8a5d7779b18b7f64cfc06e758b07f671493e38dfb9ab33c

    SHA512

    00c711d815815a88fc15f73c8cba6a81b2bfc505baff2cc67b456545151fe896029f11127e447c9bbc5a2d5dc561a06a52be9a9f9c0d28e98ea4e174cdd54398

  • C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\JPG.ico

    Filesize

    2KB

    MD5

    62b7610403ea3ac4776df9eb93bf4ba4

    SHA1

    b4a6cd17516f8fba679f15eda654928dc44dc502

    SHA256

    b0fd7ffb4c8f0e4566658a7284ca0652961648aaab44a53c5b9713664b122c29

    SHA512

    fa1995a21ffe073a15fa00a3a8717492b0a67f3615abe4c7e6bce054bb23cf545e10e21cfe3625b665c8bb199577815dbeccc7c6107cdb49f673b8d53f23888d

  • C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

    Filesize

    323KB

    MD5

    1ea9db9377033bf9732659990c0ce4a1

    SHA1

    9fadb703d8dcc8dacdd23f1b59bb4bf3a5a5bfad

    SHA256

    2c182719c9e5e6f56c4a68c63633caddbd4fb2dbc2342c76d6e9bbec52140583

    SHA512

    b3a1791a295409869893a59eb1dceeaeff1d6a6daca4f54ca16c7286bf1170d8da01bf3821ebfc8866a999305d24073ea83df4ed3f6a089e4b9ef5e35bc13332

  • C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe.tmp

    Filesize

    323KB

    MD5

    131987ae6531c4043359626332614b96

    SHA1

    9d39af82fd790f84452dd811c2994b1a77e1a2e3

    SHA256

    5c5f8657f1c281aad41dcdf2fae8f2bf193270db9a4afcc0b92e1853f9f70d1d

    SHA512

    2b1daf59c2172844ba616ca6813073bd394de806299a1ffc8f8ce6dee52d29321a9ad0efafa9a870af89538218a75cdc99d164677c6c3ad851dbdadedf741840

  • memory/548-0-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

  • memory/568-323-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

  • memory/1736-362-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

  • memory/1900-340-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

  • memory/2028-211-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

  • memory/2904-352-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB