Analysis

max time kernel: 50s
max time network: 118s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 20-10-2024 03:40

Static task: static1
Behavioral task: behavioral1
  Sample: f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
  Resource: win10v2004-20241007-en

General

Target: f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
Size: 323KB
MD5: 2ee5d033251bd5e2cd7d054af3776ddf
SHA1: 10bd08a006c8bba819a154ba74429cc2a034e7fe
SHA256: f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65
SHA512: fd92a3fe53c84cb0e975b97b2a61ef6442d24b51a9ecfd74169ab28c9c747be6a7ee32fee5093b7e95509f5544b786b49396feb560449800969df3f01358adda
SSDEEP: 6144:FBxeN/Tdx8YzL+4eBDgelLBL9C53TV5n+yNXavM:FBxe9dx8Yz6nhtL9C53TV5n+4av
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 12 IoCs
Userinit is the comma-separated list of programs Winlogon runs at logon and Shell is the program it starts as the user's shell; both get C:\Windows\system32\K0L4B0R451.exe appended, so the implant is started with every interactive logon. Both writes landed under Wow6432Node: the sample is a 32-bit process, so WOW64 redirected its writes to the 32-bit view of the key. The native HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key, which the 64-bit winlogon.exe on this image reads, is not among the keys listed as modified.
description | ioc | Processes (one IoC each)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe" | GoldenGhost.exe, winlogon.exe, K0L4B0R451.exe, Kantuk.exe, 4K51K4.exe, f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\"" | Kantuk.exe, 4K51K4.exe, K0L4B0R451.exe, GoldenGhost.exe, f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe, winlogon.exe
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
With HideFileExt set, Explorer shows "Kantuk" rather than "Kantuk.exe", so the dropped executables can pass for folders or documents (see the Folder.ico, Word.ico and JPG.ico files under Drops file in System32 directory).
description | ioc | Processes (one IoC each)
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe, winlogon.exe, Kantuk.exe, 4K51K4.exe, K0L4B0R451.exe, GoldenGhost.exe

(untitled signature on the page) 6 IoCs
description | ioc | Processes (one IoC each)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | 4K51K4.exe, K0L4B0R451.exe, GoldenGhost.exe, f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe, winlogon.exe, Kantuk.exe
Disables RegEdit via registry modification 12 IoCs
description | ioc | Processes (one IoC each)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | winlogon.exe, Kantuk.exe, K0L4B0R451.exe, f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe, 4K51K4.exe, GoldenGhost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Kantuk.exe, K0L4B0R451.exe, GoldenGhost.exe, f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe, winlogon.exe, 4K51K4.exe

Disables Task Manager via registry modification
Disables cmd.exe use via registry modification 12 IoCs
Note the location: the DisableCMD policy that cmd.exe honours (Group Policy "Prevent access to the command prompt") lives under Software\Policies\Microsoft\Windows\System. These writes go to CurrentVersion\Policies\System, which is where DisableRegistryTools and DisableTaskMgr are read from, not DisableCMD.
description | ioc | Processes (one IoC each)
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | 4K51K4.exe, K0L4B0R451.exe, f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe, winlogon.exe, Kantuk.exe, GoldenGhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | K0L4B0R451.exe, f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe, GoldenGhost.exe, winlogon.exe, Kantuk.exe, 4K51K4.exe

Disables use of System Restore points 1 TTPs
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
A Debugger value under Image File Execution Options\<name> makes Windows start that "debugger" instead of the named program, with the original command line appended. With Debugger = "cmd.exe /c del", launching a file by one of these names (they belong to antivirus and malware-cleaner products) runs cmd.exe /c del followed by that file's command line, so the tool is deleted on its first start; with Debugger = "notepad.exe", anything named install.exe, setup.exe or setup32.exe opens in Notepad instead of running. Registry key names are case-insensitive, so avgnt.exe and Avgnt.exe are the same key. Grouped per target (each "key created" and each Debugger write is one IoC, 64 in total):
Niu.exe: Debugger = "cmd.exe /c del" set by Kantuk.exe
Nip.exe: key created by K0L4B0R451.exe; Debugger = "cmd.exe /c del" set by winlogon.exe, 4K51K4.exe
avgnt.exe (also written Avgnt.exe): key created by winlogon.exe, 4K51K4.exe; Debugger = "cmd.exe /c del" set by f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe, K0L4B0R451.exe, 4K51K4.exe
Nvcoas.exe: key created by f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe; Debugger = "cmd.exe /c del" set by f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe, 4K51K4.exe, GoldenGhost.exe
Zanda.exe: key created by K0L4B0R451.exe, GoldenGhost.exe; Debugger = "cmd.exe /c del" set by winlogon.exe, GoldenGhost.exe
avscan.exe: key created by Kantuk.exe; Debugger = "cmd.exe /c del" set by Kantuk.exe, 4K51K4.exe
PCMAV-RTP.exe: key created by f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe, 4K51K4.exe, GoldenGhost.exe; Debugger = "cmd.exe /c del" set by 4K51K4.exe
ansav.exe: key created by K0L4B0R451.exe; Debugger = "cmd.exe /c del" set by Kantuk.exe, 4K51K4.exe, GoldenGhost.exe, K0L4B0R451.exe
CClaw.exe: key created by 4K51K4.exe, Kantuk.exe; Debugger = "cmd.exe /c del" set by GoldenGhost.exe, 4K51K4.exe
install.exe: Debugger = "notepad.exe" set by f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe, K0L4B0R451.exe, GoldenGhost.exe
Avguard.exe: key created by winlogon.exe, Kantuk.exe; Debugger = "cmd.exe /c del" set by 4K51K4.exe, GoldenGhost.exe
setup32.exe: key created by winlogon.exe, Kantuk.exe; Debugger = "notepad.exe" set by winlogon.exe, Kantuk.exe
Avgw.exe: key created by K0L4B0R451.exe; Debugger = "cmd.exe /c del" set by K0L4B0R451.exe
Nipsvc.exe: key created by K0L4B0R451.exe; Debugger = "cmd.exe /c del" set by f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
Njeeves.exe: key created by winlogon.exe, GoldenGhost.exe; Debugger = "cmd.exe /c del" set by Kantuk.exe
setup.exe: key created by 4K51K4.exe, winlogon.exe; Debugger = "notepad.exe" set by Kantuk.exe
Nvccf.exe: key created by f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe, winlogon.exe, 4K51K4.exe; Debugger = "cmd.exe /c del" set by 4K51K4.exe
PCMAV-CLN.exe: key created by f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe, winlogon.exe; Debugger = "cmd.exe /c del" set by GoldenGhost.exe
PCMAV-SE.exe: Debugger = "cmd.exe /c del" set by winlogon.exe
SMP.exe: key created by winlogon.exe; Debugger = "cmd.exe /c del" set by K0L4B0R451.exe
Executes dropped EXE 10 IoCs
pid | Process
1220 | winlogon.exe
348 | winlogon.exe
2952 | Kantuk.exe
1916 | 4K51K4.exe
2892 | K0L4B0R451.exe
292 | GoldenGhost.exe
2268 | Kantuk.exe
1284 | 4K51K4.exe
2468 | K0L4B0R451.exe
2068 | GoldenGhost.exe

Loads dropped DLL 20 IoCs
pid | Process | loads (one IoC each)
1072 | f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe | 10
1220 | winlogon.exe | 10
Modifies system executable filetype association 2 TTPs 64 IoCs
The open command for the exefile, comfile, batfile, piffile and lnkfile classes is replaced by "C:\Windows\system32\4K51K4.exe" "%1" %*, so every executable, script or shortcut launched through the shell passes through 4K51K4.exe first (the stock value for exefile, comfile, batfile and piffile is "%1" %*). NeverShowExt hides the .exe extension even when HideFileExt is off, and the exefile default value renames the type shown in Explorer to "K0L4B0R451 File". Remediation caveat: deleting 4K51K4.exe before restoring these commands leaves the host unable to start any .exe, .com, .bat, .pif or shortcut through Explorer; restore the associations first.
description | ioc | Processes (one IoC each)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | GoldenGhost.exe, f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe, winlogon.exe, 4K51K4.exe, K0L4B0R451.exe, Kantuk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | Kantuk.exe, f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe, 4K51K4.exe, GoldenGhost.exe, winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | K0L4B0R451.exe, f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe, winlogon.exe, 4K51K4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | winlogon.exe, f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe, K0L4B0R451.exe, Kantuk.exe, GoldenGhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe, K0L4B0R451.exe, Kantuk.exe, 4K51K4.exe, GoldenGhost.exe, winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | GoldenGhost.exe, winlogon.exe, K0L4B0R451.exe, Kantuk.exe, f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | K0L4B0R451.exe, winlogon.exe, GoldenGhost.exe, f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe, 4K51K4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | K0L4B0R451.exe, f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe, GoldenGhost.exe, Kantuk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | K0L4B0R451.exe, f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe, GoldenGhost.exe, 4K51K4.exe, winlogon.exe, Kantuk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | 4K51K4.exe, GoldenGhost.exe, winlogon.exe, K0L4B0R451.exe, f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" | GoldenGhost.exe, Kantuk.exe, K0L4B0R451.exe, f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe, winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File" | winlogon.exe, GoldenGhost.exe, K0L4B0R451.exe, Kantuk.exe, f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe, 4K51K4.exe
Adds Run key to start application 2 TTPs 12 IoCs
Two autostart entries: a machine-wide Run value named "Winlogon" (written to the 32-bit Run key under Wow6432Node, which Windows still processes at logon) pointing at a winlogon.exe copy in a directory named ~A~m~B~u~R~a~D~u~L~, and a per-user value "Revenger" pointing at K0L4B0R451.exe. The value name "Winlogon" and the file name winlogon.exe mimic the genuine winlogon.exe in process and autorun listings. The data says C:\Windows\system32\... while the files were created under C:\Windows\SysWOW64\... (see Drops file in System32 directory): a 32-bit process writing to system32 is redirected to SysWOW64.
description | ioc | Processes (one IoC each)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | 4K51K4.exe, f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe, Kantuk.exe, K0L4B0R451.exe, winlogon.exe, GoldenGhost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe" | f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe, Kantuk.exe, 4K51K4.exe, K0L4B0R451.exe, GoldenGhost.exe, winlogon.exe

(untitled signature on the page) 6 IoCs
description | ioc | Processes (one IoC each)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | K0L4B0R451.exe, GoldenGhost.exe, f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe, winlogon.exe, Kantuk.exe, 4K51K4.exe
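The registry signatures above (Winlogon, the regedit/cmd lockout policies, IFEO debuggers, file-type associations, Run keys, extension hiding) all come down to a handful of recognisable write patterns. The following is an added example in Python, not code from the report or from the sandbox vendor: it parses IoC lines in the report's own `Set value (...) <key>\<name> = "<data>" <process>` / `Key created <key> <process>` shape, maps each write to the technique it implements, and marks writes that landed under Wow6432Node as WOW64-redirected. The sample lines are copied from the tables above except the final benign Userinit line, which is constructed as a control; the rule names, the `RegEvent`, `classify` and `triage` helpers and the `POLICY_VALUES` notes are this example's own.

```python
# Added example: map sandbox registry IoC lines to the techniques they implement.
from __future__ import annotations

import re
from collections import namedtuple
from typing import Optional

# action: "set" | "create"; name: value name ("" = (Default), None for key creation); data: None for key creation
RegEvent = namedtuple("RegEvent", "action key name data process")
POLICY_VALUES = {  # values the sample sets to 1 under CurrentVersion\Policies\System
    "DisableRegistryTools": "blocks regedit; read from this key",
    "DisableTaskMgr": "blocks Task Manager; read from this key",
    "DisableCMD": "meant to block cmd.exe, but cmd.exe reads DisableCMD from "
                  "Software\\Policies\\Microsoft\\Windows\\System, not from this key",
}


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)  # the report renders \\ for a backslash and \" for a quote


def _basename(p: str) -> str:
    return p.strip().strip('"').rsplit("\\", 1)[-1].lower()


def parse_line(line: str) -> Optional[RegEvent]:
    """Parse one 'Set value (...)' or 'Key created' line; None for anything else."""
    line = line.strip()
    if line.startswith("Key created "):
        key, _, process = line[len("Key created "):].rpartition(" ")
        return RegEvent("create", key, None, None, process) if key else None
    m = re.match(r'Set value \((?:str|int)\) (.*) = "(.*)" (\S+)$', line)
    if not m:
        return None
    path, raw, process = m.groups()
    key, _, name = path.rpartition("\\")  # a trailing "\" means the (Default) value, name ""
    return RegEvent("set", key, name, _unescape(raw), process)


def classify(ev: RegEvent) -> Optional[tuple[str, str]]:
    """Map one write to (technique, detail), or None when it is not a finding."""
    k = ev.key.lower()
    wow = "  [32-bit view: WOW64-redirected write]" if "\\wow6432node\\" in k else ""
    if ev.action == "create":
        if "\\image file execution options\\" in k:
            return ("IFEO key created", ev.key.rsplit("\\", 1)[-1])
        if "\\classes\\" in k:
            return ("file-type handler key created", ev.key[k.index("\\classes\\") + 9:])
        return None
    if k.endswith("\\currentversion\\winlogon"):
        if ev.name == "Userinit":  # stock value is "C:\Windows\system32\userinit.exe," (trailing comma)
            extra = [e.strip() for e in ev.data.split(",") if e.strip() and _basename(e) != "userinit.exe"]
            return ("Winlogon Userinit hijack", ", ".join(extra) + wow) if extra else None
        if ev.name == "Shell":  # stock value is exactly explorer.exe
            toks = re.findall(r'"[^"]*"|\S+', ev.data)
            if len(toks) != 1 or _basename(toks[0]) != "explorer.exe":
                return ("Winlogon Shell hijack", ev.data + wow)
        return None
    if "\\image file execution options\\" in k and ev.name == "Debugger":
        target = ev.key.rsplit("\\", 1)[-1]  # Windows will start "<data> <original command line>" instead
        return ("IFEO Debugger hijack", f"{target} -> {ev.data}")
    m = re.search(r"\\classes\\(\w+)\\shell\\open\\command$", k)
    if m and ev.name == "":  # stock handler for exefile/comfile/batfile/piffile is "%1" %*; lnkfile has none
        return None if ev.data.lstrip().startswith('"%1"') else ("file-type handler hijack", f"{m.group(1)} -> {ev.data}")
    if k.endswith("\\classes\\exefile"):
        if ev.name == "NeverShowExt":
            return ("hides .exe extension (NeverShowExt)", ev.data)
        return ("exefile type name changed", ev.data) if ev.name == "" else None
    if k.endswith("\\currentversion\\run"):
        return ("Run key persistence", f"{ev.name} -> {ev.data}{wow}")
    if k.endswith("\\currentversion\\policies\\system") and ev.name in POLICY_VALUES and ev.data == "1":
        return (f"policy {ev.name}=1", POLICY_VALUES[ev.name])
    if k.endswith("\\explorer\\advanced") and ev.name == "HideFileExt" and ev.data == "1":
        return ("hides file extensions in Explorer", "HideFileExt=1")
    return None  # e.g. EnableLUA=1 is the Windows default, not a finding


def triage(lines) -> dict[tuple[str, str], list[str]]:
    """Group findings as (technique, detail) -> sorted list of the processes responsible."""
    found = {}
    for line in lines:
        ev = parse_line(line)
        hit = classify(ev) if ev else None
        if hit:
            found.setdefault(hit, set()).add(ev.process)
    return {h: sorted(p) for h, p in found.items()}


# Lines copied from the report's tables; the last one is a constructed benign control.
SAMPLE = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe" GoldenGhost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\"" Kantuk.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe\Debugger = "cmd.exe /c del" K0L4B0R451.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nip.exe K0L4B0R451.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\Debugger = "notepad.exe" GoldenGhost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" GoldenGhost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" 4K51K4.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe" Kantuk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" K0L4B0R451.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Kantuk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" 4K51K4.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe," benign-control.exe
"""
```

`triage(SAMPLE.splitlines())` returns one entry per distinct (technique, detail) with the processes that made that write, so pasting a whole table of a report in gives the per-process picture directly; the EnableLUA and benign Userinit lines produce no finding. The same rules transfer to a live host, with one difference worth keeping in mind from this report: on 64-bit Windows read the native key and the Wow6432Node view separately, because a 32-bit implant's Winlogon writes may only exist in the latter.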
Enumerates connected drives 3 TTPs 44 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (22 drive letters, one IoC each) | Kantuk.exe
File opened (read-only) | \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (22 drive letters, one IoC each) | K0L4B0R451.exe
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process
File created C:\autorun.inf Kantuk.exe
File opened for modification C:\autorun.inf Kantuk.exe
Drops file in System32 directory 47 IoCs
description ioc Process
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe winlogon.exe
File created C:\Windows\SysWOW64\Folder.ico winlogon.exe
File created C:\Windows\SysWOW64\Asli.ico winlogon.exe
File opened for modification C:\Windows\SysWOW64\K0L4B0R451.exe f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
File opened for modification C:\Windows\SysWOW64\Shell32.com f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
File created C:\Windows\SysWOW64\Folder.ico f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
File opened for modification C:\Windows\SysWOW64\K0L4B0R451.exe winlogon.exe
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~ f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
File opened for modification C:\Windows\SysWOW64\GoldenGhost.exe.tmp f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
File opened for modification C:\Windows\SysWOW64\Kantuk.exe winlogon.exe
File opened for modification C:\Windows\SysWOW64\GoldenGhost.exe winlogon.exe
File opened for modification C:\Windows\SysWOW64\Kantuk.exe f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
File opened for modification C:\Windows\SysWOW64\Kantuk.exe.tmp f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
File opened for modification C:\Windows\SysWOW64\Shell32.com.tmp f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
File opened for modification C:\Windows\SysWOW64\Shell32.com winlogon.exe
File opened for modification C:\Windows\SysWOW64\Kantuk.exe.tmp winlogon.exe
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\JPG.ico winlogon.exe
File created C:\Windows\SysWOW64\Word.ico winlogon.exe
File opened for modification C:\Windows\SysWOW64\4K51K4.exe f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
File created C:\Windows\SysWOW64\Shell32.com f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
File created C:\Windows\SysWOW64\Asli.ico f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~ winlogon.exe
File opened for modification C:\Windows\SysWOW64\4K51K4.exe winlogon.exe
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe.tmp winlogon.exe
File opened for modification C:\Windows\SysWOW64\GoldenGhost.exe.tmp winlogon.exe
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
File created C:\Windows\SysWOW64\Kantuk.exe f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
File created C:\Windows\SysWOW64\GoldenGhost.exe f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
File opened for modification C:\Windows\SysWOW64\K0L4B0R451.exe.tmp f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
File created C:\Windows\SysWOW64\Word.ico f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
File created C:\Windows\SysWOW64\Rar.ico f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
File opened for modification C:\Windows\SysWOW64\Windows_3D.scr f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe.tmp f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
File opened for modification C:\Windows\SysWOW64\4K51K4.exe.tmp f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\JPG.ico f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe winlogon.exe
File opened for modification C:\Windows\SysWOW64\Shell32.com.tmp winlogon.exe
File created C:\Windows\SysWOW64\Rar.ico winlogon.exe
File opened for modification C:\Windows\SysWOW64\Windows_3D.scr winlogon.exe
File opened for modification C:\Windows\SysWOW64\GoldenGhost.exe f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
File created C:\Windows\SysWOW64\4K51K4.exe f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
File created C:\Windows\SysWOW64\K0L4B0R451.exe f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
File created C:\Windows\SysWOW64\Player.ico f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
File opened for modification C:\Windows\SysWOW64\4K51K4.exe.tmp winlogon.exe
File opened for modification C:\Windows\SysWOW64\K0L4B0R451.exe.tmp winlogon.exe
File created C:\Windows\SysWOW64\Player.ico winlogon.exe
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\K0L4B0R451.jpg" f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
Drops file in Windows directory 1 IoCs
description ioc Process
File created C:\Windows\K0L4B0R451.jpg f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4K51K4.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GoldenGhost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language K0L4B0R451.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language K0L4B0R451.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kantuk.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4K51K4.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GoldenGhost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kantuk.exe
Modifies Control Panel 45 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\ K0L4B0R451.exe
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\ winlogon.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s1159 = "K0L4B0R451" winlogon.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s1159 = "K0L4B0R451" Kantuk.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s2359 = "K0L4B0R451" Kantuk.exe
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\ 4K51K4.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr" GoldenGhost.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s2359 = "K0L4B0R451" GoldenGhost.exe
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100" winlogon.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" K0L4B0R451.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100" K0L4B0R451.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\WallpaperStyle = "0" f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s2359 = "K0L4B0R451" f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr" Kantuk.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr" 4K51K4.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr" K0L4B0R451.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100" GoldenGhost.exe
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\ GoldenGhost.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s1159 = "K0L4B0R451" GoldenGhost.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr" f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s2359 = "K0L4B0R451" winlogon.exe
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\ Kantuk.exe
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ K0L4B0R451.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s1159 = "K0L4B0R451" K0L4B0R451.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s2359 = "K0L4B0R451" K0L4B0R451.exe
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ 4K51K4.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100" 4K51K4.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s1159 = "K0L4B0R451" 4K51K4.exe
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\ f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s1159 = "K0L4B0R451" f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" GoldenGhost.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" winlogon.exe
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ Kantuk.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" 4K51K4.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s2359 = "K0L4B0R451" 4K51K4.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\TileWallpaper = "0" f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100" f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100" Kantuk.exe
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ GoldenGhost.exe
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ winlogon.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr" winlogon.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" Kantuk.exe
Modifies registry class 64 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\Install\command 4K51K4.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command K0L4B0R451.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" GoldenGhost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "logoff.exe" GoldenGhost.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Kantuk.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" 4K51K4.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Edit\Command\ = "logoff.exe" winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\NeverShowExt = "1" f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\edit\command\ = "logoff.exe" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" Kantuk.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" 4K51K4.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" 4K51K4.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" K0L4B0R451.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\Shell\Edit\Command f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\Install\command K0L4B0R451.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" GoldenGhost.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile K0L4B0R451.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command K0L4B0R451.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\edit\command\ = "logoff.exe" GoldenGhost.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command GoldenGhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\NeverShowExt = "1" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "logoff.exe" winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command 4K51K4.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command K0L4B0R451.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\Install\command Kantuk.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Install\command\ = "logoff.exe" f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command 4K51K4.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile K0L4B0R451.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\edit\command\ = "logoff.exe" K0L4B0R451.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\Shell f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "K0L4B0R451 File" 4K51K4.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command K0L4B0R451.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command GoldenGhost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "K0L4B0R451 File" f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command 4K51K4.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" Kantuk.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command K0L4B0R451.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command K0L4B0R451.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command GoldenGhost.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" Kantuk.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Edit\Command\ = "logoff.exe" f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command Kantuk.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "logoff.exe" Kantuk.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "logoff.exe" 4K51K4.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\Install\command\ = "logoff.exe" K0L4B0R451.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Install\command\ = "logoff.exe" GoldenGhost.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command Kantuk.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Kantuk.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "logoff.exe" Kantuk.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" K0L4B0R451.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\Install\command\ = "logoff.exe" GoldenGhost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\Install\command\ = "logoff.exe" winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command Kantuk.exe
Suspicious behavior: GetForegroundWindowSpam 4 IoCs
pid Process
1916 4K51K4.exe
292 GoldenGhost.exe
2952 Kantuk.exe
2892 K0L4B0R451.exe
Suspicious use of SetWindowsHookEx 11 IoCs
pid Process
1072 f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
1220 winlogon.exe
348 winlogon.exe
2952 Kantuk.exe
1916 4K51K4.exe
2892 K0L4B0R451.exe
292 GoldenGhost.exe
2268 Kantuk.exe
1284 4K51K4.exe
2468 K0L4B0R451.exe
2068 GoldenGhost.exe
Suspicious use of WriteProcessMemory 40 IoCs
description pid Process procid_target
PID 1072 wrote to memory of 1220 1072 f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe 30
PID 1072 wrote to memory of 1220 1072 f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe 30
PID 1072 wrote to memory of 1220 1072 f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe 30
PID 1072 wrote to memory of 1220 1072 f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe 30
PID 1220 wrote to memory of 348 1220 winlogon.exe 31
PID 1220 wrote to memory of 348 1220 winlogon.exe 31
PID 1220 wrote to memory of 348 1220 winlogon.exe 31
PID 1220 wrote to memory of 348 1220 winlogon.exe 31
PID 1220 wrote to memory of 2952 1220 winlogon.exe 32
PID 1220 wrote to memory of 2952 1220 winlogon.exe 32
PID 1220 wrote to memory of 2952 1220 winlogon.exe 32
PID 1220 wrote to memory of 2952 1220 winlogon.exe 32
PID 1220 wrote to memory of 1916 1220 winlogon.exe 33
PID 1220 wrote to memory of 1916 1220 winlogon.exe 33
PID 1220 wrote to memory of 1916 1220 winlogon.exe 33
PID 1220 wrote to memory of 1916 1220 winlogon.exe 33
PID 1220 wrote to memory of 2892 1220 winlogon.exe 34
PID 1220 wrote to memory of 2892 1220 winlogon.exe 34
PID 1220 wrote to memory of 2892 1220 winlogon.exe 34
PID 1220 wrote to memory of 2892 1220 winlogon.exe 34
PID 1220 wrote to memory of 292 1220 winlogon.exe 35
PID 1220 wrote to memory of 292 1220 winlogon.exe 35
PID 1220 wrote to memory of 292 1220 winlogon.exe 35
PID 1220 wrote to memory of 292 1220 winlogon.exe 35
PID 1072 wrote to memory of 2268 1072 f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe 36
PID 1072 wrote to memory of 2268 1072 f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe 36
PID 1072 wrote to memory of 2268 1072 f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe 36
PID 1072 wrote to memory of 2268 1072 f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe 36
PID 1072 wrote to memory of 1284 1072 f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe 37
PID 1072 wrote to memory of 1284 1072 f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe 37
PID 1072 wrote to memory of 1284 1072 f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe 37
PID 1072 wrote to memory of 1284 1072 f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe 37
PID 1072 wrote to memory of 2468 1072 f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe 38
PID 1072 wrote to memory of 2468 1072 f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe 38
PID 1072 wrote to memory of 2468 1072 f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe 38
PID 1072 wrote to memory of 2468 1072 f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe 38
PID 1072 wrote to memory of 2068 1072 f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe 39
PID 1072 wrote to memory of 2068 1072 f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe 39
PID 1072 wrote to memory of 2068 1072 f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe 39
PID 1072 wrote to memory of 2068 1072 f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe 39
System policy modification 1 TTPs 48 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1" K0L4B0R451.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System GoldenGhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1" 4K51K4.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Kantuk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1" Kantuk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1" 4K51K4.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" K0L4B0R451.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" K0L4B0R451.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer K0L4B0R451.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" GoldenGhost.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer GoldenGhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1" Kantuk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" 4K51K4.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" GoldenGhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" GoldenGhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1" f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" Kantuk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" 4K51K4.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 4K51K4.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer 4K51K4.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" GoldenGhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1" GoldenGhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" Kantuk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" Kantuk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Kantuk.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer Kantuk.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 4K51K4.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" 4K51K4.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" K0L4B0R451.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1" GoldenGhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1" f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System K0L4B0R451.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" K0L4B0R451.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1" K0L4B0R451.exe
Processes
C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe "C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe" (depth 1)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1072
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe (depth 2)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1220 -
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exeC:\Windows\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:348
-
-
C:\Windows\SysWOW64\Kantuk.exeC:\Windows\system32\Kantuk.exe3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2952
-
-
C:\Windows\SysWOW64\4K51K4.exeC:\Windows\system32\4K51K4.exe3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1916
-
-
C:\Windows\SysWOW64\K0L4B0R451.exeC:\Windows\system32\K0L4B0R451.exe3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2892
-
-
C:\Windows\SysWOW64\GoldenGhost.exeC:\Windows\system32\GoldenGhost.exe3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:292
-
-
-
C:\Windows\SysWOW64\Kantuk.exeC:\Windows\system32\Kantuk.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2268
-
-
C:\Windows\SysWOW64\4K51K4.exeC:\Windows\system32\4K51K4.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1284
-
-
C:\Windows\SysWOW64\K0L4B0R451.exeC:\Windows\system32\K0L4B0R451.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2468
-
-
C:\Windows\SysWOW64\GoldenGhost.exeC:\Windows\system32\GoldenGhost.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2068
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (2)
  - Change Default File Association (1)
  - Image File Execution Options Injection (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (2)
  - Change Default File Association (1)
  - Image File Execution Options Injection (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (7)
Downloads
-
Filesize 323KB
MD5 0a88f5efa3d7d3c062a4550c7fc86b0f
SHA1 ff440391c7cb23d1a2e4c3a59076823a8d1741ee
SHA256 52736efddcfed79f0ed4c50d8d4a52e622351861e9a89122a252565689630c26
SHA512 42985f9834e04d626fc4a2db4c2c269881023dcfeca2a416d7d413c35824fde691e46d32f8d01c79009f8fea3e06c27298bf7c4948e59c4c3ca20ef508a0fb5a
-
Filesize 323KB
MD5 2f3599d5e96b8e7357c07e6a8d74d0bb
SHA1 12b2f2406b9129ebc8cf5f633a4678ace862d6ed
SHA256 d31e4f65e1f3f1beab753951dbd4ec3cb1aa4329df34639c503838b28a8a3150
SHA512 73a8bff922502a029429ad60c55787694a9d7de9049e5bd839c4ca88072b2bed08eb80a9cfbed6c8712a755929aeb22e9c2ed28874f63e6842a72325149c1288
-
Filesize 323KB
MD5 bb901c4619f7e5a5b2869825d72b1855
SHA1 d4e50db07897f907e0a72d51d76c2d1e596ece6b
SHA256 6af25019a51befd49535fb83ed1cc2400a6c7a88db14df9a8e98ee0e671847d4
SHA512 65ad36fdcafa521588a0b0590580b89d6cf0f8faff12f014290d18fb036e58b047f888576347b5e5722bea131932482644df58f8cdd1f2b6b6ac190d864db49e
-
Filesize 2KB
MD5 62b7610403ea3ac4776df9eb93bf4ba4
SHA1 b4a6cd17516f8fba679f15eda654928dc44dc502
SHA256 b0fd7ffb4c8f0e4566658a7284ca0652961648aaab44a53c5b9713664b122c29
SHA512 fa1995a21ffe073a15fa00a3a8717492b0a67f3615abe4c7e6bce054bb23cf545e10e21cfe3625b665c8bb199577815dbeccc7c6107cdb49f673b8d53f23888d
-
Filesize 323KB
MD5 fa10353c3a55e3ebdb1b8aafabaf022c
SHA1 c29c6aa319a5ff1d2f1529d6dfe44bf98f67f643
SHA256 f657f7ec824caf981868b3f6a5536af20ffb462386f506697f5d764dc7c2a868
SHA512 19977d01270fb574ee8ed449bf1381c4c22b0937c784901a79b18eca4e64877fa272e4bcb4c26e12b379f7fcf9555a52add8743da391af8744c455a55eb7b623
-
Filesize 323KB
MD5 6e00232b631d61d65c27fd6e0a4bb75e
SHA1 bcdcad3dac22bed40248bde066380b147b6990cf
SHA256 76aec6dd8038a5ab3ee7864342094fef12389b7a87931381aeed71f64628dd45
SHA512 a1c674d5037d581196d54025f56e97df43bcd52d8133c19b05d7d29e7c7ed8f7928b1d65230c207499745f25d06ee2228832232045fc087c716065c1322ddaaa
-
Filesize 323KB
MD5 da7defb75370807e667bd8cc46be2b74
SHA1 477ed6f118ce88edcd5a8724937fd1f95ef077a6
SHA256 1cbd320229c136f1c59bd2fea5a3bcb7e1489c841ac0b57503c821a4e1b9c55d
SHA512 f128d08b07e2852cfffcdacf1236a033149bfa21fc7213032de79d4a624f5b51e1540161394e57d1e0411dacb80d980199e667a4ce4d3f801c3c94193031c6ec
-
Filesize 323KB
MD5 78d855807203cd4f670f0ca1f762c3c2
SHA1 471c6763f0aa3f49a0123c223e4b4f78a6e3d183
SHA256 9f8b27c3d9f3440d1d5059de3923d246faca953e5dc9543043f038fbf53fc890
SHA512 e6c24b9b7afb6219160449183de99b899370bfcc27b76666f84b6a19cb3d9372293bd3f7ebb79fa9df0dc89dee3b27ad728771f30c88b7bc5603525eb6938884
-
Filesize 323KB
MD5 9567bc239c76586a73f4be61c2c2a7b6
SHA1 5b313f5580cd2ac815f6cb7bac1f9cc7a4dd45f6
SHA256 8efb2c84d8aa5520931fa50078092234cbb9e0181dfa7ac4ce326833e4630f2f
SHA512 03d45b3612b3822b9e3a7247beb658ebdd3bca21ef44cc23e1502f3f44ae5522f069a603442f268f8bff390f307c977eb71063151aa99950ab77af6570609b43
-
Filesize 323KB
MD5 e6023599c93ba4fa5930c842086bb37e
SHA1 f26858ffcf34362f79624d678e6198cb35eb6684
SHA256 911c41fd50dd654590c831c33030ecb5e2f130f35014449f19f96eb0aa658f14
SHA512 973148103d0ec6877920a261a20b3578a16128d3a2ca72320dd40ebcb40ae4a57e70284bae3df226ac36ddc634a5fc3667e291851e6bb5131b65232d4e84b87a
-
Filesize 323KB
MD5 2db65f7aef28b712ab361f7a53ecff78
SHA1 45a93b1c0a8790f3c502fc362b2598eb115c8589
SHA256 72734ce3c2040ed6a3e8f4417374016ad1cfd2b6ff6c46350e76d7d6d139610b
SHA512 970a6f0cc258a70889dbcd516bb786cbcb03678cba0afd00a2253c7359d3ca44c1b96527766758fb8225d441f1c3b1bddb489f6d5b87dee4088c6373ab4b6b4a
-
Filesize 7KB
MD5 d7f9d9553c172cba8825fa161e8e9851
SHA1 e45bdc6609d9d719e1cefa846f17d3d66332a3a0
SHA256 cd2e513851d519098acef16d191188ac2586d2174dfd1a84f4db7f41a6970086
SHA512 a03a806d9db86c0c4f6f8efc4b40008aa51f1625fc1c703a929bfa57a5caf962119b3c76044775af607d4ee1a8a671e1d0a2be66d19ee551717398f9ddc8ad24
-
Filesize 323KB
MD5 76a99badbb754728d8422274e859fdad
SHA1 77ac04017315a69f6e49693405713427aa522952
SHA256 b09ee6f26a4cf4cd4d23d7be78a612a5284cc56baa923f09347212078152f931
SHA512 291f3816ad9a933e0b0c5d03d57c1f151679bb8bb5827eea3c4e19dba6ffe48c3e450fa972753293b0408554003cd681d9935f88c8ca6ecae2c8330069b7c29c
-
Filesize 323KB
MD5 797f37357d4557724cee1e6756471b95
SHA1 cfee9bd86a60fdbf4dbd223a1812a4dad8cfc2fb
SHA256 ed2b1d0ad83f763c5ce3743509217555da4fd8609b483a9915df1237d87092c6
SHA512 ec53a0a896a48b64a393dc84ac1c2c64e1a10f95e53f5a350446f186aabf558ce1fbbb824d1345a3c2996c4e521cb448105d247cac0b6bdb9ef913fd2417f835
-
Filesize 323KB
MD5 57d142a1aa2ed32b1451d3fdb530fabe
SHA1 a6180aa790cee55684251ec46fe1af9a28913145
SHA256 f3088d7209af326aec5c650e93ff3aacfec8f45279b9a7fd4cd5cee8c7aa7689
SHA512 44f563bbdf424fc42c28fc46fcd8a9761eb6db37fa63ab43657c1ede7ea2654b487230a5d36d8c69c17d979a78f47377946b30b9791d0a055fec4c33261aa31f
-
Filesize 323KB
MD5 c682870a91e4755041fd83ee00ec4173
SHA1 e0ec782af54344f15499d3aea77cc78e782b53bb
SHA256 39f11674b5b92dc2e8ef11ab87fb6211c3d5a15ec7562352638fcdc122ef9d76
SHA512 e652848c02da02279364a3a5d3efe1589a98074b2ee39b3364295f28e71484daf3e250c773f6531649ce01833a123581ab89ae98df5b8585eb9b5be1865fbbcd
-
Filesize 323KB
MD5 6338bb628432233c458f68bb80fba9f2
SHA1 bd4a348f3caea05657da64092727006855a5b641
SHA256 7160481998778a7dee853fdf7324b364c273b45224bac2c43b9ae7807db09ea8
SHA512 a659eaff02dc5eb0bbc9f6457a5a15489469bc37a259a6a6e4adc9b0ba67d56450999d477347bad2851531c1405608512ff7e5af26d6e01ccec10d6183436117
-
Filesize 323KB
MD5 77c1adfcc61476018ad04a8a253a02c1
SHA1 0e7109fa84e9f5e571a3c1efdf0bce4a9fb0eb6c
SHA256 31a26ddb73b44e23f1accf1ac4eb5011671307e1928dad5ceeb9f08e0640363d
SHA512 2065ebd4a5a7e8c92adcf0d7d811111d17cedc08762c058dc4a209738a2d349d53023a11c0776791003cd625d218b2577845ac108ca7f7542aa827955aca2485
-
Filesize 323KB
MD5 de3b6b64671e962dabca1be57ef1b52e
SHA1 1daa4b03de047091df15309c7614a969cc62b651
SHA256 a9cb40df1221ad69a8da42f0650ae94566db803cabeb3ad01503c5239a16e363
SHA512 50ce64d5fed582e0641e188807e14e3553f8b8330eff8ba478918b6b18ea45676bb03978dd825699eed1074a7a2b2da329d5d8da350b82250a314d67edce06ca
-
Filesize 2KB
MD5 43be35d4fb3ebc6ca0970f05365440e3
SHA1 87bc28e5d9a6ab0c79a07118ca578726ce61b1bc
SHA256 5a15c1aab77f132e7ce5928996919ed66564c6082a7f94d0a42229c480113fc5
SHA512 b2e24ff3702805d2ff8ecf3ddde8a8e6258965f992f37104c2ed9b763e1448ab32c7609a607e1d90cfba281e7add1e839855656d6453433a42c0d6c8923c9395
-
Filesize 323KB
MD5 27e53c635e248eb4f0cf91ff11528511
SHA1 615877b6d44d9aa8b5666a692af0787df848aec1
SHA256 b189d35a23b627937722f189f1bba2fcbc76f9cca14a74d6feba486adc4e27c9
SHA512 90ed126b491d1be2399a70e68802b343761076a7c35c913d313e9a1324d2ec974f571e02616c9a1e1f5b469c98b581033deceaf0864c6629ce6632a764238034
-
Filesize 323KB
MD5 75e493b2029060a2a3179978dfb2af7a
SHA1 e1459915713c6901cefb35848b02dbe7861fb6db
SHA256 98c834d5f21b64d58ab52e043ef4cd8a6b3acb5ede20142a8597c7cd32f4b0e5
SHA512 43c4b626c3d48418bb2b183e3bf302c95f1af4dc9a643251dcbef2fc81ebfb9a95b3f6149975b9bf2b960d0f22551a33217e29d50bda81886c4a37b83430a74c
-
Filesize 3KB
MD5 8482935ff2fab6025b44b5a23c750480
SHA1 d770c46d210c0fd302fa035a6054f5ac19f3bd13
SHA256 dcbcdce04483e9d2d8a5d7779b18b7f64cfc06e758b07f671493e38dfb9ab33c
SHA512 00c711d815815a88fc15f73c8cba6a81b2bfc505baff2cc67b456545151fe896029f11127e447c9bbc5a2d5dc561a06a52be9a9f9c0d28e98ea4e174cdd54398
-
Filesize 323KB
MD5 325fc97d593816075a36532e9a523401
SHA1 93de570bcc059c9f783fb9515ea5d1c56d67a35e
SHA256 37e133ef24fac0497d384907f12470f85b13aa7cae3c88af1d262a8e51cde0ab
SHA512 eae3bebd6e998a50f7614535b8a6027643473df69022ace28a0163c25b6a2e815bb423cf6c26c92b7375879d4dee0b2b1f088df04e72429018023008076dcf3e
-
Filesize 323KB
MD5 db9326532d668817369367bcd64bda31
SHA1 cb691c44ce5a4c783202eb67cf610fe9d58cfc18
SHA256 ad5ae8dc993dc7a9929e7ba533a49875d00f68caed2f6b9db7108b84073fbf6e
SHA512 71a43675a62bc504ab4f4e62397d2df685f50968067ce2446620d598174beefd394e4b821462e386eedd685f03f75deb8424a80b65c33e8b94a39d473d794621
-
Filesize 323KB
MD5 a42f1536e9e6582d6bf0dfbe38f91e1c
SHA1 386386955044977ed565ad97ec874bb89e7c1041
SHA256 fedc5431c39587e8bc7bf31fe8ce2b4407646a3d1fba5b9a91c560f30bd8df31
SHA512 28bb226d290a9d8c835e09cc76ceedae76ffcae3f9523e232553bc388a75d4fba765c29a0930013fd644c24411313b70604a0b07ea8017f71eae675646a71cb3
-
Filesize 323KB
MD5 bfb752f0f76bf7830fa155304e05940d
SHA1 fce85c92e0ddd08a23a53a8e643bd9d122ae7fd9
SHA256 cf4148aa434be83c8c7bfc9827d0922d60aa5618761926b93b766ead504ed6af
SHA512 fb6568f4f7a7cc5ace20754c4be46f0bce5e061da8098c3e17e4607f2c7c75bf98ab2ad7027eb700e2c13ba7759645ddaf6654fd889debf5629d37f637403edf
-
Filesize 323KB
MD5 e6cfb8b61a79b930851da25468efd3fe
SHA1 db5eae8dd62d71c1e0496a60efae40a0797ad178
SHA256 00c55d39e25b2122ec9c220aeddcc2d906f1af3b644463d44ea944c8b2a5437e
SHA512 c83ef1e2455e51053daa382dcee922804661cb9f403acab415b51a7bf6c6d35b23a06b4ba442cbd29cbac92fa4861cf9dfef9016b27d17fd5537f27c5f9f7a7f