Analysis

  • max time kernel
    50s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-10-2024 03:40

General

  • Target

    f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe

  • Size

    323KB

  • MD5

    2ee5d033251bd5e2cd7d054af3776ddf

  • SHA1

    10bd08a006c8bba819a154ba74429cc2a034e7fe

  • SHA256

    f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65

  • SHA512

    fd92a3fe53c84cb0e975b97b2a61ef6442d24b51a9ecfd74169ab28c9c747be6a7ee32fee5093b7e95509f5544b786b49396feb560449800969df3f01358adda

  • SSDEEP

    6144:FBxeN/Tdx8YzL+4eBDgelLBL9C53TV5n+yNXavM:FBxe9dx8Yz6nhtL9C53TV5n+4av

Malware Config

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
  • Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)
  • UAC bypass (3 TTPs, 6 IoCs)
  • Disables RegEdit via registry modification (12 IoCs)
  • Disables Task Manager via registry modification
  • Disables cmd.exe use via registry modification (12 IoCs)
  • Disables use of System Restore points (1 TTP)
  • Event Triggered Execution: Image File Execution Options Injection (1 TTP, 64 IoCs)
  • Executes dropped EXE (10 IoCs)
  • Loads dropped DLL (20 IoCs)
  • Modifies system executable filetype association (2 TTPs, 64 IoCs)
  • Adds Run key to start application (2 TTPs, 12 IoCs)
  • Checks whether UAC is enabled (1 TTP, 6 IoCs)
  • Enumerates connected drives (3 TTPs, 44 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file (1 TTP, 2 IoCs)

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory (47 IoCs)
  • Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  • Drops file in Windows directory (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 11 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel (45 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (4 IoCs)
  • Suspicious use of SetWindowsHookEx (11 IoCs)
  • Suspicious use of WriteProcessMemory (40 IoCs)
  • System policy modification (1 TTP, 48 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
    "C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • UAC bypass
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Event Triggered Execution: Image File Execution Options Injection
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1072
    • C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
      C:\Windows\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1220
      • C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        C:\Windows\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:348
      • C:\Windows\SysWOW64\Kantuk.exe
        C:\Windows\system32\Kantuk.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Enumerates connected drives
        • Drops autorun.inf file
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:2952
      • C:\Windows\SysWOW64\4K51K4.exe
        C:\Windows\system32\4K51K4.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:1916
      • C:\Windows\SysWOW64\K0L4B0R451.exe
        C:\Windows\system32\K0L4B0R451.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:2892
      • C:\Windows\SysWOW64\GoldenGhost.exe
        C:\Windows\system32\GoldenGhost.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:292
    • C:\Windows\SysWOW64\Kantuk.exe
      C:\Windows\system32\Kantuk.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2268
    • C:\Windows\SysWOW64\4K51K4.exe
      C:\Windows\system32\4K51K4.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1284
    • C:\Windows\SysWOW64\K0L4B0R451.exe
      C:\Windows\system32\K0L4B0R451.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2468
    • C:\Windows\SysWOW64\GoldenGhost.exe
      C:\Windows\system32\GoldenGhost.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2068

Network

MITRE ATT&CK Enterprise v15

Downloads
