Analysis

  • max time kernel
    60s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-10-2024 03:40

General

  • Target

    f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe

  • Size

    323KB

  • MD5

    2ee5d033251bd5e2cd7d054af3776ddf

  • SHA1

    10bd08a006c8bba819a154ba74429cc2a034e7fe

  • SHA256

    f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65

  • SHA512

    fd92a3fe53c84cb0e975b97b2a61ef6442d24b51a9ecfd74169ab28c9c747be6a7ee32fee5093b7e95509f5544b786b49396feb560449800969df3f01358adda

  • SSDEEP

    6144:FBxeN/Tdx8YzL+4eBDgelLBL9C53TV5n+yNXavM:FBxe9dx8Yz6nhtL9C53TV5n+4av

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • UAC bypass 3 TTPs 6 IoCs
  • Disables RegEdit via registry modification 12 IoCs
  • Disables Task Manager via registry modification
  • Disables cmd.exe use via registry modification 12 IoCs
  • Disables use of System Restore points 1 TTPs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
  • Executes dropped EXE 10 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Enumerates connected drives 3 TTPs 44 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 47 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 45 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 4 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • System policy modification 1 TTPs 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe
    "C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • UAC bypass
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Event Triggered Execution: Image File Execution Options Injection
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3952
    • C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
      C:\Windows\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3864
      • C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        C:\Windows\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4304
      • C:\Windows\SysWOW64\Kantuk.exe
        C:\Windows\system32\Kantuk.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Enumerates connected drives
        • Drops autorun.inf file
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:2476
      • C:\Windows\SysWOW64\4K51K4.exe
        C:\Windows\system32\4K51K4.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:5112
      • C:\Windows\SysWOW64\K0L4B0R451.exe
        C:\Windows\system32\K0L4B0R451.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:4464
      • C:\Windows\SysWOW64\GoldenGhost.exe
        C:\Windows\system32\GoldenGhost.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:1108
    • C:\Windows\SysWOW64\Kantuk.exe
      C:\Windows\system32\Kantuk.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4444
    • C:\Windows\SysWOW64\4K51K4.exe
      C:\Windows\system32\4K51K4.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4696
    • C:\Windows\SysWOW64\K0L4B0R451.exe
      C:\Windows\system32\K0L4B0R451.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3476
    • C:\Windows\SysWOW64\GoldenGhost.exe
      C:\Windows\system32\GoldenGhost.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3168

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Aut0exec.bat.tmp

    Filesize

    323KB

    MD5

    87e8b7ac13971e17992b59a380c3ae13

    SHA1

    0f88fb8409441ab2467b28ba9ed9192acb0df8fb

    SHA256

    9cead2140923e2c2e97e79949ebe31d6ab26882fc77a91e5b2e6c22f544fed37

    SHA512

    5fd5a7e6fe872038462a95ceb6eae4946d6388c7eb49815202a7e211b0d611acd123ed62c142f03ecfe3551e37c21d7170d3ccfc6b8b9bb5d310c8c518838f6b

  • C:\Aut0exec.bat.tmp

    Filesize

    323KB

    MD5

    bb901c4619f7e5a5b2869825d72b1855

    SHA1

    d4e50db07897f907e0a72d51d76c2d1e596ece6b

    SHA256

    6af25019a51befd49535fb83ed1cc2400a6c7a88db14df9a8e98ee0e671847d4

    SHA512

    65ad36fdcafa521588a0b0590580b89d6cf0f8faff12f014290d18fb036e58b047f888576347b5e5722bea131932482644df58f8cdd1f2b6b6ac190d864db49e

  • C:\Aut0exec.bat.tmp

    Filesize

    323KB

    MD5

    2a70e414ca3b4b5a1a18653b306b5334

    SHA1

    4f8b59cb9b3fcfabfcc7a168145d9a9d940f8d2c

    SHA256

    896199a6fb23aaa4cc3a4bce5bc758b7a03ae09062b02ed5fac3afab13928e7a

    SHA512

    ac57e6ed5cefec5c9c0e791da001854c72638acc28cc27c6834796a42e712c9e7e3d190b6472a51fff29c8045b1aa2b95792dd2dc719782de6d1fa710126686f

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Empty.pif

    Filesize

    323KB

    MD5

    db789fe45c9726936e9f222452e6cc88

    SHA1

    e286eeaa8c4acba745d0a7ac4a7d930d0242ad90

    SHA256

    cf117b9e23812598d7332a432d608c9d0b66dc0a74e934fdcece29521e8ccc61

    SHA512

    f316a57734f5bb4d2ae3bc7587efa30bdc6944195e1d7aced138a5f94e461cf0228203945f8b05490799386d77639849b4ca1409cd8a46e75691a16233a5e0ec

  • C:\Users\Admin\AppData\Local\Temp\Windows_3D.scr.tmp

    Filesize

    323KB

    MD5

    040a578186422ff0a4e5d67fde32e3ed

    SHA1

    4e1bf520975c7c362842fbd9f989ae993df576bb

    SHA256

    1bab0f583a2999f3265f290bf63f97a29c78c0cf88aaab0752ee940580d56306

    SHA512

    3e399cf3a58c965d21ad607fa9f662d6b6816d282ffc4e0fee73bb82943a5e0d4ae2da2cb76a27f82e106ba3d498c3b41257b8eb6531edff267097daf96c1d71

  • C:\Windows\SysWOW64\4K51K4.exe

    Filesize

    323KB

    MD5

    5cb2b14c8826fe2f7405c78b2f76ac52

    SHA1

    65f7a5295f040e347f74a10e8ce0d6a9acc07382

    SHA256

    e33a799dde40114ecbdd8262c51bd08dba3e43f06a8bb8bddd405acb6c5fa79d

    SHA512

    ae5af821436988aada4ad2cc48510dddc9635cf737d62f2f6fbd4995015b052ce3519938bdb3e48d48e34f65835c370667379b1352a958d9f3db8c60c1a71b7b

  • C:\Windows\SysWOW64\4K51K4.exe.tmp

    Filesize

    323KB

    MD5

    07a32d8131faa9521b187e33f3a445fa

    SHA1

    7819b4b38b3fbc32ffee5feedf55d17c34a130af

    SHA256

    1630c7ac077ab4f47f8c2def6d1925bbad30d45bcc7be83c0c812095de68b153

    SHA512

    f1474e0aefd686e5c3c76c52317f4f39ecbe88d8cd694b0686c19f7c3bc067b4c8a407183f4bb71ce3ac58659e3783420378c14d61c102eef7f1d760a700cb0b

  • C:\Windows\SysWOW64\4K51K4.exe.tmp

    Filesize

    323KB

    MD5

    e6023599c93ba4fa5930c842086bb37e

    SHA1

    f26858ffcf34362f79624d678e6198cb35eb6684

    SHA256

    911c41fd50dd654590c831c33030ecb5e2f130f35014449f19f96eb0aa658f14

    SHA512

    973148103d0ec6877920a261a20b3578a16128d3a2ca72320dd40ebcb40ae4a57e70284bae3df226ac36ddc634a5fc3667e291851e6bb5131b65232d4e84b87a

  • C:\Windows\SysWOW64\Folder.ico

    Filesize

    7KB

    MD5

    d7f9d9553c172cba8825fa161e8e9851

    SHA1

    e45bdc6609d9d719e1cefa846f17d3d66332a3a0

    SHA256

    cd2e513851d519098acef16d191188ac2586d2174dfd1a84f4db7f41a6970086

    SHA512

    a03a806d9db86c0c4f6f8efc4b40008aa51f1625fc1c703a929bfa57a5caf962119b3c76044775af607d4ee1a8a671e1d0a2be66d19ee551717398f9ddc8ad24

  • C:\Windows\SysWOW64\GoldenGhost.exe

    Filesize

    323KB

    MD5

    db5e99743be48658b8f15e49a17d0a04

    SHA1

    0b9e00404e58933c8ed40aa7b492d44bc5f3b8f8

    SHA256

    e9128ac4df407603f6fede5caeed33a05115e51b4c0271a19ca2198ccbd8ba5a

    SHA512

    4db953da9711d6658132c62541462af36560f1fe3d8217cb0d4c8d374ba7eed4041f70f7bdc706597b8e84c30fb9305576aadd28be1f17503b4bca0eeb9afe58

  • C:\Windows\SysWOW64\GoldenGhost.exe

    Filesize

    323KB

    MD5

    2ee5d033251bd5e2cd7d054af3776ddf

    SHA1

    10bd08a006c8bba819a154ba74429cc2a034e7fe

    SHA256

    f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65

    SHA512

    fd92a3fe53c84cb0e975b97b2a61ef6442d24b51a9ecfd74169ab28c9c747be6a7ee32fee5093b7e95509f5544b786b49396feb560449800969df3f01358adda

  • C:\Windows\SysWOW64\GoldenGhost.exe.tmp

    Filesize

    323KB

    MD5

    08bd03410ddfcce3240ade7bf09eff7f

    SHA1

    3c448345fe1a017926976f574458bcecb54e3ffd

    SHA256

    e534161b8444d107631d11c4408bee8f509c43b144b78f8564e5ca33016fe8aa

    SHA512

    680ac6ec5a1c060ea407abc622322ad2cf35d590038e2c146cc2c147c0e4703de5771ca71eec8e56dab3690247a303fdd4d4062c96b8942207ca72fb46f9381e

  • C:\Windows\SysWOW64\GoldenGhost.exe.tmp

    Filesize

    323KB

    MD5

    797f37357d4557724cee1e6756471b95

    SHA1

    cfee9bd86a60fdbf4dbd223a1812a4dad8cfc2fb

    SHA256

    ed2b1d0ad83f763c5ce3743509217555da4fd8609b483a9915df1237d87092c6

    SHA512

    ec53a0a896a48b64a393dc84ac1c2c64e1a10f95e53f5a350446f186aabf558ce1fbbb824d1345a3c2996c4e521cb448105d247cac0b6bdb9ef913fd2417f835

  • C:\Windows\SysWOW64\GoldenGhost.exe.tmp

    Filesize

    323KB

    MD5

    9a85969ec9284972c4f159941ecee304

    SHA1

    63abb6ea77be97f03e243fb310eb352eb6674114

    SHA256

    2eff4c9994cb1e9b9c1aa91abf7b2c2b84ffb6a3724b713fcd84271123a75662

    SHA512

    bf26c84ba62cc4b8a9032249b5bf4246c49c79390bce376ae25b5e08bf000e7a33c8172a11f5132dceb235615b203a9123343839aa85748c66594a3fe97ccd2a

  • C:\Windows\SysWOW64\K0L4B0R451.exe

    Filesize

    323KB

    MD5

    88896ec68addbd4bb3e9c995803abcd9

    SHA1

    01354852b8193ab3af52f12cc3e09f7b2037826e

    SHA256

    0de43b001c71ee5db845b1381a500d0dc3e937d05407c77e425b2ce0dfd69333

    SHA512

    b33c45d1bba97a44c09689af0a70b4c66446251bfd3711861ac0f0a9dcce463a7651c242d900e9fd0acb613141dc13521d3c0cc2a3ec1143392532008cd499df

  • C:\Windows\SysWOW64\K0L4B0R451.exe.tmp

    Filesize

    323KB

    MD5

    31dcb843a894ac83143757cf0c0cd37a

    SHA1

    4d97ec9d36bc52791c60b9110c9ac2c8ad85f447

    SHA256

    b9da45f40825c808cca6b4b17f8b10a769b24c4ef4db34b60efb1eca1f5ac890

    SHA512

    6f8402a0df62dac5d5055fda9e98e2f8a0edfd2a685a0f96b5cc41decb9309fa54d1004775c40894ccf0235e002bc2e7b5af5173fabb801bd26e6ee72a7d3214

  • C:\Windows\SysWOW64\K0L4B0R451.exe.tmp

    Filesize

    323KB

    MD5

    437d8d40c129d4c8fea9d08ca360e497

    SHA1

    208cb77b70cd3c2b5c77f9efa776880f5901005a

    SHA256

    43d9154b828e4876531688ca4bf8a169c9abfb1530f4941577a6ada4a85c76a9

    SHA512

    2ec83b614c2b122cc78427953a7b032df9244b18753e851f57d383746f8195d217a99bd5c3729108053d1aaa00f5f3384eca7309ca1a8a14b4ae034a404b069c

  • C:\Windows\SysWOW64\Kantuk.exe

    Filesize

    323KB

    MD5

    6b9049d1b4bc55475d602fac84ea1dad

    SHA1

    e1ba75ff4e3c987c6efd7c7e6352c34262b466ff

    SHA256

    c3adf46f32ec8507591ddc393459eee75220d0a7a8c8a7520ac7f7594dde5fa9

    SHA512

    44f8e6eec19acc2f2bbaf30d327e37895ae8efca6a7cb360038116d0e7fdc62a83df0cc0fecff41bbb6cdd03039a8dd8008162cda28bbebe075079b566bb798e

  • C:\Windows\SysWOW64\Kantuk.exe.tmp

    Filesize

    323KB

    MD5

    5ae79194ff2d3e6e4c11de1ee4e7d486

    SHA1

    2347db7d3518c70c8f6550738ede60c5461bf05b

    SHA256

    85f10cd51e3e36c57c6b5bc16074014cd06e7573bd15468666db299c9f6f618b

    SHA512

    f694d0ff2d62fb5f810c36f9cb6044883d262397b0ec779c6a846bb6763508474736a387970c8081f643b749af5d9c27d70176543409c7aee42fcc110bda5ad3

  • C:\Windows\SysWOW64\Kantuk.exe.tmp

    Filesize

    323KB

    MD5

    ad516115f171c1de7711bf158900cbb8

    SHA1

    7155b3e198806f2a23b2fad4b1b34cd062d5c679

    SHA256

    f9219cfcbaba725dab4681f0b334eb35157d566842e56377402bc0bb6aae7554

    SHA512

    02b1e0afb302738399d91ab90f8700efc736bfadf94d622c6c13d89d0bc2514cabd4f12d894c0662b0422aafcf90749e806614652a7d4e8b8e6044f609c66050

  • C:\Windows\SysWOW64\Kantuk.exe.tmp

    Filesize

    323KB

    MD5

    77c1adfcc61476018ad04a8a253a02c1

    SHA1

    0e7109fa84e9f5e571a3c1efdf0bce4a9fb0eb6c

    SHA256

    31a26ddb73b44e23f1accf1ac4eb5011671307e1928dad5ceeb9f08e0640363d

    SHA512

    2065ebd4a5a7e8c92adcf0d7d811111d17cedc08762c058dc4a209738a2d349d53023a11c0776791003cd625d218b2577845ac108ca7f7542aa827955aca2485

  • C:\Windows\SysWOW64\Player.ico

    Filesize

    2KB

    MD5

    43be35d4fb3ebc6ca0970f05365440e3

    SHA1

    87bc28e5d9a6ab0c79a07118ca578726ce61b1bc

    SHA256

    5a15c1aab77f132e7ce5928996919ed66564c6082a7f94d0a42229c480113fc5

    SHA512

    b2e24ff3702805d2ff8ecf3ddde8a8e6258965f992f37104c2ed9b763e1448ab32c7609a607e1d90cfba281e7add1e839855656d6453433a42c0d6c8923c9395

  • C:\Windows\SysWOW64\Shell32.com

    Filesize

    323KB

    MD5

    d674ecbd025b128b87a5f74e1624d255

    SHA1

    eef4af3ae28f2d425168a781cccf1c7365fd32a2

    SHA256

    7fce944e57975cae620479744601b8ff5c1f95ff13258a2f6a13c3823de7bd3d

    SHA512

    edead55af22b8c1748be27b2903439e3aa967a3862fe9c510f58d27d4b59da920551b8cce5c446eb86996386374cca58fdaf9a4d82945d1b0a2e46bb9a2d2301

  • C:\Windows\SysWOW64\Shell32.com.tmp

    Filesize

    323KB

    MD5

    c2272951c3adf8164ede603400dac5c9

    SHA1

    e181657d5ce2d96cca10d6978d16bb971eb01448

    SHA256

    9d09efb16acbb204aa02118cd7f0986aa3a7c6e995cb1ec29dcf905feb6d1cee

    SHA512

    f59e29a3e273583c06e1048a293ca244c747d2963f69ee003fbf74e4c046d98972edcd77391495c36bd4ede74fe6b0c0842588efb0795b983b969a79762bacd1

  • C:\Windows\SysWOW64\Shell32.com.tmp

    Filesize

    323KB

    MD5

    97ac953fff6138d4b96e34cb743644d7

    SHA1

    f1a1ab35fd2910eb7152fb8f308421798f58d47f

    SHA256

    1ffe9186fefed89fb5aff7bfc3a48d05e17357bc6e0083302c7da1edf174d36b

    SHA512

    2b4c6bd254238c7d35eb8631f24436f1cb0bb074d2ce724c7f1007ba00939de48624957560541fd561a34539824c0c0dd3180317b5a895bf52b35a59170025c1

  • C:\Windows\SysWOW64\Word.ico

    Filesize

    3KB

    MD5

    8482935ff2fab6025b44b5a23c750480

    SHA1

    d770c46d210c0fd302fa035a6054f5ac19f3bd13

    SHA256

    dcbcdce04483e9d2d8a5d7779b18b7f64cfc06e758b07f671493e38dfb9ab33c

    SHA512

    00c711d815815a88fc15f73c8cba6a81b2bfc505baff2cc67b456545151fe896029f11127e447c9bbc5a2d5dc561a06a52be9a9f9c0d28e98ea4e174cdd54398

  • C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\JPG.ico

    Filesize

    2KB

    MD5

    62b7610403ea3ac4776df9eb93bf4ba4

    SHA1

    b4a6cd17516f8fba679f15eda654928dc44dc502

    SHA256

    b0fd7ffb4c8f0e4566658a7284ca0652961648aaab44a53c5b9713664b122c29

    SHA512

    fa1995a21ffe073a15fa00a3a8717492b0a67f3615abe4c7e6bce054bb23cf545e10e21cfe3625b665c8bb199577815dbeccc7c6107cdb49f673b8d53f23888d

  • C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

    Filesize

    323KB

    MD5

    cc885153b41911b0d3b4ce39c285cd6a

    SHA1

    2b12bba90c35c29fa08955a53d9e35f397ecedb7

    SHA256

    488d510ccd90a7fea4ffa9d7e8f40ebb7783f91fab8f8d1a193b6adeb2d45a46

    SHA512

    780eb9f8893956d117b5f701fb9cdd0d2cf9868d189920ebdb834460c1d81ebe71e053cafea5e570c792151f4a6f16bb57a1df7aae86ad152a3e2227603a5dca

  • C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe.tmp

    Filesize

    323KB

    MD5

    5d4d61e136bf12db7d1f40329be37cee

    SHA1

    da55c8435bc01ec8e05f080e3c3962913c1cd6eb

    SHA256

    1ee6f2cb166461bed3557cef773ca5de328970a81584585e6eb9d5a3cd7fc682

    SHA512

    b29262525b61c91d4d120e2150df85446e10dbbeb877951209b36cca219494b20525324ea7b1f57256709c395465c68a9d07b6e3a76994d51050153086c15b4e

  • memory/1108-341-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

  • memory/2476-312-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

  • memory/3864-207-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

  • memory/3952-0-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

  • memory/4464-335-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

  • memory/5112-318-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB