Malware Analysis Report

2025-01-22 20:18

Sample ID 241020-d8gzkayfrq
Target f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65
SHA256 f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65
Tags: discovery evasion persistence ransomware trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65

Threat Level: Known bad

The file f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65 was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence ransomware trojan

Modifies WinLogon for persistence

UAC bypass

Modifies visibility of file extensions in Explorer

Disables RegEdit via registry modification

Disables Task Manager via registry modification

Disables use of System Restore points

Disables cmd.exe use via registry modification

Event Triggered Execution: Image File Execution Options Injection

Loads dropped DLL

Modifies system executable filetype association

Executes dropped EXE

Enumerates connected drives

Checks whether UAC is enabled

Adds Run key to start application

Sets desktop wallpaper using registry

Drops file in System32 directory

Drops autorun.inf file

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Modifies Control Panel

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

System policy modification

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-20 03:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-20 03:40
Reported: 2024-10-20 03:43
Platform: win7-20240729-en
Max time kernel: 50s
Max time network: 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\"" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\"" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\"" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\"" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\"" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\"" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\Kantuk.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A

Disables Task Manager via registry modification

evasion

Disables cmd.exe use via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A

Disables use of System Restore points

evasion

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Niu.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nip.exe C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcoas.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcoas.exe C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CClaw.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\Debugger = "notepad.exe" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avguard.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CClaw.exe C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\Debugger = "notepad.exe" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.exe\Debugger = "notepad.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avgw.exe C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nipsvc.exe C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avguard.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\Debugger = "notepad.exe" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nip.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Njeeves.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Njeeves.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvccf.exe C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CClaw.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Njeeves.exe C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nipsvc.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avguard.exe C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvccf.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avguard.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CClaw.exe C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcoas.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav.exe C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcoas.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-SE.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.exe C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avgw.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nip.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvccf.exe C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe\Debugger = "notepad.exe" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.exe\Debugger = "notepad.exe" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avgnt.exe C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvccf.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe C:\Windows\SysWOW64\GoldenGhost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File" C:\Windows\SysWOW64\4K51K4.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\GoldenGhost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\4K51K4.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\K0L4B0R451.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File created C:\autorun.inf C:\Windows\SysWOW64\Kantuk.exe N/A
File opened for modification C:\autorun.inf C:\Windows\SysWOW64\Kantuk.exe N/A
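An added check, written by the editor and not part of the sandbox report: the two tables above already show that C:\Windows\SysWOW64\K0L4B0R451.exe and C:\Windows\SysWOW64\Kantuk.exe each open the same 22 drive letters (B, E and G through Z; A, C, D and F are never touched) and that Kantuk.exe is also the process that writes C:\autorun.inf, the pairing one expects from a removable-media spreader. The script below parses the rows verbatim and makes that explicit. The 20-letter threshold and the "spreader candidate" label are the editor's heuristics, and the four untouched letters should be compared against the sandbox's real drive layout, which this report does not show.

```python
import re
import string
from collections import defaultdict

# Constructed input: the 44 "Enumerates connected drives" rows and the two
# "Drops autorun.inf file" rows of this report, copied verbatim.
DRIVE_ROWS = r"""
File opened (read-only) \??\H: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
"""

AUTORUN_ROWS = r"""
File created C:\autorun.inf C:\Windows\SysWOW64\Kantuk.exe N/A
File opened for modification C:\autorun.inf C:\Windows\SysWOW64\Kantuk.exe N/A
"""

# One row of the sandbox table: operation, \??\<letter>: device path, process image, target.
DRIVE_RE = re.compile(r"^File opened \(read-only\) \\\?\?\\([A-Z]): (\S+) N/A$")
AUTORUN_RE = re.compile(
    r"^File (?:created|opened for modification) (\S+[\\/]autorun\.inf) (\S+) N/A$", re.IGNORECASE
)


def drive_sweep(rows: str) -> dict[str, set[str]]:
    """Map each process image to the set of drive letters it opened."""
    probed: dict[str, set[str]] = defaultdict(set)
    for line in rows.strip().splitlines():
        m = DRIVE_RE.match(line.strip())
        if m:
            probed[m.group(2)].add(m.group(1))
    return dict(probed)


def untouched_letters(probed: set[str]) -> set[str]:
    """Letters a process never opened; check these against the sandbox's actual drive map."""
    return set(string.ascii_uppercase) - probed


def autorun_droppers(rows: str) -> set[str]:
    """Processes that created or rewrote an autorun.inf at any path."""
    droppers = set()
    for line in rows.strip().splitlines():
        m = AUTORUN_RE.match(line.strip())
        if m:
            droppers.add(m.group(2))
    return droppers


def spreader_candidates(drive_rows: str, autorun_rows: str, min_letters: int = 20) -> set[str]:
    """Editor's heuristic: a process that sweeps nearly the whole letter range AND writes
    autorun.inf is behaving like a removable-media spreader."""
    sweep = drive_sweep(drive_rows)
    droppers = autorun_droppers(autorun_rows)
    return {p for p, letters in sweep.items() if len(letters) >= min_letters and p in droppers}


if __name__ == "__main__":
    for proc, letters in sorted(drive_sweep(DRIVE_ROWS).items()):
        print(f"{proc}: {len(letters)} letters, untouched {sorted(untouched_letters(letters))}")
    print("spreader candidates:", sorted(spreader_candidates(DRIVE_ROWS, AUTORUN_ROWS)))
```

On a live host the same question is answered by listing the volumes that actually exist and checking each removable one for an autorun.inf whose open= or shellexecute= line points at a dropped binary; here the rows are the only evidence available, so the script stays with them.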

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File created C:\Windows\SysWOW64\Folder.ico C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File created C:\Windows\SysWOW64\Asli.ico C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\K0L4B0R451.exe C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File opened for modification C:\Windows\SysWOW64\Shell32.com C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File created C:\Windows\SysWOW64\Folder.ico C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File opened for modification C:\Windows\SysWOW64\K0L4B0R451.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~ C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File opened for modification C:\Windows\SysWOW64\GoldenGhost.exe.tmp C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File opened for modification C:\Windows\SysWOW64\Kantuk.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\GoldenGhost.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\Kantuk.exe C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File opened for modification C:\Windows\SysWOW64\Kantuk.exe.tmp C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File opened for modification C:\Windows\SysWOW64\Shell32.com.tmp C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File opened for modification C:\Windows\SysWOW64\Shell32.com C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\Kantuk.exe.tmp C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\JPG.ico C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File created C:\Windows\SysWOW64\Word.ico C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\4K51K4.exe C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File created C:\Windows\SysWOW64\Shell32.com C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File created C:\Windows\SysWOW64\Asli.ico C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~ C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\4K51K4.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe.tmp C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\GoldenGhost.exe.tmp C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File created C:\Windows\SysWOW64\Kantuk.exe C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File created C:\Windows\SysWOW64\GoldenGhost.exe C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File opened for modification C:\Windows\SysWOW64\K0L4B0R451.exe.tmp C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File created C:\Windows\SysWOW64\Word.ico C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File created C:\Windows\SysWOW64\Rar.ico C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows_3D.scr C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe.tmp C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File opened for modification C:\Windows\SysWOW64\4K51K4.exe.tmp C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\JPG.ico C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\Shell32.com.tmp C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File created C:\Windows\SysWOW64\Rar.ico C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows_3D.scr C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\GoldenGhost.exe C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File created C:\Windows\SysWOW64\4K51K4.exe C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File created C:\Windows\SysWOW64\K0L4B0R451.exe C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File created C:\Windows\SysWOW64\Player.ico C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File opened for modification C:\Windows\SysWOW64\4K51K4.exe.tmp C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\K0L4B0R451.exe.tmp C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File created C:\Windows\SysWOW64\Player.ico C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\K0L4B0R451.jpg" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\K0L4B0R451.jpg C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\4K51K4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kantuk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\4K51K4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kantuk.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\ C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\ C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s1159 = "K0L4B0R451" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s1159 = "K0L4B0R451" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s2359 = "K0L4B0R451" C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\ C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s2359 = "K0L4B0R451" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\WallpaperStyle = "0" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s2359 = "K0L4B0R451" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\ C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s1159 = "K0L4B0R451" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s2359 = "K0L4B0R451" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\ C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s1159 = "K0L4B0R451" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s2359 = "K0L4B0R451" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s1159 = "K0L4B0R451" C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\ C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s1159 = "K0L4B0R451" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s2359 = "K0L4B0R451" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\TileWallpaper = "0" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100" C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\SysWOW64\Kantuk.exe N/A
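The registry tables in this section (the file-type handler rewrites at the top, the Run keys, the EnableLUA writes and the Control Panel values just above) share one row format, so a single parser can turn them into findings. The following is an added example by the editor, not code from the sandbox or from the sample: it converts the \REGISTRY\MACHINE and \REGISTRY\USER paths to hive notation, folds away Wow6432Node, and compares each shell\open\command against the stock Windows handler ("%1" %* for exefile, comfile, batfile and piffile, "%1" /S for scrfile, and none at all for lnkfile; these defaults and the fact that only lnkfile and piffile ship with NeverShowExt come from the editor's knowledge of a clean Windows install, not from the report). Two caveats a practitioner would want are encoded in it: the rows under "Checks whether UAC is enabled" are writes of EnableLUA = 1, which is the default (UAC on), so they do not weaken UAC and the script only flags a write of 0; and SCRNSAVE.EXE, ScreenSaveTimeOut = 100 and ScreenSaverIsSecure = 0 are reported together, because a .scr is an ordinary PE that the shell launches after the idle timeout, making the dropped Windows_3D.scr a second autostart path rather than a cosmetic change. The sample rows are copied from the tables above.

```python
import re
from dataclasses import dataclass

# Constructed input: one representative row per registry path, copied from the tables above.
ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\SysWOW64\4K51K4.exe N/A
"""

ROW_RE = re.compile(r"^(Set value \((?:str|int)\)|Key created|Key opened) (.*) N/A$")


@dataclass(frozen=True)
class RegEvent:
    op: str       # "Set value (str)", "Set value (int)", "Key created", "Key opened"
    key: str      # HKLM\... or HKU\<SID>\..., with Wow6432Node folded away
    name: str     # value name; "" is the key's (Default) value
    data: str     # unescaped data; "" for key-only operations
    process: str


def normalize_path(path: str) -> str:
    """Rewrite the kernel-style REGISTRY path the sandbox logs into hive notation."""
    path = path.replace("\\REGISTRY\\MACHINE\\", "HKLM\\", 1)
    path = path.replace("\\REGISTRY\\USER\\", "HKU\\", 1)
    return path.replace("\\Wow6432Node\\", "\\")


def parse_rows(text: str) -> list[RegEvent]:
    """Parse 'Description Indicator Process Target' rows; the process image is the last token."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m or " " not in m.group(2):
            continue
        op, body = m.group(1), m.group(2)
        body, process = body.rsplit(" ", 1)
        name, data = "", ""
        if op.startswith("Set value"):
            path, _, raw = body.partition(' = "')
            data = re.sub(r"\\(.)", r"\1", raw[:-1])   # drop closing quote, undo \" and \\
            path, _, name = normalize_path(path).rpartition("\\")
        else:
            path = normalize_path(body)
        events.append(RegEvent(op, path, name, data, process))
    return events


# Stock handlers on a clean Windows install (editor's knowledge, not from the report).
STOCK_OPEN_COMMAND = {"exefile": '"%1" %*', "comfile": '"%1" %*', "batfile": '"%1" %*',
                      "piffile": '"%1" %*', "scrfile": '"%1" /S', "lnkfile": None}
STOCK_NEVERSHOWEXT = {"lnkfile", "piffile"}   # the only classes that hide their extension by default
CLASS_RE = re.compile(r"^HKLM\\SOFTWARE\\Classes\\([^\\]+)(?:\\(.*))?$")


def triage(events: list[RegEvent]) -> list[tuple[str, str, str]]:
    """Return (finding, detail, process) for the registry writes that change execution flow."""
    findings = []
    for ev in events:
        if not ev.op.startswith("Set value"):
            continue
        key_l = ev.key.lower()
        m = CLASS_RE.match(ev.key)
        if m:
            cls, sub = m.group(1).lower(), (m.group(2) or "").lower()
            if sub == r"shell\open\command" and ev.name == "":
                if cls in STOCK_OPEN_COMMAND and ev.data != STOCK_OPEN_COMMAND[cls]:
                    stock = STOCK_OPEN_COMMAND[cls] or "none"
                    findings.append(("handler-hijack", f"{cls}: {ev.data}  (stock: {stock})", ev.process))
            elif sub == "" and ev.name == "":
                findings.append(("type-description", f"{cls}: {ev.data}", ev.process))
            elif sub == "" and ev.name == "NeverShowExt" and ev.data == "1" and cls not in STOCK_NEVERSHOWEXT:
                findings.append(("extension-hiding", cls, ev.process))
        elif key_l.endswith(r"\microsoft\windows\currentversion\run"):
            findings.append(("run-key", f"{ev.name} -> {ev.data}", ev.process))
        elif key_l.endswith(r"\policies\system") and ev.name == "EnableLUA":
            if ev.data == "0":                          # "1" is the default: UAC stays enabled
                findings.append(("uac-disabled", ev.data, ev.process))
        elif key_l.endswith(r"\control panel\desktop") and ev.name == "SCRNSAVE.EXE":
            findings.append(("screensaver-autostart", ev.data, ev.process))
    return findings


def screensaver_profile(events: list[RegEvent]) -> dict[str, str]:
    """The three Desktop values a .scr autostart depends on: binary, idle timeout, lock-on-resume."""
    wanted = {"SCRNSAVE.EXE", "ScreenSaveTimeOut", "ScreenSaverIsSecure"}
    return {ev.name: ev.data for ev in events
            if ev.key.lower().endswith(r"\control panel\desktop") and ev.name in wanted}


if __name__ == "__main__":
    evs = parse_rows(ROWS)
    for kind, detail, proc in triage(evs):
        print(f"{kind:22} {detail}   [{proc}]")
    print("screensaver:", screensaver_profile(evs))
```

Every process in the report rewrites the same handlers, so on a triage host the handler-hijack finding is the one to act on first: while exefile\shell\open\command points at 4K51K4.exe, launching any .exe (including a cleanup tool) routes through the malware, and the Run keys, screensaver and autorun.inf only matter once that is restored.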

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\Install\command C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "logoff.exe" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Edit\Command\ = "logoff.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\NeverShowExt = "1" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\edit\command\ = "logoff.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\Shell\Edit\Command C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\Install\command C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\edit\command\ = "logoff.exe" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\NeverShowExt = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "logoff.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\Install\command C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Install\command\ = "logoff.exe" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\edit\command\ = "logoff.exe" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\Shell C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "K0L4B0R451 File" C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "K0L4B0R451 File" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Edit\Command\ = "logoff.exe" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "logoff.exe" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "logoff.exe" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\Install\command\ = "logoff.exe" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Install\command\ = "logoff.exe" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "logoff.exe" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\Install\command\ = "logoff.exe" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\Install\command\ = "logoff.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\Kantuk.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\4K51K4.exe N/A
N/A N/A C:\Windows\SysWOW64\GoldenGhost.exe N/A
N/A N/A C:\Windows\SysWOW64\Kantuk.exe N/A
N/A N/A C:\Windows\SysWOW64\K0L4B0R451.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1072 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
PID 1072 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
PID 1072 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
PID 1072 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
PID 1220 wrote to memory of 348 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
PID 1220 wrote to memory of 348 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
PID 1220 wrote to memory of 348 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
PID 1220 wrote to memory of 348 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
PID 1220 wrote to memory of 2952 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\Kantuk.exe
PID 1220 wrote to memory of 2952 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\Kantuk.exe
PID 1220 wrote to memory of 2952 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\Kantuk.exe
PID 1220 wrote to memory of 2952 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\Kantuk.exe
PID 1220 wrote to memory of 1916 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\4K51K4.exe
PID 1220 wrote to memory of 1916 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\4K51K4.exe
PID 1220 wrote to memory of 1916 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\4K51K4.exe
PID 1220 wrote to memory of 1916 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\4K51K4.exe
PID 1220 wrote to memory of 2892 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\K0L4B0R451.exe
PID 1220 wrote to memory of 2892 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\K0L4B0R451.exe
PID 1220 wrote to memory of 2892 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\K0L4B0R451.exe
PID 1220 wrote to memory of 2892 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\K0L4B0R451.exe
PID 1220 wrote to memory of 292 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\GoldenGhost.exe
PID 1220 wrote to memory of 292 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\GoldenGhost.exe
PID 1220 wrote to memory of 292 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\GoldenGhost.exe
PID 1220 wrote to memory of 292 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\GoldenGhost.exe
PID 1072 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe C:\Windows\SysWOW64\Kantuk.exe
PID 1072 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe C:\Windows\SysWOW64\Kantuk.exe
PID 1072 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe C:\Windows\SysWOW64\Kantuk.exe
PID 1072 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe C:\Windows\SysWOW64\Kantuk.exe
PID 1072 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe C:\Windows\SysWOW64\4K51K4.exe
PID 1072 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe C:\Windows\SysWOW64\4K51K4.exe
PID 1072 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe C:\Windows\SysWOW64\4K51K4.exe
PID 1072 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe C:\Windows\SysWOW64\4K51K4.exe
PID 1072 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe C:\Windows\SysWOW64\K0L4B0R451.exe
PID 1072 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe C:\Windows\SysWOW64\K0L4B0R451.exe
PID 1072 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe C:\Windows\SysWOW64\K0L4B0R451.exe
PID 1072 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe C:\Windows\SysWOW64\K0L4B0R451.exe
PID 1072 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe C:\Windows\SysWOW64\GoldenGhost.exe
PID 1072 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe C:\Windows\SysWOW64\GoldenGhost.exe
PID 1072 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe C:\Windows\SysWOW64\GoldenGhost.exe
PID 1072 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe C:\Windows\SysWOW64\GoldenGhost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe

"C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe"

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\Kantuk.exe

C:\Windows\system32\Kantuk.exe

C:\Windows\SysWOW64\4K51K4.exe

C:\Windows\system32\4K51K4.exe

C:\Windows\SysWOW64\K0L4B0R451.exe

C:\Windows\system32\K0L4B0R451.exe

C:\Windows\SysWOW64\GoldenGhost.exe

C:\Windows\system32\GoldenGhost.exe

C:\Windows\SysWOW64\Kantuk.exe

C:\Windows\system32\Kantuk.exe

C:\Windows\SysWOW64\4K51K4.exe

C:\Windows\system32\4K51K4.exe

C:\Windows\SysWOW64\K0L4B0R451.exe

C:\Windows\system32\K0L4B0R451.exe

C:\Windows\SysWOW64\GoldenGhost.exe

C:\Windows\system32\GoldenGhost.exe

Network

N/A

Files

memory/1072-0-0x0000000000400000-0x0000000000451000-memory.dmp

C:\Windows\SysWOW64\GoldenGhost.exe

C:\Aut0exec.bat.tmp

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe.tmp

C:\Windows\SysWOW64\Kantuk.exe.tmp

C:\Windows\SysWOW64\4K51K4.exe.tmp

C:\Windows\SysWOW64\GoldenGhost.exe.tmp

C:\Windows\SysWOW64\K0L4B0R451.exe.tmp

C:\Windows\SysWOW64\Shell32.com.tmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif.tmp

C:\Users\Admin\AppData\Local\Temp\Windows_3D.scr.tmp

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe.tmp

C:\Aut0exec.bat.tmp

memory/1220-159-0x0000000000400000-0x0000000000451000-memory.dmp

C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

C:\Aut0exec.bat.tmp

C:\Windows\SysWOW64\4K51K4.exe.tmp

C:\Windows\SysWOW64\Word.ico

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif.tmp

C:\Windows\SysWOW64\Shell32.com.tmp

C:\Windows\SysWOW64\K0L4B0R451.exe.tmp

C:\Users\Admin\AppData\Local\Temp\Windows_3D.scr.tmp

C:\Windows\SysWOW64\GoldenGhost.exe.tmp

C:\Windows\SysWOW64\Kantuk.exe.tmp

C:\Windows\SysWOW64\Folder.ico

C:\Windows\SysWOW64\Player.ico

\Windows\SysWOW64\Kantuk.exe

memory/2952-271-0x0000000000400000-0x0000000000451000-memory.dmp

\Windows\SysWOW64\4K51K4.exe

memory/1916-292-0x0000000000400000-0x0000000000451000-memory.dmp

C:\JPG.ico

memory/2892-300-0x0000000000400000-0x0000000000451000-memory.dmp

\Windows\SysWOW64\GoldenGhost.exe

memory/292-310-0x0000000000400000-0x0000000000451000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-20 03:40

Reported

2024-10-20 03:43

Platform

win10v2004-20241007-en

Max time kernel

60s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\"" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\"" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\"" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\"" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\"" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\"" C:\Windows\SysWOW64\K0L4B0R451.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\Kantuk.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\4K51K4.exe N/A

Disables Task Manager via registry modification

evasion

Disables cmd.exe use via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A

Disables use of System Restore points

evasion

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav.exe C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nipsvc.exe C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcoas.exe C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Njeeves.exe C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.exe\Debugger = "notepad.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav.exe C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Njeeves.exe C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avgw.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avgw.exe C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV.exe C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcoas.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nipsvc.exe C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvccf.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\Debugger = "notepad.exe" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CClaw.exe C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-SE.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcoas.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avguard.exe C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcoas.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-SE.exe C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Niu.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcoas.exe C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avgw.exe C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avguard.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcoas.exe C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Njeeves.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nipsvc.exe C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\Debugger = "notepad.exe" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\Debugger = "notepad.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-SE.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avguard.exe C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\Debugger = "notepad.exe" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CClaw.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Niu.exe C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\Debugger = "notepad.exe" C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nip.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nipsvc.exe C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nipsvc.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.exe C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV.exe C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvccf.exe C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe C:\Windows\SysWOW64\Kantuk.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File" C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\K0L4B0R451.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File created C:\autorun.inf C:\Windows\SysWOW64\Kantuk.exe N/A
File opened for modification C:\autorun.inf C:\Windows\SysWOW64\Kantuk.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Shell32.com C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\JPG.ico C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows_3D.scr C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe.tmp C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\4K51K4.exe.tmp C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File opened for modification C:\Windows\SysWOW64\Shell32.com.tmp C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File created C:\Windows\SysWOW64\Word.ico C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File created C:\Windows\SysWOW64\Asli.ico C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File opened for modification C:\Windows\SysWOW64\Shell32.com.tmp C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File created C:\Windows\SysWOW64\Rar.ico C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File opened for modification C:\Windows\SysWOW64\K0L4B0R451.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\4K51K4.exe.tmp C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File created C:\Windows\SysWOW64\Folder.ico C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File created C:\Windows\SysWOW64\Rar.ico C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\Kantuk.exe C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File created C:\Windows\SysWOW64\4K51K4.exe C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~ C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows_3D.scr C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\Kantuk.exe.tmp C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File opened for modification C:\Windows\SysWOW64\GoldenGhost.exe.tmp C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File created C:\Windows\SysWOW64\Player.ico C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File opened for modification C:\Windows\SysWOW64\Kantuk.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\GoldenGhost.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\JPG.ico C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File created C:\Windows\SysWOW64\Asli.ico C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\4K51K4.exe C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File created C:\Windows\SysWOW64\K0L4B0R451.exe C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File opened for modification C:\Windows\SysWOW64\K0L4B0R451.exe.tmp C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File opened for modification C:\Windows\SysWOW64\Kantuk.exe.tmp C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\GoldenGhost.exe.tmp C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\4K51K4.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\K0L4B0R451.exe.tmp C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\K0L4B0R451.exe C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File opened for modification C:\Windows\SysWOW64\GoldenGhost.exe C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File opened for modification C:\Windows\SysWOW64\Shell32.com C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File created C:\Windows\SysWOW64\GoldenGhost.exe C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File created C:\Windows\SysWOW64\Folder.ico C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File created C:\Windows\SysWOW64\Player.ico C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~ C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File created C:\Windows\SysWOW64\Kantuk.exe C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe.tmp C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
File opened for modification C:\Windows\SysWOW64\Shell32.com C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File created C:\Windows\SysWOW64\Word.ico C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\K0L4B0R451.jpg" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\K0L4B0R451.jpg C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\4K51K4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\4K51K4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kantuk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kantuk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\K0L4B0R451.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\s1159 = "K0L4B0R451" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\s2359 = "K0L4B0R451" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\s1159 = "K0L4B0R451" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\s2359 = "K0L4B0R451" C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\s2359 = "K0L4B0R451" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\s2359 = "K0L4B0R451" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\ C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\ C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr" C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\ C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\s1159 = "K0L4B0R451" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\s1159 = "K0L4B0R451" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\ C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\s2359 = "K0L4B0R451" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\WallpaperStyle = "0" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\ C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\s2359 = "K0L4B0R451" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\s1159 = "K0L4B0R451" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\ C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\s1159 = "K0L4B0R451" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\TileWallpaper = "0" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ C:\Windows\SysWOW64\K0L4B0R451.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Install\command C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\Install C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\edit\command\ = "logoff.exe" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "logoff.exe" C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Edit\Command C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\edit\command\ = "logoff.exe" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\NeverShowExt = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Edit\Command\ = "logoff.exe" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Edit\Command\ = "logoff.exe" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\Shell\Edit\Command C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\Shell\Edit\Command C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\shell\Install\command C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "logoff.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\Shell\Edit\Command C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "logoff.exe" C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "K0L4B0R451 File" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\Install\command\ = "logoff.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\Install\command\ = "logoff.exe" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "logoff.exe" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "logoff.exe" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\Shell\Edit\Command C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\Install\command C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\NeverShowExt = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A
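
The "Adds Run key", "Checks whether UAC is enabled", "Modifies Control Panel" and "Modifies registry class" tables above record a handful of mechanisms spread across several hundred rows: two Run values, a screensaver autostart (SCRNSAVE.EXE plus a 100-second timeout with ScreenSaverIsSecure = 0), open-verb hijacks for exefile/comfile/batfile/piffile/lnkfile that put 4K51K4.exe in front of "%1", and regfile/inffile/VBSFile verbs pointed at logoff.exe. The Python below is an added example for this write-up, not part of the sandbox report or its tooling: it parses rows in the report's own plain-text shape and groups them into those mechanisms. The sample rows are copied verbatim from the tables above; the category names and the heuristic that a benign shell\open\command starts with "%1" are this example's own assumptions.

```python
"""Classify the report's registry rows into the persistence and hijack
mechanisms they record.

Added example; not part of the sandbox report or its tooling. Rows are
parsed in the plain-text shape the tables use:
    <op> <key>[ = "<escaped value>"] <writing process> N/A
Category names and the '"%1" means benign' heuristic are assumptions of this
example. SAMPLE_ROWS are copied from the tables in the report.
"""
import re
from collections import defaultdict

SET_RE = re.compile(
    r'^Set value \((?P<type>str|int)\) (?P<key>.+?) = "(?P<value>.*)" (?P<proc>\S+) N/A$')
KEY_RE = re.compile(r'^Key (?P<op>created|opened) (?P<key>.+?) (?P<proc>\S+) N/A$')
CLASS_CMD_RE = re.compile(
    r'\\Classes\\(?P<cls>[A-Za-z]+)\\shell\\(?P<verb>[A-Za-z]+)\\command\\?$', re.I)
# Classes whose open verb launches the file itself; hijacking them runs the
# inserted binary on every .exe/.com/.bat/.pif/.lnk/.scr launch.
EXEC_CLASSES = {"exefile", "comfile", "batfile", "piffile", "lnkfile", "scrfile"}


def unescape(value):
    # Report values are C-style escaped: two backslashes -> one, \" -> "
    return re.sub(r'\\(.)', r'\1', value)


def parse_row(line):
    """Return a dict for one table row, or None if the line is not a row."""
    m = SET_RE.match(line)
    if m:
        return {"op": "set", "type": m["type"], "key": m["key"],
                "value": unescape(m["value"]), "proc": m["proc"]}
    m = KEY_RE.match(line)
    if m:
        return {"op": m["op"], "key": m["key"], "value": None, "proc": m["proc"]}
    return None


def classify(row):
    """Map a parsed 'Set value' row to a (category, *details) tuple, or None."""
    if row["op"] != "set":
        return None
    key, value = row["key"], row["value"]
    if re.search(r'\\CurrentVersion\\Run\\[^\\]+$', key):
        return ("run_key", key.rsplit("\\", 1)[1], value)
    if key.endswith(r"\Control Panel\Desktop\SCRNSAVE.EXE"):
        return ("screensaver", value)               # launched after ScreenSaveTimeOut
    if key.endswith(r"\Policies\System\EnableLUA"):
        return ("enablelua", value)                 # report the value, do not assume
    if key.endswith(r"\NeverShowExt") and value == "1":
        return ("hide_ext", key.rsplit("\\", 2)[1])  # Explorer hides the extension
    m = CLASS_CMD_RE.search(key)
    if m:
        cls, verb = m["cls"].lower(), m["verb"].lower()
        # Default open command for these classes is "%1" %*; anything else
        # inserts another binary in front of the file being launched.
        if cls in EXEC_CLASSES and verb == "open" and not value.startswith('"%1"'):
            return ("assoc_hijack", cls, value)
        if "%1" not in value:
            # e.g. regfile open/edit -> logoff.exe: opening a .reg logs the user off
            return ("verb_redirect", cls, verb, value)
    return None


def summarize(lines):
    """Return (findings, writers): category -> sorted unique details, and
    category -> sorted list of processes that wrote them."""
    findings, writers = defaultdict(set), defaultdict(set)
    for line in lines:
        row = parse_row(line.strip())
        hit = classify(row) if row else None
        if hit:
            findings[hit[0]].add(hit[1:])
            writers[hit[0]].add(row["proc"])
    return ({k: sorted(v) for k, v in findings.items()},
            {k: sorted(v) for k, v in writers.items()})


# Copied verbatim from the report tables, one row per mechanism.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\Kantuk.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe" C:\Windows\SysWOW64\K0L4B0R451.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\Kantuk.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr" C:\Windows\SysWOW64\Kantuk.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\Kantuk.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "logoff.exe" C:\Windows\SysWOW64\Kantuk.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" C:\Windows\SysWOW64\4K51K4.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\Kantuk.exe N/A',
]

if __name__ == "__main__":
    found, by = summarize(SAMPLE_ROWS)
    for cat in sorted(found):
        print(cat, found[cat], "written by", by[cat])
```

Two details the grouped output makes easier to see than the raw rows: the Run and SCRNSAVE.EXE values point at C:\Windows\system32\..., while the files were created under C:\Windows\SysWOW64 and the machine-wide Run value landed under WOW6432Node, which is what WOW64 file-system and registry redirection does for a 32-bit writer on a 64-bit host, so a hunt should check both views; and the EnableLUA rows write the value 1, so the classifier reports the value instead of assuming UAC was switched off.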

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\4K51K4.exe N/A
N/A N/A C:\Windows\SysWOW64\GoldenGhost.exe N/A
N/A N/A C:\Windows\SysWOW64\Kantuk.exe N/A
N/A N/A C:\Windows\SysWOW64\K0L4B0R451.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3952 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
PID 3952 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
PID 3952 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
PID 3864 wrote to memory of 4304 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
PID 3864 wrote to memory of 4304 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
PID 3864 wrote to memory of 4304 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
PID 3864 wrote to memory of 2476 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\Kantuk.exe
PID 3864 wrote to memory of 2476 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\Kantuk.exe
PID 3864 wrote to memory of 2476 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\Kantuk.exe
PID 3864 wrote to memory of 5112 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\4K51K4.exe
PID 3864 wrote to memory of 5112 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\4K51K4.exe
PID 3864 wrote to memory of 5112 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\4K51K4.exe
PID 3864 wrote to memory of 4464 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\K0L4B0R451.exe
PID 3864 wrote to memory of 4464 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\K0L4B0R451.exe
PID 3864 wrote to memory of 4464 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\K0L4B0R451.exe
PID 3864 wrote to memory of 1108 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\GoldenGhost.exe
PID 3864 wrote to memory of 1108 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\GoldenGhost.exe
PID 3864 wrote to memory of 1108 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\GoldenGhost.exe
PID 3952 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe C:\Windows\SysWOW64\Kantuk.exe
PID 3952 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe C:\Windows\SysWOW64\Kantuk.exe
PID 3952 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe C:\Windows\SysWOW64\Kantuk.exe
PID 3952 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe C:\Windows\SysWOW64\4K51K4.exe
PID 3952 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe C:\Windows\SysWOW64\4K51K4.exe
PID 3952 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe C:\Windows\SysWOW64\4K51K4.exe
PID 3952 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe C:\Windows\SysWOW64\K0L4B0R451.exe
PID 3952 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe C:\Windows\SysWOW64\K0L4B0R451.exe
PID 3952 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe C:\Windows\SysWOW64\K0L4B0R451.exe
PID 3952 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe C:\Windows\SysWOW64\GoldenGhost.exe
PID 3952 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe C:\Windows\SysWOW64\GoldenGhost.exe
PID 3952 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe C:\Windows\SysWOW64\GoldenGhost.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe

"C:\Users\Admin\AppData\Local\Temp\f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65.exe"

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\Kantuk.exe

C:\Windows\system32\Kantuk.exe

C:\Windows\SysWOW64\4K51K4.exe

C:\Windows\system32\4K51K4.exe

C:\Windows\SysWOW64\K0L4B0R451.exe

C:\Windows\system32\K0L4B0R451.exe

C:\Windows\SysWOW64\GoldenGhost.exe

C:\Windows\system32\GoldenGhost.exe

C:\Windows\SysWOW64\Kantuk.exe

C:\Windows\system32\Kantuk.exe

C:\Windows\SysWOW64\4K51K4.exe

C:\Windows\system32\4K51K4.exe

C:\Windows\SysWOW64\K0L4B0R451.exe

C:\Windows\system32\K0L4B0R451.exe

C:\Windows\SysWOW64\GoldenGhost.exe

C:\Windows\system32\GoldenGhost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 67.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp

Files

memory/3952-0-0x0000000000400000-0x0000000000451000-memory.dmp

C:\Windows\SysWOW64\GoldenGhost.exe

MD5 2ee5d033251bd5e2cd7d054af3776ddf
SHA1 10bd08a006c8bba819a154ba74429cc2a034e7fe
SHA256 f11a45d644fc66a168b59bdfd4317cb292e97684c38ae9edf3f3fb138b3b3e65
SHA512 fd92a3fe53c84cb0e975b97b2a61ef6442d24b51a9ecfd74169ab28c9c747be6a7ee32fee5093b7e95509f5544b786b49396feb560449800969df3f01358adda

C:\Aut0exec.bat.tmp

MD5 87e8b7ac13971e17992b59a380c3ae13
SHA1 0f88fb8409441ab2467b28ba9ed9192acb0df8fb
SHA256 9cead2140923e2c2e97e79949ebe31d6ab26882fc77a91e5b2e6c22f544fed37
SHA512 5fd5a7e6fe872038462a95ceb6eae4946d6388c7eb49815202a7e211b0d611acd123ed62c142f03ecfe3551e37c21d7170d3ccfc6b8b9bb5d310c8c518838f6b

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe.tmp

MD5 5d4d61e136bf12db7d1f40329be37cee
SHA1 da55c8435bc01ec8e05f080e3c3962913c1cd6eb
SHA256 1ee6f2cb166461bed3557cef773ca5de328970a81584585e6eb9d5a3cd7fc682
SHA512 b29262525b61c91d4d120e2150df85446e10dbbeb877951209b36cca219494b20525324ea7b1f57256709c395465c68a9d07b6e3a76994d51050153086c15b4e

C:\Windows\SysWOW64\4K51K4.exe.tmp

MD5 e6023599c93ba4fa5930c842086bb37e
SHA1 f26858ffcf34362f79624d678e6198cb35eb6684
SHA256 911c41fd50dd654590c831c33030ecb5e2f130f35014449f19f96eb0aa658f14
SHA512 973148103d0ec6877920a261a20b3578a16128d3a2ca72320dd40ebcb40ae4a57e70284bae3df226ac36ddc634a5fc3667e291851e6bb5131b65232d4e84b87a

C:\Windows\SysWOW64\K0L4B0R451.exe.tmp

MD5 437d8d40c129d4c8fea9d08ca360e497
SHA1 208cb77b70cd3c2b5c77f9efa776880f5901005a
SHA256 43d9154b828e4876531688ca4bf8a169c9abfb1530f4941577a6ada4a85c76a9
SHA512 2ec83b614c2b122cc78427953a7b032df9244b18753e851f57d383746f8195d217a99bd5c3729108053d1aaa00f5f3384eca7309ca1a8a14b4ae034a404b069c

C:\Windows\SysWOW64\Shell32.com.tmp

MD5 c2272951c3adf8164ede603400dac5c9
SHA1 e181657d5ce2d96cca10d6978d16bb971eb01448
SHA256 9d09efb16acbb204aa02118cd7f0986aa3a7c6e995cb1ec29dcf905feb6d1cee
SHA512 f59e29a3e273583c06e1048a293ca244c747d2963f69ee003fbf74e4c046d98972edcd77391495c36bd4ede74fe6b0c0842588efb0795b983b969a79762bacd1

C:\Users\Admin\AppData\Local\Temp\Windows_3D.scr.tmp

MD5 040a578186422ff0a4e5d67fde32e3ed
SHA1 4e1bf520975c7c362842fbd9f989ae993df576bb
SHA256 1bab0f583a2999f3265f290bf63f97a29c78c0cf88aaab0752ee940580d56306
SHA512 3e399cf3a58c965d21ad607fa9f662d6b6816d282ffc4e0fee73bb82943a5e0d4ae2da2cb76a27f82e106ba3d498c3b41257b8eb6531edff267097daf96c1d71

C:\Windows\SysWOW64\Kantuk.exe.tmp

MD5 ad516115f171c1de7711bf158900cbb8
SHA1 7155b3e198806f2a23b2fad4b1b34cd062d5c679
SHA256 f9219cfcbaba725dab4681f0b334eb35157d566842e56377402bc0bb6aae7554
SHA512 02b1e0afb302738399d91ab90f8700efc736bfadf94d622c6c13d89d0bc2514cabd4f12d894c0662b0422aafcf90749e806614652a7d4e8b8e6044f609c66050

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

MD5 cc885153b41911b0d3b4ce39c285cd6a
SHA1 2b12bba90c35c29fa08955a53d9e35f397ecedb7
SHA256 488d510ccd90a7fea4ffa9d7e8f40ebb7783f91fab8f8d1a193b6adeb2d45a46
SHA512 780eb9f8893956d117b5f701fb9cdd0d2cf9868d189920ebdb834460c1d81ebe71e053cafea5e570c792151f4a6f16bb57a1df7aae86ad152a3e2227603a5dca

memory/3864-207-0x0000000000400000-0x0000000000451000-memory.dmp

C:\Windows\SysWOW64\Shell32.com.tmp

MD5 97ac953fff6138d4b96e34cb743644d7
SHA1 f1a1ab35fd2910eb7152fb8f308421798f58d47f
SHA256 1ffe9186fefed89fb5aff7bfc3a48d05e17357bc6e0083302c7da1edf174d36b
SHA512 2b4c6bd254238c7d35eb8631f24436f1cb0bb074d2ce724c7f1007ba00939de48624957560541fd561a34539824c0c0dd3180317b5a895bf52b35a59170025c1

C:\Windows\SysWOW64\K0L4B0R451.exe.tmp

MD5 31dcb843a894ac83143757cf0c0cd37a
SHA1 4d97ec9d36bc52791c60b9110c9ac2c8ad85f447
SHA256 b9da45f40825c808cca6b4b17f8b10a769b24c4ef4db34b60efb1eca1f5ac890
SHA512 6f8402a0df62dac5d5055fda9e98e2f8a0edfd2a685a0f96b5cc41decb9309fa54d1004775c40894ccf0235e002bc2e7b5af5173fabb801bd26e6ee72a7d3214

C:\Windows\SysWOW64\Shell32.com

MD5 d674ecbd025b128b87a5f74e1624d255
SHA1 eef4af3ae28f2d425168a781cccf1c7365fd32a2
SHA256 7fce944e57975cae620479744601b8ff5c1f95ff13258a2f6a13c3823de7bd3d
SHA512 edead55af22b8c1748be27b2903439e3aa967a3862fe9c510f58d27d4b59da920551b8cce5c446eb86996386374cca58fdaf9a4d82945d1b0a2e46bb9a2d2301

C:\Windows\SysWOW64\GoldenGhost.exe.tmp

MD5 9a85969ec9284972c4f159941ecee304
SHA1 63abb6ea77be97f03e243fb310eb352eb6674114
SHA256 2eff4c9994cb1e9b9c1aa91abf7b2c2b84ffb6a3724b713fcd84271123a75662
SHA512 bf26c84ba62cc4b8a9032249b5bf4246c49c79390bce376ae25b5e08bf000e7a33c8172a11f5132dceb235615b203a9123343839aa85748c66594a3fe97ccd2a

C:\Windows\SysWOW64\Word.ico

MD5 8482935ff2fab6025b44b5a23c750480
SHA1 d770c46d210c0fd302fa035a6054f5ac19f3bd13
SHA256 dcbcdce04483e9d2d8a5d7779b18b7f64cfc06e758b07f671493e38dfb9ab33c
SHA512 00c711d815815a88fc15f73c8cba6a81b2bfc505baff2cc67b456545151fe896029f11127e447c9bbc5a2d5dc561a06a52be9a9f9c0d28e98ea4e174cdd54398

C:\Windows\SysWOW64\Player.ico

MD5 43be35d4fb3ebc6ca0970f05365440e3
SHA1 87bc28e5d9a6ab0c79a07118ca578726ce61b1bc
SHA256 5a15c1aab77f132e7ce5928996919ed66564c6082a7f94d0a42229c480113fc5
SHA512 b2e24ff3702805d2ff8ecf3ddde8a8e6258965f992f37104c2ed9b763e1448ab32c7609a607e1d90cfba281e7add1e839855656d6453433a42c0d6c8923c9395

C:\Windows\SysWOW64\Kantuk.exe

MD5 6b9049d1b4bc55475d602fac84ea1dad
SHA1 e1ba75ff4e3c987c6efd7c7e6352c34262b466ff
SHA256 c3adf46f32ec8507591ddc393459eee75220d0a7a8c8a7520ac7f7594dde5fa9
SHA512 44f8e6eec19acc2f2bbaf30d327e37895ae8efca6a7cb360038116d0e7fdc62a83df0cc0fecff41bbb6cdd03039a8dd8008162cda28bbebe075079b566bb798e

memory/2476-312-0x0000000000400000-0x0000000000451000-memory.dmp

C:\Windows\SysWOW64\K0L4B0R451.exe

MD5 88896ec68addbd4bb3e9c995803abcd9
SHA1 01354852b8193ab3af52f12cc3e09f7b2037826e
SHA256 0de43b001c71ee5db845b1381a500d0dc3e937d05407c77e425b2ce0dfd69333
SHA512 b33c45d1bba97a44c09689af0a70b4c66446251bfd3711861ac0f0a9dcce463a7651c242d900e9fd0acb613141dc13521d3c0cc2a3ec1143392532008cd499df

memory/5112-318-0x0000000000400000-0x0000000000451000-memory.dmp

C:\Windows\SysWOW64\4K51K4.exe

MD5 5cb2b14c8826fe2f7405c78b2f76ac52
SHA1 65f7a5295f040e347f74a10e8ce0d6a9acc07382
SHA256 e33a799dde40114ecbdd8262c51bd08dba3e43f06a8bb8bddd405acb6c5fa79d
SHA512 ae5af821436988aada4ad2cc48510dddc9635cf737d62f2f6fbd4995015b052ce3519938bdb3e48d48e34f65835c370667379b1352a958d9f3db8c60c1a71b7b

C:\Windows\SysWOW64\Folder.ico

MD5 d7f9d9553c172cba8825fa161e8e9851
SHA1 e45bdc6609d9d719e1cefa846f17d3d66332a3a0
SHA256 cd2e513851d519098acef16d191188ac2586d2174dfd1a84f4db7f41a6970086
SHA512 a03a806d9db86c0c4f6f8efc4b40008aa51f1625fc1c703a929bfa57a5caf962119b3c76044775af607d4ee1a8a671e1d0a2be66d19ee551717398f9ddc8ad24

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\JPG.ico

MD5 62b7610403ea3ac4776df9eb93bf4ba4
SHA1 b4a6cd17516f8fba679f15eda654928dc44dc502
SHA256 b0fd7ffb4c8f0e4566658a7284ca0652961648aaab44a53c5b9713664b122c29
SHA512 fa1995a21ffe073a15fa00a3a8717492b0a67f3615abe4c7e6bce054bb23cf545e10e21cfe3625b665c8bb199577815dbeccc7c6107cdb49f673b8d53f23888d

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Empty.pif

MD5 db789fe45c9726936e9f222452e6cc88
SHA1 e286eeaa8c4acba745d0a7ac4a7d930d0242ad90
SHA256 cf117b9e23812598d7332a432d608c9d0b66dc0a74e934fdcece29521e8ccc61
SHA512 f316a57734f5bb4d2ae3bc7587efa30bdc6944195e1d7aced138a5f94e461cf0228203945f8b05490799386d77639849b4ca1409cd8a46e75691a16233a5e0ec

C:\Windows\SysWOW64\4K51K4.exe.tmp

MD5 07a32d8131faa9521b187e33f3a445fa
SHA1 7819b4b38b3fbc32ffee5feedf55d17c34a130af
SHA256 1630c7ac077ab4f47f8c2def6d1925bbad30d45bcc7be83c0c812095de68b153
SHA512 f1474e0aefd686e5c3c76c52317f4f39ecbe88d8cd694b0686c19f7c3bc067b4c8a407183f4bb71ce3ac58659e3783420378c14d61c102eef7f1d760a700cb0b

C:\Windows\SysWOW64\Kantuk.exe.tmp

MD5 77c1adfcc61476018ad04a8a253a02c1
SHA1 0e7109fa84e9f5e571a3c1efdf0bce4a9fb0eb6c
SHA256 31a26ddb73b44e23f1accf1ac4eb5011671307e1928dad5ceeb9f08e0640363d
SHA512 2065ebd4a5a7e8c92adcf0d7d811111d17cedc08762c058dc4a209738a2d349d53023a11c0776791003cd625d218b2577845ac108ca7f7542aa827955aca2485

C:\Aut0exec.bat.tmp

MD5 2a70e414ca3b4b5a1a18653b306b5334
SHA1 4f8b59cb9b3fcfabfcc7a168145d9a9d940f8d2c
SHA256 896199a6fb23aaa4cc3a4bce5bc758b7a03ae09062b02ed5fac3afab13928e7a
SHA512 ac57e6ed5cefec5c9c0e791da001854c72638acc28cc27c6834796a42e712c9e7e3d190b6472a51fff29c8045b1aa2b95792dd2dc719782de6d1fa710126686f

C:\Windows\SysWOW64\GoldenGhost.exe

MD5 db5e99743be48658b8f15e49a17d0a04
SHA1 0b9e00404e58933c8ed40aa7b492d44bc5f3b8f8
SHA256 e9128ac4df407603f6fede5caeed33a05115e51b4c0271a19ca2198ccbd8ba5a
SHA512 4db953da9711d6658132c62541462af36560f1fe3d8217cb0d4c8d374ba7eed4041f70f7bdc706597b8e84c30fb9305576aadd28be1f17503b4bca0eeb9afe58

C:\Windows\SysWOW64\GoldenGhost.exe.tmp

MD5 08bd03410ddfcce3240ade7bf09eff7f
SHA1 3c448345fe1a017926976f574458bcecb54e3ffd
SHA256 e534161b8444d107631d11c4408bee8f509c43b144b78f8564e5ca33016fe8aa
SHA512 680ac6ec5a1c060ea407abc622322ad2cf35d590038e2c146cc2c147c0e4703de5771ca71eec8e56dab3690247a303fdd4d4062c96b8942207ca72fb46f9381e

C:\Aut0exec.bat.tmp

MD5 bb901c4619f7e5a5b2869825d72b1855
SHA1 d4e50db07897f907e0a72d51d76c2d1e596ece6b
SHA256 6af25019a51befd49535fb83ed1cc2400a6c7a88db14df9a8e98ee0e671847d4
SHA512 65ad36fdcafa521588a0b0590580b89d6cf0f8faff12f014290d18fb036e58b047f888576347b5e5722bea131932482644df58f8cdd1f2b6b6ac190d864db49e

C:\Windows\SysWOW64\GoldenGhost.exe.tmp

MD5 797f37357d4557724cee1e6756471b95
SHA1 cfee9bd86a60fdbf4dbd223a1812a4dad8cfc2fb
SHA256 ed2b1d0ad83f763c5ce3743509217555da4fd8609b483a9915df1237d87092c6
SHA512 ec53a0a896a48b64a393dc84ac1c2c64e1a10f95e53f5a350446f186aabf558ce1fbbb824d1345a3c2996c4e521cb448105d247cac0b6bdb9ef913fd2417f835

C:\Windows\SysWOW64\Kantuk.exe.tmp

MD5 5ae79194ff2d3e6e4c11de1ee4e7d486
SHA1 2347db7d3518c70c8f6550738ede60c5461bf05b
SHA256 85f10cd51e3e36c57c6b5bc16074014cd06e7573bd15468666db299c9f6f618b
SHA512 f694d0ff2d62fb5f810c36f9cb6044883d262397b0ec779c6a846bb6763508474736a387970c8081f643b749af5d9c27d70176543409c7aee42fcc110bda5ad3

memory/4464-335-0x0000000000400000-0x0000000000451000-memory.dmp

memory/1108-341-0x0000000000400000-0x0000000000451000-memory.dmp