Malware Analysis Report

2025-03-15 08:28

Sample ID 241020-whcw2a1gqh
Target 623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN
SHA256 623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344d
Tags discovery evasion persistence ransomware trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344d

Threat Level: Known bad

The file 623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence ransomware trojan

Modifies visibility of file extensions in Explorer

UAC bypass

Modifies WinLogon for persistence

Event Triggered Execution: Image File Execution Options Injection

Disables cmd.exe use via registry modification

Disables Task Manager via registry modification

Disables RegEdit via registry modification

Disables use of System Restore points

Executes dropped EXE

Modifies system executable filetype association

Loads dropped DLL

Enumerates connected drives

Adds Run key to start application

Checks whether UAC is enabled

Sets desktop wallpaper using registry

Drops autorun.inf file

Drops file in System32 directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

System policy modification

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Modifies Control Panel

Suspicious use of SetWindowsHookEx

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-20 17:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-20 17:54

Reported

2024-10-20 17:57

Platform

win7-20240903-en

Max time kernel

42s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\"" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\"" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\"" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\"" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\"" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\"" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe" C:\Windows\SysWOW64\GoldenGhost.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\4K51K4.exe N/A

Disables Task Manager via registry modification

evasion

Disables cmd.exe use via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\4K51K4.exe N/A

Disables use of System Restore points

evasion

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav.exe C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CClaw.exe C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nipsvc.exe C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\Debugger = "notepad.exe" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-SE.exe C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Njeeves.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-SE.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nip.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avguard.exe C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\Debugger = "notepad.exe" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avgw.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvccf.exe C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\Debugger = "notepad.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avgnt.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV.exe C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avgw.exe C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nip.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcoas.exe C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Niu.exe C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvccf.exe C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Niu.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-SE.exe C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avguard.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Njeeves.exe C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcoas.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Niu.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\Debugger = "notepad.exe" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avgw.exe C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CClaw.exe C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-SE.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CClaw.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CClaw.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Niu.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV.exe C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CClaw.exe C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Njeeves.exe C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav.exe C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nipsvc.exe C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nipsvc.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CClaw.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-SE.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-SE.exe C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe\Debugger = "notepad.exe" C:\Windows\SysWOW64\K0L4B0R451.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\K0L4B0R451.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\K0L4B0R451.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\K0L4B0R451.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File created C:\autorun.inf C:\Windows\SysWOW64\Kantuk.exe N/A
File opened for modification C:\autorun.inf C:\Windows\SysWOW64\Kantuk.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\K0L4B0R451.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\Shell32.com C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\Kantuk.exe C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File opened for modification C:\Windows\SysWOW64\GoldenGhost.exe C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File created C:\Windows\SysWOW64\4K51K4.exe C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File created C:\Windows\SysWOW64\K0L4B0R451.exe C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe.tmp C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File opened for modification C:\Windows\SysWOW64\4K51K4.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\GoldenGhost.exe.tmp C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\JPG.ico C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\Kantuk.exe.tmp C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File opened for modification C:\Windows\SysWOW64\4K51K4.exe.tmp C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File created C:\Windows\SysWOW64\Word.ico C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File created C:\Windows\SysWOW64\Asli.ico C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows_3D.scr C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File created C:\Windows\SysWOW64\Folder.ico C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\K0L4B0R451.exe.tmp C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File opened for modification C:\Windows\SysWOW64\Shell32.com.tmp C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File opened for modification C:\Windows\SysWOW64\4K51K4.exe.tmp C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File opened for modification C:\Windows\SysWOW64\4K51K4.exe C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File opened for modification C:\Windows\SysWOW64\Shell32.com C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File opened for modification C:\Windows\SysWOW64\GoldenGhost.exe.tmp C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File opened for modification C:\Windows\SysWOW64\Shell32.com.tmp C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File created C:\Windows\SysWOW64\Word.ico C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows_3D.scr C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File created C:\Windows\SysWOW64\Player.ico C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~ C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File opened for modification C:\Windows\SysWOW64\K0L4B0R451.exe C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File created C:\Windows\SysWOW64\GoldenGhost.exe C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe.tmp C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File created C:\Windows\SysWOW64\Kantuk.exe C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\JPG.ico C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File created C:\Windows\SysWOW64\Player.ico C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File created C:\Windows\SysWOW64\Rar.ico C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~ C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\Kantuk.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\GoldenGhost.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\Kantuk.exe.tmp C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\K0L4B0R451.exe.tmp C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File created C:\Windows\SysWOW64\Rar.ico C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File created C:\Windows\SysWOW64\Folder.ico C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File created C:\Windows\SysWOW64\Asli.ico C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File created C:\Windows\SysWOW64\Shell32.com C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\K0L4B0R451.jpg" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\K0L4B0R451.jpg C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kantuk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\4K51K4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\4K51K4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kantuk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\WallpaperStyle = "0" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\s2359 = "K0L4B0R451" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\s2359 = "K0L4B0R451" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\ C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\s1159 = "K0L4B0R451" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\s2359 = "K0L4B0R451" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\ C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\s2359 = "K0L4B0R451" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\s2359 = "K0L4B0R451" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\s2359 = "K0L4B0R451" C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\ C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\s1159 = "K0L4B0R451" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\s1159 = "K0L4B0R451" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\s1159 = "K0L4B0R451" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\s1159 = "K0L4B0R451" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\ C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100" C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\ C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr" C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\ C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\s1159 = "K0L4B0R451" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\TileWallpaper = "0" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
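The signature tables above all describe one persistence design: the default value of Classes\<progid>\shell\open\command for exefile, comfile, batfile, piffile and lnkfile is rewritten to run the dropped C:\Windows\system32\4K51K4.exe with the user's file passed as "%1", so every launch of those types passes through the malware first (on a clean host the exefile default is "%1" %*); NeverShowExt = 1 hides the extension in Explorer; the Run values Revenger and Winlogon relaunch K0L4B0R451.exe and the look-alike winlogon.exe at logon; SCRNSAVE.EXE is pointed at the dropped Windows_3D.scr with ScreenSaverIsSecure = 0 and a 100 second timeout, so the payload also starts on idle; and s1159/s2359 (the AM/PM designators) are overwritten with the family name. The script below is an added example, not part of the sandbox output or of the sample: it parses rows in the flattened "Description Indicator Process Target" layout used on this page and pulls those indicators out, which is the same triage a responder would do before checking other hosts. SAMPLE_ROWS is copied from the tables on this page; the parser assumes, as holds for every row here, that the process path contains no spaces and the Target column is "N/A". The finding names ("interposed", "neutralised") are this example's own labels.

```python
"""Extract the persistence and handler-hijack indicators from sandbox rows.

Added example for this report; it is not Triage output and not the sample's
own code.  Assumes (true for every row on this page) that the process path
has no spaces and that the Target column is 'N/A'.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Rows copied verbatim from the signature tables on this page.
SAMPLE_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "logoff.exe" C:\Windows\SysWOW64\4K51K4.exe N/A
File created C:\autorun.inf C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\Kantuk.exe N/A
"""

# One table row: <description> <key or path> [= "<data>"] <process> N/A
ROW_RE = re.compile(
    r"^(?P<desc>Key created|Key opened|Set value \((?:str|int)\)|File created|"
    r"File opened for modification|File opened \(read-only\))\s+"
    r"(?P<rest>.*?)\s+(?P<proc>[A-Za-z]:\\\S+)\s+N/A$"
)
CMD_RE = re.compile(r"\\Classes\\(?P<progid>[^\\]+)\\shell\\(?P<verb>[^\\]+)\\command\\?$", re.I)
RUN_RE = re.compile(r"\\CurrentVersion\\Run\\(?P<name>[^\\]+)$", re.I)
EXE_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|scr)\b', re.I)


@dataclass(frozen=True)
class Row:
    desc: str
    key: str              # registry key or file path
    value: Optional[str]  # decoded data for 'Set value' rows, else None
    proc: str             # process that performed the action


def _unescape(s: str) -> str:
    # The report writes a backslash as '\\' and a quote as '\"' inside data.
    return re.sub(r"\\(.)", r"\1", s)


def parse_row(line: str) -> Optional[Row]:
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    rest, value = m["rest"], None
    if m["desc"].startswith("Set value"):
        rest, _, raw = rest.partition(" = ")
        value = _unescape(raw.strip()[1:-1])  # drop the surrounding quotes
    return Row(m["desc"], rest, value, m["proc"])


def parse_rows(text: str) -> list:
    return [r for r in map(parse_row, text.splitlines()) if r]


def analyze(rows: list) -> dict:
    out = {
        "interposed": {},         # progid -> binary every launch now runs first
        "neutralised": {},        # progid/verb -> handler replaced by logoff.exe
        "hidden_ext": set(),      # progids with NeverShowExt = 1
        "run_keys": {},           # autorun value name -> binary
        "screensaver": None,      # SCRNSAVE.EXE target
        "screensaver_secure": None,
        "autorun_inf": set(),     # autorun.inf drops (removable-media spread)
        "drives_probed": set(),   # drive letters opened read-only
    }
    for r in rows:
        if r.value is not None:
            if (m := CMD_RE.search(r.key)):
                if "logoff.exe" in r.value.lower():
                    out["neutralised"][f"{m['progid']}/{m['verb']}".lower()] = r.value
                elif (e := EXE_RE.search(r.value)):
                    out["interposed"][m["progid"].lower()] = e.group(0)
            elif r.key.lower().endswith("\\nevershowext") and r.value == "1":
                out["hidden_ext"].add(r.key.split("\\")[-2].lower())
            elif (m := RUN_RE.search(r.key)):
                out["run_keys"][m["name"]] = r.value
            elif r.key.lower().endswith("\\control panel\\desktop\\scrnsave.exe"):
                out["screensaver"] = r.value
            elif r.key.lower().endswith("\\screensaverissecure"):
                out["screensaver_secure"] = r.value == "1"
        elif r.desc == "File created" and r.key.lower().endswith("\\autorun.inf"):
            out["autorun_inf"].add(r.key)
        elif r.desc == "File opened (read-only)" and re.fullmatch(r"\\\?\?\\[A-Z]:", r.key):
            out["drives_probed"].add(r.key[-2])
    return out


if __name__ == "__main__":
    for name, finding in analyze(parse_rows(SAMPLE_ROWS)).items():
        print(f"{name}: {finding}")
```

On a live host the equivalent check is to read the default value of HKCR\exefile\shell\open\command (and the batfile, comfile, piffile and scrfile equivalents) and compare it with the stock "%1" %*: any executable path in front of "%1" is an interposed handler and, with NeverShowExt set, will not be visible from the file name in Explorer. Note that a regfile open command of logoff.exe means double-clicking a .reg file to undo the changes ends the session instead, so the repair has to be done with reg.exe or an offline hive.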

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\Install\command C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\shell\Install\command C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\Shell\Edit\Command C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "logoff.exe" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\Install\command\ = "logoff.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "K0L4B0R451 File" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "logoff.exe" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\Shell\Edit\Command C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\Shell\Edit\Command C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "logoff.exe" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "logoff.exe" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\Shell\Edit\Command C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\NeverShowExt = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "K0L4B0R451 File" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "logoff.exe" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\edit\command\ = "logoff.exe" C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\Install\command C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Install\command\ = "logoff.exe" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Edit\Command\ = "logoff.exe" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\shell C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\Install\command C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Install\command\ = "logoff.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\edit\command\ = "logoff.exe" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "logoff.exe" C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "logoff.exe" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\Install\command\ = "logoff.exe" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\4K51K4.exe N/A
N/A N/A C:\Windows\SysWOW64\GoldenGhost.exe N/A
N/A N/A C:\Windows\SysWOW64\Kantuk.exe N/A
N/A N/A C:\Windows\SysWOW64\K0L4B0R451.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1036 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
PID 1036 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
PID 1036 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
PID 1036 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
PID 2912 wrote to memory of 1176 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
PID 2912 wrote to memory of 1176 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
PID 2912 wrote to memory of 1176 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
PID 2912 wrote to memory of 1176 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
PID 2912 wrote to memory of 2244 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\Kantuk.exe
PID 2912 wrote to memory of 2244 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\Kantuk.exe
PID 2912 wrote to memory of 2244 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\Kantuk.exe
PID 2912 wrote to memory of 2244 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\Kantuk.exe
PID 2912 wrote to memory of 792 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\4K51K4.exe
PID 2912 wrote to memory of 792 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\4K51K4.exe
PID 2912 wrote to memory of 792 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\4K51K4.exe
PID 2912 wrote to memory of 792 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\4K51K4.exe
PID 2912 wrote to memory of 1052 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\K0L4B0R451.exe
PID 2912 wrote to memory of 1052 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\K0L4B0R451.exe
PID 2912 wrote to memory of 1052 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\K0L4B0R451.exe
PID 2912 wrote to memory of 1052 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\K0L4B0R451.exe
PID 2912 wrote to memory of 3044 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\GoldenGhost.exe
PID 2912 wrote to memory of 3044 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\GoldenGhost.exe
PID 2912 wrote to memory of 3044 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\GoldenGhost.exe
PID 2912 wrote to memory of 3044 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\GoldenGhost.exe
PID 1036 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe C:\Windows\SysWOW64\Kantuk.exe
PID 1036 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe C:\Windows\SysWOW64\Kantuk.exe
PID 1036 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe C:\Windows\SysWOW64\Kantuk.exe
PID 1036 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe C:\Windows\SysWOW64\Kantuk.exe
PID 1036 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe C:\Windows\SysWOW64\4K51K4.exe
PID 1036 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe C:\Windows\SysWOW64\4K51K4.exe
PID 1036 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe C:\Windows\SysWOW64\4K51K4.exe
PID 1036 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe C:\Windows\SysWOW64\4K51K4.exe
PID 1036 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe C:\Windows\SysWOW64\K0L4B0R451.exe
PID 1036 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe C:\Windows\SysWOW64\K0L4B0R451.exe
PID 1036 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe C:\Windows\SysWOW64\K0L4B0R451.exe
PID 1036 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe C:\Windows\SysWOW64\K0L4B0R451.exe
PID 1036 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe C:\Windows\SysWOW64\GoldenGhost.exe
PID 1036 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe C:\Windows\SysWOW64\GoldenGhost.exe
PID 1036 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe C:\Windows\SysWOW64\GoldenGhost.exe
PID 1036 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe C:\Windows\SysWOW64\GoldenGhost.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe

"C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe"

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\Kantuk.exe

C:\Windows\system32\Kantuk.exe

C:\Windows\SysWOW64\4K51K4.exe

C:\Windows\system32\4K51K4.exe

C:\Windows\SysWOW64\K0L4B0R451.exe

C:\Windows\system32\K0L4B0R451.exe

C:\Windows\SysWOW64\GoldenGhost.exe

C:\Windows\system32\GoldenGhost.exe

C:\Windows\SysWOW64\Kantuk.exe

C:\Windows\system32\Kantuk.exe

C:\Windows\SysWOW64\4K51K4.exe

C:\Windows\system32\4K51K4.exe

C:\Windows\SysWOW64\K0L4B0R451.exe

C:\Windows\system32\K0L4B0R451.exe

C:\Windows\SysWOW64\GoldenGhost.exe

C:\Windows\system32\GoldenGhost.exe

Network

N/A

Files

memory/1036-0-0x0000000000400000-0x0000000000451000-memory.dmp

C:\Windows\SysWOW64\GoldenGhost.exe

MD5 9d84816304edd977f6562e4dc27ed660
SHA1 de0b1053cdf13bdad55c059950c57d627fe20558
SHA256 623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344d
SHA512 0ca5f5f40f96f2df68aa3a5ac61a596d3e0c879b0599c96274d071e5bc15c04589f0bfddab745f4e81c75e539268f44fa03b4e19072d112e589502f61a9d5392

C:\Aut0exec.bat.tmp

MD5 8adc1390286d84330b7e5afa854864f6
SHA1 76a0c97467ffb7c6768db1a583925f4ac5d343ea
SHA256 258fc246ae48ad041ef48dd2a254d8963e2dd3ca9a6193c7f8c8f2c10c5ac8d1
SHA512 cc757ba68e4bcbd6e17f2ebb59c65efb52efd13b4963f544ec62d233a82345d18900a2120408265fad87c6db132ae6938cf0ada80ea2feafbbd0b2db0cf017fb

memory/2912-159-0x0000000000400000-0x0000000000451000-memory.dmp

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

MD5 ff4a2253150d5b39bc4ba5776d1f7cbc
SHA1 173fcb5fc7fda44f8a223a211e3075889639fe24
SHA256 2dfeb957bfee54c073f2eac8c849155178cbc83b4669a31f405d15e8433385b0
SHA512 950c26cdeb5794c54a2f11eb3ff7ea8d98b20914651645d933b4012eeedd2f2a2a9069bdfa9d4ab43c36482819f67a88c40a11d4a3ef9b7720709717fb5a63ad

C:\Aut0exec.bat.tmp

MD5 4eb3b26a8fea38c56e0373aa61eb8c52
SHA1 f001d0d68eeb38929095c713338ca8e3f128829d
SHA256 cc5834dc59612ddfae70565d099d10d66b99e432f2ab4ef0a10bdace9ec4de7f
SHA512 82f2d80da31aad658269d4014adcf43b90d31e89b255f49ec72742cebd539c2f8122024122b147d2509419dd6e419dbfe4e7a312fd9b1b8de224a4f9380fa773

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif.tmp

MD5 15f29684d71f802e43ee68bcf9505381
SHA1 40107b2e35b82927c6dea7b918f9806125359379
SHA256 4fe7c0f0e5349d1814e61103b10c5de797259321db92f88205328a8d02da5d4b
SHA512 17144b908384fc96db7b7c005bab8232799f57cae5c7da3f1611e23085b309339e0041a612a094bc42fdfc4ee3ee6c6bf26abf9914daa771317f6873a63238e5

C:\Windows\SysWOW64\Shell32.com.tmp

MD5 f1f42ad53e568ba8f62644818db42277
SHA1 92ca621177ad52060b1f8248d3de34f43185e7a1
SHA256 7901086c95b5732fb4d3fd253977a79519db9e28dee015b7682079f2ec1e287b
SHA512 4c66463a0c28005515618528166b4b9bf25d2d710ece7ab8ad09f489c8c1fa76e00aea7342e18df177638223d25e82addb20f635c2cee8616f0cf85ff726a931

C:\Windows\SysWOW64\K0L4B0R451.exe.tmp

MD5 d4455c8442f495731b2836c5ac1ee2f2
SHA1 38346b47977ec73ac116c3ab72643433d1c8233b
SHA256 daeba9134d1d54fa8237d12acde258ba49f1225a02ee11ae4611b2964a316595
SHA512 f8ca7840001ec3d1a7c3e4bc38e8e8749c35cfbc637cf6b16f65490d2b8c94f6b905bb7562ff3ec085e03944a2104af9a4d084ea6c601cf56ac3f5c1c567d013

C:\Windows\SysWOW64\GoldenGhost.exe.tmp

MD5 0de5ad86e6b9e486ac7d1d4381ee9414
SHA1 5661b45867fcae161d74877e30dab1c52d81050d
SHA256 a85a0139aa64940150a3a2b42a13457b11afa98af15194a88d60ca9a2a89e640
SHA512 b2b6af6c943e61e4bdbbd4db7d66767b14ebd1a47e71a19176ad4d09b27a80fa9a62ccb9bcc2e9b0be757432ee83d4265c7d37e76420b40d89f163802642342d

C:\Windows\SysWOW64\4K51K4.exe.tmp

MD5 bfd058d3a849d67c6219920339a604e9
SHA1 7863242d722ce74041ef3af9d3634fc28797fc59
SHA256 9782eee0518bb0b1bc15666e3dc22a2f157c0a0e9af85a82322305180d90835d
SHA512 4b4843859c1010fb7e72c49b3d0794a90ca84ef2a6f243efc28cf300b1e28751ec8ca93790bf4c75edce32fad03307c6e24acf86e263cc0807ee154734c61b87

C:\Windows\SysWOW64\Kantuk.exe.tmp

MD5 75fc479cf5d742d0842642eb1cda1bbb
SHA1 e92e8729d3543ceeaa0593c87fee794ea2680822
SHA256 43d340c2327eaaa8c4064e3bde1502edc84fdce1865548934f27dc184b0cc59a
SHA512 7abc12a1f3d4d3cb443360f6322555810efc7f4210a85a94045dbd87e5bd597a558efcf0f3923c297e2f436c7a816cbbc25897212bcd04e7762bdb776da7fe29

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe.tmp

MD5 5f7bd85f47cdec115409a342f3572f87
SHA1 f67d768aff4ed9c5738a3bf47dcde4012d341f7b
SHA256 d6d02c95dcfb23477a0cc091d67b6dfb729afc5ea0dc4f1ebbfed523ea3e6725
SHA512 3fb25565f6edc20a796dd3b832818e99b5a96efc388d8b114a3f9cd09be4481df1e62beda1128da29a347764b9c2ac3397ee3a033cbffadfddc30eb2c0f552f5

C:\Windows\SysWOW64\GoldenGhost.exe

MD5 56c550a5651f6adc298a747896f87e43
SHA1 7c64f5f295e9248040eff59e8a5b04cd7f796455
SHA256 faa4d093a08e944d7f259be6c88108d743406ad9b98a753dbaae2b19c01da4f0
SHA512 598bd8ce485dc78f0b783b3677e9d65772a7278fa27ca17586d7e311596ee37cba802b9a82d8895e4cb1c973a91beffc15aca3adb0615428e98268813ca1a023

C:\Windows\SysWOW64\4K51K4.exe

MD5 587ba5caa45f04e5b213640989a4a0af
SHA1 28bad90102b260228c33e9f9c529bbad1f3090eb
SHA256 4f8b6380edb1e558d93a3f3d5a1eb1d01f7e6c8158a519bb295971c5d68d7f6d
SHA512 a11297b4abfd61d6ab73cd7ca046e661c1fcd0192e0c0b77130c084c04ac7300919bad391cbedff50d18f9df8e5056608e02084c9faee5295663d8985a5a1f9d

C:\Windows\SysWOW64\Kantuk.exe

MD5 6327c1b8a40069702ca9ed4a3616361d
SHA1 e9d2db91f34bdb5d414b905e7ef2e6118520d7c7
SHA256 906b34b7ba1deed9326cd8461be1278fbfe56ffca35fda4f4863d2ae90b01065
SHA512 9e3fb8aa5e306fb8237eb2559db02c01050d3d07d9b2c50b20075d14ae344c87a4ac8a4acfd8a551e5833deb3cac0670a7fe69a165307d41dfa0384df0596d48

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif.tmp

MD5 c5a28444db842b3c14772ed23ff16024
SHA1 a315cfece44d0f37451d8194c0b4f58308c6dc1c
SHA256 99f185d5162bf4f2e35436917d8df8c08d51c7bac8cd94d70a77f822f129a382
SHA512 69c6f69fdd4c13249015e354f7ab70fff761fb2c21cf09ac036ab372c5079b3f949fa1f27423fa6c9d92b060d73b8d21e72d45dc4eae71b2e675fbe970e43a40

C:\Windows\SysWOW64\Player.ico

MD5 43be35d4fb3ebc6ca0970f05365440e3
SHA1 87bc28e5d9a6ab0c79a07118ca578726ce61b1bc
SHA256 5a15c1aab77f132e7ce5928996919ed66564c6082a7f94d0a42229c480113fc5
SHA512 b2e24ff3702805d2ff8ecf3ddde8a8e6258965f992f37104c2ed9b763e1448ab32c7609a607e1d90cfba281e7add1e839855656d6453433a42c0d6c8923c9395

C:\Windows\SysWOW64\Folder.ico

MD5 d7f9d9553c172cba8825fa161e8e9851
SHA1 e45bdc6609d9d719e1cefa846f17d3d66332a3a0
SHA256 cd2e513851d519098acef16d191188ac2586d2174dfd1a84f4db7f41a6970086
SHA512 a03a806d9db86c0c4f6f8efc4b40008aa51f1625fc1c703a929bfa57a5caf962119b3c76044775af607d4ee1a8a671e1d0a2be66d19ee551717398f9ddc8ad24

C:\Windows\SysWOW64\Word.ico

MD5 8482935ff2fab6025b44b5a23c750480
SHA1 d770c46d210c0fd302fa035a6054f5ac19f3bd13
SHA256 dcbcdce04483e9d2d8a5d7779b18b7f64cfc06e758b07f671493e38dfb9ab33c
SHA512 00c711d815815a88fc15f73c8cba6a81b2bfc505baff2cc67b456545151fe896029f11127e447c9bbc5a2d5dc561a06a52be9a9f9c0d28e98ea4e174cdd54398

C:\Windows\SysWOW64\Shell32.com.tmp

MD5 c0c3978660f2f95df57bd2efcc950491
SHA1 8d8ac7d972f8e0f26030fc1d716d990dbf80544f
SHA256 56fca7960001ebf43dc93f5e656cc73a2b1726f5a14aef24370b7cfb429dc331
SHA512 9eaccdc9bb3178406107068eacceebee19d518bcd0623f3b5532c99d61092866f9cfa3bb5ee8eb42cf7768a21343c9251fcea31e7de6eb31ef018c7e4c94f8e0

C:\Windows\SysWOW64\K0L4B0R451.exe.tmp

MD5 1855e6d8929524a76ff931d7ed3edf0b
SHA1 1e37f50f3c36327b42375d38dd8fc680a0de413f
SHA256 68c7c8d25fea17cd23ded50df0c18b36b8ee9afcc4962df156a24799fddf8127
SHA512 ff45f3f7a6f08c36a5d93c17aaf48678bd17ebe268c044ff7a12452649e66e3046e0e196526fdcc2a6d9d8ad283557eb1956c1dabfed5b219bb9d73c6e799240

C:\Users\Admin\AppData\Local\Temp\Windows_3D.scr.tmp

MD5 e101cafdffc3f911092198165302cd25
SHA1 6fd269534cc14f5e7870f6ecfd312295cf5be28c
SHA256 cad3fa4db200e8e5fa884c9a3103a8e89462d191742d481406e2924d1800ad0e
SHA512 374d10dd61958fd6555bcff02a65301106934d50567059eb19463ca415ca8e63e0304062300cfe51d029e7707fc3b53124dcaf1289264ebefb4d716ec063105a

C:\Windows\SysWOW64\GoldenGhost.exe.tmp

MD5 80db7cd8977314a55ac27bb954f6b3f4
SHA1 8c795f40425d97173d1a7ba1607f33f5007ee4d4
SHA256 c5d0b4f87d317f5a88dedfc6938515f212a711df7eb97e5fbf5b6ba5b2475f68
SHA512 c925dbdbeecf235a88d1a349c4033914f70e2a77dfceb13049f132c2fbb59db7bfe2cce68d1ea958734478467e9938cfdb7d0bbd9bf3d314d4d9d8b61ad38d93

C:\Windows\SysWOW64\4K51K4.exe.tmp

MD5 d199806c9b45bd9e254e5641f74bac42
SHA1 e2541bdc49961577f9af3ee2f7a1409c1d54ef42
SHA256 2adbd571a04f06b4506076f19bed64321d39264b20c56ed0b8107f24f40b96bd
SHA512 d30790bb701a39e9e3c22e4ccb2af090a002700c51c2345fb12ed864ead488446367abc083613f0603288f974f5cc4560d34124a118de25e9866e431a1071293

C:\Windows\SysWOW64\Kantuk.exe.tmp

MD5 5ae8724b166cfe7e34c2145c33427708
SHA1 3126894347c2c37ede8a1246f93e4583b8869001
SHA256 ce1b62abbb7e3d0667a4da9a65060cb12eb258ee1254cc2bf18a8674f47b8532
SHA512 397cf272ae268d9b6561fd1410ad931b8e9b5edeec807102def63c78f834ccc996da694c75312087c9b36cf3c5e8d6c8378f5d37d8205c85f1654325de680144

C:\Aut0exec.bat.tmp

MD5 3785c4a5a20af0d218db13d57bf060ff
SHA1 bbddd460408d6567869b73513efb32b355ee6a5f
SHA256 e08af1c22c3eb0fd041e33819542170422659c23399194b5d25481c9c4939f0d
SHA512 5fc2748d34c231c857a3766015543ce9b27b66690834fd47032bcd507f7d8fa9f0f5d94242eccc6ac000eb6e9428340920cfb08a16f484004cef52f54471d4ce

\Windows\SysWOW64\Kantuk.exe

MD5 9606ce820a8c1a45f3c9e8c49d950bf2
SHA1 1bdc96f791281f8be5d6cfc8ac1a577f28b6a21c
SHA256 ef8f5c8457c8f6d5b7fdce416f1eff86d4b0e9d6957e9e59427dc20c1adb71b4
SHA512 02bc25bc6788f43a1d0033ebd75aff3b41d8654a89824d724c67befb9e81ba67ad72bd7adecbfc1047bd1f893a8bb3c52ca25bff651d74b4600ecd291ca4177e

memory/2244-271-0x0000000000400000-0x0000000000451000-memory.dmp

C:\JPG.ico

MD5 62b7610403ea3ac4776df9eb93bf4ba4
SHA1 b4a6cd17516f8fba679f15eda654928dc44dc502
SHA256 b0fd7ffb4c8f0e4566658a7284ca0652961648aaab44a53c5b9713664b122c29
SHA512 fa1995a21ffe073a15fa00a3a8717492b0a67f3615abe4c7e6bce054bb23cf545e10e21cfe3625b665c8bb199577815dbeccc7c6107cdb49f673b8d53f23888d

memory/792-292-0x0000000000400000-0x0000000000451000-memory.dmp

C:\Windows\SysWOW64\4K51K4.exe

MD5 560f7ce213354dde6cd00e27b74033ad
SHA1 5127606e6339aff976317b10258e2fa9f21ac6c8
SHA256 f2c33a1728e9e497e8ad20dc5a8d5728b0494904b4e9342762622efedbdaf9d2
SHA512 e7f5fcfa46487eb5634b397cd9bcd65ec2ca32f36f062fb73bcfbcf2a6039fcc92934c21803d3645432418c1e3c1cf75c792f5d4d719fbb5e1cd4677a905cc6c

memory/1052-300-0x0000000000400000-0x0000000000451000-memory.dmp

\Windows\SysWOW64\GoldenGhost.exe

MD5 cce8a3b139ae3f3faa51208356c67552
SHA1 39893a298df96eca7bdf6672a40bbbb1b91e39d7
SHA256 134d7945f7347bad94d494f23f22fc55082719144ec382e492b06c39d44eddad
SHA512 a077e1a496c250a5393b21d688a18ec86a852e18f6d21eaaa9b037a4b96f03d7a704e0692eca50648464f99661c3c762816d9b78486adc1dae33f93fbc1b35d5

memory/3044-310-0x0000000000400000-0x0000000000451000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-20 17:54

Reported

2024-10-20 17:57

Platform

win10v2004-20241007-en

Max time kernel

38s

Max time network

112s

Command Line

"C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\"" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\"" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\"" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\"" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\"" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\"" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe" C:\Windows\SysWOW64\K0L4B0R451.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\Kantuk.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\4K51K4.exe N/A

Disables Task Manager via registry modification

evasion

Disables cmd.exe use via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A

Disables use of System Restore points

evasion

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.exe C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nipsvc.exe C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.exe\Debugger = "notepad.exe" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV.exe C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avguard.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nip.exe C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvccf.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avgnt.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\Debugger = "notepad.exe" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nip.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV.exe C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-SE.exe C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nip.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe\Debugger = "notepad.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-SE.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-SE.exe C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avgnt.exe C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avgw.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CClaw.exe C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-SE.exe C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nip.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Njeeves.exe C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV.exe C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nipsvc.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-SE.exe C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcoas.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV.exe C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avgw.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Niu.exe C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvccf.exe C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvccf.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nip.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avguard.exe C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avguard.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nip.exe C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav.exe C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nipsvc.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcoas.exe C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe C:\Windows\SysWOW64\GoldenGhost.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File" C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\Kantuk.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe" C:\Windows\SysWOW64\K0L4B0R451.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\Kantuk.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\K0L4B0R451.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\K0L4B0R451.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File created C:\autorun.inf C:\Windows\SysWOW64\Kantuk.exe N/A
File opened for modification C:\autorun.inf C:\Windows\SysWOW64\Kantuk.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe.tmp C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File opened for modification C:\Windows\SysWOW64\4K51K4.exe.tmp C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File created C:\Windows\SysWOW64\Word.ico C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File opened for modification C:\Windows\SysWOW64\GoldenGhost.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~ C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File opened for modification C:\Windows\SysWOW64\Shell32.com.tmp C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File created C:\Windows\SysWOW64\Rar.ico C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\GoldenGhost.exe C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File created C:\Windows\SysWOW64\Shell32.com C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File created C:\Windows\SysWOW64\Folder.ico C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File created C:\Windows\SysWOW64\Asli.ico C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\GoldenGhost.exe.tmp C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File created C:\Windows\SysWOW64\Rar.ico C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\Kantuk.exe.tmp C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\GoldenGhost.exe.tmp C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\JPG.ico C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File created C:\Windows\SysWOW64\Word.ico C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File created C:\Windows\SysWOW64\Player.ico C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\Shell32.com.tmp C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\JPG.ico C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File created C:\Windows\SysWOW64\Asli.ico C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File opened for modification C:\Windows\SysWOW64\K0L4B0R451.exe.tmp C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\Kantuk.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\Shell32.com C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe.tmp C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\K0L4B0R451.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File created C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows_3D.scr C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\Kantuk.exe C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File created C:\Windows\SysWOW64\Kantuk.exe C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File created C:\Windows\SysWOW64\K0L4B0R451.exe C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File opened for modification C:\Windows\SysWOW64\4K51K4.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File created C:\Windows\SysWOW64\Folder.ico C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\Shell32.com C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File created C:\Windows\SysWOW64\Player.ico C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows_3D.scr C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File created C:\Windows\SysWOW64\GoldenGhost.exe C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File opened for modification C:\Windows\SysWOW64\Kantuk.exe.tmp C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File opened for modification C:\Windows\SysWOW64\K0L4B0R451.exe.tmp C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File opened for modification C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~ C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\4K51K4.exe.tmp C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\K0L4B0R451.exe C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File opened for modification C:\Windows\SysWOW64\4K51K4.exe C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
File created C:\Windows\SysWOW64\4K51K4.exe C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\K0L4B0R451.jpg" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\K0L4B0R451.jpg C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\4K51K4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kantuk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kantuk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\4K51K4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\GoldenGhost.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\TileWallpaper = "0" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\s1159 = "K0L4B0R451" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\s2359 = "K0L4B0R451" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\ C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\s1159 = "K0L4B0R451" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\s2359 = "K0L4B0R451" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\s2359 = "K0L4B0R451" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\s1159 = "K0L4B0R451" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100" C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\ C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\s1159 = "K0L4B0R451" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\s2359 = "K0L4B0R451" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\ C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\s1159 = "K0L4B0R451" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\s2359 = "K0L4B0R451" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\s1159 = "K0L4B0R451" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\WallpaperStyle = "0" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\s2359 = "K0L4B0R451" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\ C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100" C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\ C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr" C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\ C:\Windows\SysWOW64\Kantuk.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\Shell\Edit\Command C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\Shell\Edit\Command C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\Install\command C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\Install\command\ = "logoff.exe" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Install\command\ = "logoff.exe" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\regfile C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\Install\command C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "logoff.exe" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Edit\Command\ = "logoff.exe" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "logoff.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "K0L4B0R451 File" C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\Shell\Edit\Command C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "logoff.exe" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\edit\command\ = "logoff.exe" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "K0L4B0R451 File" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Install\command C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\NeverShowExt = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "K0L4B0R451 File" C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\NeverShowExt = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "logoff.exe" C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "K0L4B0R451 File" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\edit\command\ = "logoff.exe" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Install\command\ = "logoff.exe" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\GoldenGhost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\4K51K4.exe N/A
N/A N/A C:\Windows\SysWOW64\GoldenGhost.exe N/A
N/A N/A C:\Windows\SysWOW64\Kantuk.exe N/A
N/A N/A C:\Windows\SysWOW64\K0L4B0R451.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1068 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
PID 1068 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
PID 1068 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
PID 3908 wrote to memory of 2932 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
PID 3908 wrote to memory of 2932 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
PID 3908 wrote to memory of 2932 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
PID 3908 wrote to memory of 112 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\Kantuk.exe
PID 3908 wrote to memory of 112 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\Kantuk.exe
PID 3908 wrote to memory of 112 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\Kantuk.exe
PID 3908 wrote to memory of 1388 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\4K51K4.exe
PID 3908 wrote to memory of 1388 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\4K51K4.exe
PID 3908 wrote to memory of 1388 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\4K51K4.exe
PID 3908 wrote to memory of 4132 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\K0L4B0R451.exe
PID 3908 wrote to memory of 4132 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\K0L4B0R451.exe
PID 3908 wrote to memory of 4132 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\K0L4B0R451.exe
PID 3908 wrote to memory of 4344 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\GoldenGhost.exe
PID 3908 wrote to memory of 4344 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\GoldenGhost.exe
PID 3908 wrote to memory of 4344 N/A C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe C:\Windows\SysWOW64\GoldenGhost.exe
PID 1068 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe C:\Windows\SysWOW64\Kantuk.exe
PID 1068 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe C:\Windows\SysWOW64\Kantuk.exe
PID 1068 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe C:\Windows\SysWOW64\Kantuk.exe
PID 1068 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe C:\Windows\SysWOW64\4K51K4.exe
PID 1068 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe C:\Windows\SysWOW64\4K51K4.exe
PID 1068 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe C:\Windows\SysWOW64\4K51K4.exe
PID 1068 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe C:\Windows\SysWOW64\K0L4B0R451.exe
PID 1068 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe C:\Windows\SysWOW64\K0L4B0R451.exe
PID 1068 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe C:\Windows\SysWOW64\K0L4B0R451.exe
PID 1068 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe C:\Windows\SysWOW64\GoldenGhost.exe
PID 1068 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe C:\Windows\SysWOW64\GoldenGhost.exe
PID 1068 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe C:\Windows\SysWOW64\GoldenGhost.exe

System policy modification

evasion

Each row gives the action, the registry value written, the writing process and the target (N/A for registry writes). The original sample and all five dropped executables write the same set: DisableTaskMgr, DisableCMD and DisableRegistryTools under Policies\System, and NoViewContextMenu and NoTrayContextMenu under Policies\Explorer, all set to 1, which removes the usual interactive recovery tools from the user. EnableLUA = 1 is the Windows default (UAC on) and does not weaken the host by itself.

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\GoldenGhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Windows\SysWOW64\4K51K4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Windows\SysWOW64\4K51K4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\K0L4B0R451.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1" C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\Kantuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Windows\SysWOW64\Kantuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1" C:\Windows\SysWOW64\GoldenGhost.exe N/A
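The following is an added example, not part of the sandbox report and not code from the sample or the sandbox vendor: it audits a suspect host for the HKLM policy values in this table and for the file-association rewrites shown in the Classes rows above (comfile, batfile, piffile, regfile, VBSFile, inffile). The registry paths and value names are copied from the report; the list of tokens used to judge a shell command as hijacked is an assumption built from the dropped-file names, the `-Remediate` switch is this example's own, and only HKLM is checked because the report shows only HKLM writes.

```powershell
# Added example, not part of the sandbox report: audit (and optionally undo) the
# HKLM policy values and file-association hijacks recorded in the tables above.
# Run in an elevated PowerShell session. The token list used to judge a shell
# command as hijacked is an assumption built from the dropped-file names in the
# report; everything else is copied from the report's registry paths.
[CmdletBinding()]
param([switch]$Remediate)

$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$exp = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Values the sample sets to 1. EnableLUA=1 is deliberately not listed: it is the
# default (UAC on), so its presence proves nothing and removing it changes nothing.
$policyChecks = @(
    @{ Key = $sys; Name = 'DisableTaskMgr' },
    @{ Key = $sys; Name = 'DisableCMD' },
    @{ Key = $sys; Name = 'DisableRegistryTools' },
    @{ Key = $exp; Name = 'NoViewContextMenu' },
    @{ Key = $exp; Name = 'NoTrayContextMenu' }
)

# Shell verbs rewritten or created under HKLM\SOFTWARE\Classes in the report.
$assocChecks = @(
    'comfile\shell\open\command',  'batfile\shell\open\command',
    'piffile\shell\open\command',  'regfile\shell\open\command',
    'regfile\shell\edit\command',  'VBSFile\Shell\Install\command',
    'inffile\shell\Install\command'
)

# Assumption: a shell command that names any dropped binary, the fake winlogon
# directory, or logoff.exe (which the sample wires to the regfile edit verb) is hijacked.
$badTokens = '4K51K4\.exe|Kantuk\.exe|K0L4B0R451\.exe|GoldenGhost\.exe|~A~m~B~u~R~a~D~u~L~|logoff\.exe'

$findings = New-Object System.Collections.Generic.List[object]

foreach ($c in $policyChecks) {
    $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and [int]$item.($c.Name) -eq 1) {
        $findings.Add([pscustomobject]@{ Type = 'Policy'; Location = "$($c.Key)\$($c.Name)"; Value = 1 })
        if ($Remediate) {
            # Caveat: on a domain-joined host these can also be set by Group Policy;
            # confirm with gpresult before removing.
            Remove-ItemProperty -Path $c.Key -Name $c.Name -Force
        }
    }
}

foreach ($sub in $assocChecks) {
    $key  = "HKLM:\SOFTWARE\Classes\$sub"
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $cmd  = if ($item) { $item.'(default)' } else { $null }
    if ($cmd -and $cmd -match $badTokens) {
        $findings.Add([pscustomobject]@{ Type = 'Assoc'; Location = $key; Value = $cmd })
        # Not auto-restored: the correct default differs per verb, and the Install
        # verbs the sample added under VBSFile may simply need deleting. Restore
        # from a clean reference host after confirming the finding.
    }
}

if ($findings.Count -eq 0) { 'No policy or file-association indicators from this report found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

The script only reports association hijacks rather than rewriting them, because a wrong "default" for a shell verb is itself a way to break a host; compare against a known-clean machine before restoring. Samples of this family commonly write the same policy values under HKCU as well, which this report does not show, so extend `$sys` and `$exp` to the HKCU hive if the host's user profiles are in scope.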

Processes

Each process is listed as its image path followed by the command line it was started with; the system32 command lines resolve to SysWOW64 because the 32-bit parent is subject to WOW64 file-system redirection. Two copies of winlogon.exe under ~A~m~B~u~R~a~D~u~L~ and two copies each of Kantuk.exe, 4K51K4.exe, K0L4B0R451.exe and GoldenGhost.exe run, matching the parent/child pairs in the WriteProcessMemory table above.

C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe

"C:\Users\Admin\AppData\Local\Temp\623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344dN.exe"

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe

C:\Windows\SysWOW64\Kantuk.exe

C:\Windows\system32\Kantuk.exe

C:\Windows\SysWOW64\4K51K4.exe

C:\Windows\system32\4K51K4.exe

C:\Windows\SysWOW64\K0L4B0R451.exe

C:\Windows\system32\K0L4B0R451.exe

C:\Windows\SysWOW64\GoldenGhost.exe

C:\Windows\system32\GoldenGhost.exe

C:\Windows\SysWOW64\Kantuk.exe

C:\Windows\system32\Kantuk.exe

C:\Windows\SysWOW64\4K51K4.exe

C:\Windows\system32\4K51K4.exe

C:\Windows\SysWOW64\K0L4B0R451.exe

C:\Windows\system32\K0L4B0R451.exe

C:\Windows\SysWOW64\GoldenGhost.exe

C:\Windows\system32\GoldenGhost.exe

Network

The only traffic recorded is reverse-DNS (in-addr.arpa) lookups through 8.8.8.8 and TLS sessions to tse1.mm.bing.net, a Bing content host. None of it is attributed to a sample process, and no command-and-control traffic was observed in this detonation; the destinations are consistent with Windows background activity rather than sample-originated connections.

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 102.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

Dropped files, interleaved with the memory regions dumped from each process (memory/PID-index-range). The same path appears more than once because the sample writes it more than once (the .tmp entries are intermediate writes under the same name). The first GoldenGhost.exe entry has the same SHA256 as the original sample, i.e. it is a byte-identical self-copy, while later writes to the same names carry different hashes, so hash-only blocking of the dropped names is unreliable and path plus file name is the more stable indicator. Empty.pif in the all-users StartUp folder is one of the persistence artifacts.

memory/1068-0-0x0000000000400000-0x0000000000451000-memory.dmp

C:\Windows\SysWOW64\GoldenGhost.exe

MD5 9d84816304edd977f6562e4dc27ed660
SHA1 de0b1053cdf13bdad55c059950c57d627fe20558
SHA256 623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344d
SHA512 0ca5f5f40f96f2df68aa3a5ac61a596d3e0c879b0599c96274d071e5bc15c04589f0bfddab745f4e81c75e539268f44fa03b4e19072d112e589502f61a9d5392

C:\Aut0exec.bat.tmp

MD5 8adc1390286d84330b7e5afa854864f6
SHA1 76a0c97467ffb7c6768db1a583925f4ac5d343ea
SHA256 258fc246ae48ad041ef48dd2a254d8963e2dd3ca9a6193c7f8c8f2c10c5ac8d1
SHA512 cc757ba68e4bcbd6e17f2ebb59c65efb52efd13b4963f544ec62d233a82345d18900a2120408265fad87c6db132ae6938cf0ada80ea2feafbbd0b2db0cf017fb

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe.tmp

MD5 89f42f35b164016e032bfc2f7a14433b
SHA1 e04b45577fcdcb720dad8f2160083d67cf6aee66
SHA256 f2396aa268e5108565f633c9669e49c8a3a4553950d75a241fa29c1a4347a59e
SHA512 bb071cae4ef95c21c24813e1675a4e013583542ae170121502b593eea1a2f1552fd8b96c75b1c6da873d24f2fde8427032d60080c78404dba00bb6435a45af68

C:\Windows\SysWOW64\Kantuk.exe.tmp

MD5 b534333b14b0b4337e85eb7311f47309
SHA1 4e85ab9f181a47ff3f15224d4690dfd2061241fb
SHA256 35e6f6f176d7e01f665efe5817562c84cae3bc9fa23970a56c56c6cc06923ae6
SHA512 379dca6258116f799e90e62e7ae1760b7d459b9ee5e0bcdabd36c996b501cb76bba29c8a936bcf49df50bd3dfe52e225a3660bcd042253518c7922bf11e8dd67

C:\Windows\SysWOW64\4K51K4.exe

MD5 d199806c9b45bd9e254e5641f74bac42
SHA1 e2541bdc49961577f9af3ee2f7a1409c1d54ef42
SHA256 2adbd571a04f06b4506076f19bed64321d39264b20c56ed0b8107f24f40b96bd
SHA512 d30790bb701a39e9e3c22e4ccb2af090a002700c51c2345fb12ed864ead488446367abc083613f0603288f974f5cc4560d34124a118de25e9866e431a1071293

C:\Windows\SysWOW64\K0L4B0R451.exe.tmp

MD5 1bb4a155de66d427f8725ad8bd1971b2
SHA1 e761e6b692b6c8a3317a538c2810f384d93e07fd
SHA256 3e1662cc61136ba7c7fbda9f51df5e1d83d1d9634170d6ac9dd9f9c82241f19d
SHA512 ee41018e26b885cce832ce968c6ddf0e00c58d037fe5aab931ac0ffa48756a6e5265450b7dc39e4c14d4e1baa0d5ff89c7ca82d6aa5129dbd1d80e0aeeafec2c

C:\Windows\SysWOW64\Shell32.com.tmp

MD5 f1f42ad53e568ba8f62644818db42277
SHA1 92ca621177ad52060b1f8248d3de34f43185e7a1
SHA256 7901086c95b5732fb4d3fd253977a79519db9e28dee015b7682079f2ec1e287b
SHA512 4c66463a0c28005515618528166b4b9bf25d2d710ece7ab8ad09f489c8c1fa76e00aea7342e18df177638223d25e82addb20f635c2cee8616f0cf85ff726a931

C:\Users\Admin\AppData\Local\Temp\Windows_3D.scr.tmp

MD5 5fc1d2ddd9e979533233f4a55479dc86
SHA1 fdad0fce7d5df166dd098c0e16dc276dc97facbd
SHA256 e0dd4e9887406b458a506daba05636ed32438b7568c4fdd85a4862706d73d4dc
SHA512 d2102b68235148b71c9bba7ed6ce4e778f63691363ba91de69680ca3fb8ad0d24ed7de55ef6200debce9fc8f6c3a6987a66d660ba568c9ebc003bdd2ed378f05

C:\Windows\SysWOW64\4K51K4.exe.tmp

MD5 9b29292c1437bcdc1d8b223ef164514b
SHA1 04b351635c8a162fd8fee36f7f916d7f1ce2fd4a
SHA256 7fc1b75a8b0807d8e6c8680c12fb45d439f6e26bb5e00af08bd257a66e2be020
SHA512 9552c19b90cd27fe438415e297ffd4a76a386b6c0f92bc9df53172a871051d248b58856a3ce521146f124956cacf02db3c360d196b2ddca1fe08270d4c6ec72a

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Empty.pif

MD5 ac632c293229f8af9b74176af887dcd0
SHA1 893ab0064dd064e56f135432d381acdacf00313f
SHA256 edbad0aae1398432d1563ba80116ef26f11eef9c88e1e2734c70c8cc9ca1f45f
SHA512 0cec4c02bd2e36b588316ffb7d17ab7c63f10f2c3188b30d5aeffbc4b976dfc4cac64cb0fc8d01db2da7391c404796754a309864b59587bae90b3c23380ec0c5

memory/3908-207-0x0000000000400000-0x0000000000451000-memory.dmp

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

MD5 ff4a2253150d5b39bc4ba5776d1f7cbc
SHA1 173fcb5fc7fda44f8a223a211e3075889639fe24
SHA256 2dfeb957bfee54c073f2eac8c849155178cbc83b4669a31f405d15e8433385b0
SHA512 950c26cdeb5794c54a2f11eb3ff7ea8d98b20914651645d933b4012eeedd2f2a2a9069bdfa9d4ab43c36482819f67a88c40a11d4a3ef9b7720709717fb5a63ad

C:\Windows\SysWOW64\Shell32.com

MD5 54eec0f3d04b92f67499ab31ebd241f3
SHA1 8ac0d83e505afd09435ad042067ad7b7139d0f86
SHA256 aca6a5c443b897195698ce69b66171658b0116d81c05717dc9d42fff0fc81f20
SHA512 15a37e8ea3b325392fdce1cf505d828e7e4c39ee296f30a0b64c42751063ba6d07f5053026390984a42e950187a5efb3e3eea0ca1facb434c1f983eec5ff23f0

C:\Windows\SysWOW64\Kantuk.exe.tmp

MD5 5335cb84bc0f2203c2a5f252b66bcd11
SHA1 7d24e36a0ddf61bd70f1c163a978c13879fafb60
SHA256 7347445faaaa53360c1c6b466da6288ec22e9cb12b01c6ae246332fa90b0e72f
SHA512 6a25df5bf0d0dc742d342b6754ba51be38cc43fef5464d97a7dcdaa7d0714cf0cbf051758174df3d36760edd0e0fea9dab98c9b8530f8cceb0ed341ffc971a87

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\JPG.ico

MD5 62b7610403ea3ac4776df9eb93bf4ba4
SHA1 b4a6cd17516f8fba679f15eda654928dc44dc502
SHA256 b0fd7ffb4c8f0e4566658a7284ca0652961648aaab44a53c5b9713664b122c29
SHA512 fa1995a21ffe073a15fa00a3a8717492b0a67f3615abe4c7e6bce054bb23cf545e10e21cfe3625b665c8bb199577815dbeccc7c6107cdb49f673b8d53f23888d

memory/112-312-0x0000000000400000-0x0000000000451000-memory.dmp

C:\Windows\SysWOW64\K0L4B0R451.exe

MD5 599c69f2d9035e03086a1fdabcc8b89e
SHA1 c30eb72947cc16063474d73618d35cd68b9f4510
SHA256 2f5682c36d46501bbc8393d9eab5d6f7f294d85309b3bc2fa53430df91df60c7
SHA512 7b899127eb7e49ccf027da99bc2df5cd2b6bbf01a2d81824c495a33ac42b947667eea5a74245ad0a2985464892f4a390215ae3e8bed2af4f41221396dfde960a

memory/4132-335-0x0000000000400000-0x0000000000451000-memory.dmp

memory/4344-341-0x0000000000400000-0x0000000000451000-memory.dmp

C:\Windows\SysWOW64\GoldenGhost.exe

MD5 1a738c043865289639f92f3c2bd1bc7b
SHA1 2c0bde3eec759ead9e89f3d2daed8508f6bb2077
SHA256 cb7c8f7ca9b3b00fb771946ce317d2646fbdb37d5126254bd1724c5cf0ffae46
SHA512 927280afd99b7dd89e6a2a3d479641b2445a0741e21ec826361849d91b9d544fdf11918f9e51f9857413bcd2c29582a3c21f4b7bf59ab00abe97a8148ce2d0ae

memory/1388-318-0x0000000000400000-0x0000000000451000-memory.dmp

C:\Windows\SysWOW64\4K51K4.exe

MD5 eda1958effa62fef3d3fe90bc26f1b0e
SHA1 142c56ba2cea1d024bf761c493cec2bca6f08ff0
SHA256 17297418f6025be14eb8a6d341555013da45b419ca611dafb4514a7fde0bbcfb
SHA512 20269e129a108d22413bcc9eaa6bb50625973b95cdba928060377f0e7f2f5c85b7dd4a9b0c2fa3a543b05e26bf2c070597a8a78cd2aaf4e35d9bee0e300d9c6e

C:\Windows\SysWOW64\Kantuk.exe

MD5 c6928f8a5bc39daf43c7202d21464ae7
SHA1 99a70e3c7a63c89ea8e54226b314c590281d3a49
SHA256 b4e2c1a4b46bd40aeb6ad46736e0a07d5c17ac545f846472fe5727e33d0e2c39
SHA512 a5b62eb329cbc61ffcb9d7453acca3331b24f9179c56ad4acb9007af20e5a71a10c9ec0c6bc827936b54884900f6e232342183ce2f1ca369ec672417c6280916

C:\Windows\SysWOW64\Player.ico

MD5 43be35d4fb3ebc6ca0970f05365440e3
SHA1 87bc28e5d9a6ab0c79a07118ca578726ce61b1bc
SHA256 5a15c1aab77f132e7ce5928996919ed66564c6082a7f94d0a42229c480113fc5
SHA512 b2e24ff3702805d2ff8ecf3ddde8a8e6258965f992f37104c2ed9b763e1448ab32c7609a607e1d90cfba281e7add1e839855656d6453433a42c0d6c8923c9395

C:\Windows\SysWOW64\Folder.ico

MD5 d7f9d9553c172cba8825fa161e8e9851
SHA1 e45bdc6609d9d719e1cefa846f17d3d66332a3a0
SHA256 cd2e513851d519098acef16d191188ac2586d2174dfd1a84f4db7f41a6970086
SHA512 a03a806d9db86c0c4f6f8efc4b40008aa51f1625fc1c703a929bfa57a5caf962119b3c76044775af607d4ee1a8a671e1d0a2be66d19ee551717398f9ddc8ad24

C:\Windows\SysWOW64\Word.ico

MD5 8482935ff2fab6025b44b5a23c750480
SHA1 d770c46d210c0fd302fa035a6054f5ac19f3bd13
SHA256 dcbcdce04483e9d2d8a5d7779b18b7f64cfc06e758b07f671493e38dfb9ab33c
SHA512 00c711d815815a88fc15f73c8cba6a81b2bfc505baff2cc67b456545151fe896029f11127e447c9bbc5a2d5dc561a06a52be9a9f9c0d28e98ea4e174cdd54398

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Empty.pif

MD5 6e1b2b5dec593e298afd25cded4313fc
SHA1 3f9e326a9e9f289fc70c2d2775d521527cfce352
SHA256 e375d381974573ad50fea0bc16923b39b1300754c7bebb17e69c4067d9ff98f0
SHA512 c9864011244dd35b0e292a15a35e603f9ab71331cacadbb48380b63a744945205650548adb7c8c0c9b43809b1f3516f4b7e957d915b4bde8bae4f92fbeddaf46

C:\Windows\SysWOW64\GoldenGhost.exe.tmp

MD5 bab5f490f21e735d7fede320581003f4
SHA1 640a44123c30d5e35d70b424127f134b47c96fa4
SHA256 bf7f18ad52751c2df2445e48a933027062a0a6a346ea972963ecaab5c260f2e3
SHA512 71243e617601c956d4504ff4b5299fa7c4a71b32f18590e7ea9f2fe46fb1d6554adae8e9f0b14f7f2f74a5483380955e300bcee2d5e003e7f6e3af67c861d0e2

C:\Windows\SysWOW64\4K51K4.exe.tmp

MD5 a035393af60476e2e0ea61c7dee229bf
SHA1 b80ac1cebe9108ad2017f44eb7d97ebe0f4cfa40
SHA256 82c21a3f1dce16a3f2085d223c47067ffebf577b9530cdad23f46a7fbef953f8
SHA512 2adcf35a7eb66eada6adb5ecc2156b256fb255b9870f635c9004b9f792f067e51df055c569abae9838f6fd0f8a522a2170334c847cd4ae63fd0419d9c4f4bebf

C:\Aut0exec.bat.tmp

MD5 2d7788e7b87eff4688711d93e8cc9453
SHA1 1dc8a054545aef1c13039b299eb5e36f801ea84f
SHA256 0923c36d9f290e654c832200b1eb9ac4bd5b6fe2c467d53054209700c4334c67
SHA512 76e339616864f34cd83ad81d6ef627155dfb8b155185cff797ca22025ebcc6f3e9295e5dfe9251f22827c766618b6fbc091e7f4528d310a1d7e95f408187dbce

C:\Users\Admin\AppData\Local\Temp\Windows_3D.scr

MD5 98bebb8f8cdc341dbbaf5843dad48805
SHA1 a839cc6f2dfc0eba9ce0e93a440de15815f6be0b
SHA256 831861cb62aeaf194069bac5c1bcc057d90ceb51b3ff24591e188b81b46ed2c4
SHA512 5d0545cf16f0cd16eeb4c7f6681645dc78def3bd4b50ce9a28e0dbe750b09a1dcdaf5cc8e430b49acd090f9159a5ddafcacd2db460edb60aa16d40628801a87c

C:\Windows\SysWOW64\Shell32.com.tmp

MD5 179a1c04de7142bdb24dff2f7c2e9788
SHA1 bb6647b53effffeb640900c0385acdde95f279ae
SHA256 9ca50051aa9bf76fb1a87f7fb92a67d9b45ba367ea875db763270cd30a3ccb0c
SHA512 a0c790b5d221234d139d8995e8a652d31162202f497c18dd96216c9bdb87e799d9c3bd3609b0af684010237a3ecf4af0c85ddf08d46cd891c5bf5377454e53ae

C:\Windows\SysWOW64\K0L4B0R451.exe.tmp

MD5 85d0d323287a19ef7bceeaf0d0133c06
SHA1 e06676b1324fcf54c0ebc92423a8368a00a0301c
SHA256 59001f70eacb43c270612c5715f1ec26ba9b2d704ac390700e4fd98df5b39908
SHA512 67bf36f9e36730111cb75045be811eeb923f4803b121e4740e962f11ee96cc085a739ddd9a12a5b80c155bb8cb971d6d783705388c504a40929026f65235e7da

C:\Windows\SysWOW64\Kantuk.exe.tmp

MD5 23853cc6aa4086715f3d3a86db60096a
SHA1 d72cd79f619457833138816dfe75605a59f2a2ee
SHA256 17ff6f36800f502727263cdbe26814a2b7a6d4884886b625f29589434e922675
SHA512 9b2f175eb60f5d8f47d35f62e6c0ae205582916a10de3dcd10fe4c6e10765c002f1ec82caaadc0775d346e45a81bd0e4c82ace67d75d13861bf817cbd61a4191

C:\Aut0exec.bat.tmp

MD5 60631443dc5b622c32bda326a175c03d
SHA1 2851a9303dcbc70f753d341b6393b36bc8e4be66
SHA256 74c618214fe85888807a7d057d6dc891677d3a4e1a4673e32d7d7124d2c1f192
SHA512 3d6ecc68181eb76c82538c2587d32050d3c6d29def46bb5e62bada6f2e3831b59442aa8577073128ccb4c9fe4caf1c16e1cf204b00263203e43a9123446e967f

C:\Windows\SysWOW64\GoldenGhost.exe.tmp

MD5 0de5ad86e6b9e486ac7d1d4381ee9414
SHA1 5661b45867fcae161d74877e30dab1c52d81050d
SHA256 a85a0139aa64940150a3a2b42a13457b11afa98af15194a88d60ca9a2a89e640
SHA512 b2b6af6c943e61e4bdbbd4db7d66767b14ebd1a47e71a19176ad4d09b27a80fa9a62ccb9bcc2e9b0be757432ee83d4265c7d37e76420b40d89f163802642342d
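The following is an added example, not part of the sandbox report and not code from the sample or the sandbox vendor: it sweeps a host for the dropped paths listed in this section and classifies each as absent, present with a SHA256 the report recorded, or present with a hash the report does not know. Paths and hashes are copied from the Files table; generalising the per-user Temp path to every profile under C:\Users and the `Test-DroppedFile` function name are this example's own assumptions.

```powershell
# Added example, not part of the sandbox report: sweep a host for the dropped
# files listed above. Hashes and paths are copied from the Files table; the
# per-user Temp path is generalised to every profile under C:\Users (an
# assumption, since the report only shows the Admin profile).

# Report paths mapped to the SHA256 values recorded for them. Several paths were
# written more than once with different content, so a path can carry several
# hashes; an empty list means the report shows only .tmp writes for that name.
$iocs = [ordered]@{
    'C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe' = @(
        '2dfeb957bfee54c073f2eac8c849155178cbc83b4669a31f405d15e8433385b0')
    # First hash below is the original sample itself (byte-identical self-copy).
    'C:\Windows\SysWOW64\GoldenGhost.exe' = @(
        '623cb42b885ac024b94f63036aed53db34d068b01e9750c3ac257af9b179344d'
        'cb7c8f7ca9b3b00fb771946ce317d2646fbdb37d5126254bd1724c5cf0ffae46')
    'C:\Windows\SysWOW64\4K51K4.exe' = @(
        '2adbd571a04f06b4506076f19bed64321d39264b20c56ed0b8107f24f40b96bd'
        '17297418f6025be14eb8a6d341555013da45b419ca611dafb4514a7fde0bbcfb')
    'C:\Windows\SysWOW64\K0L4B0R451.exe' = @(
        '2f5682c36d46501bbc8393d9eab5d6f7f294d85309b3bc2fa53430df91df60c7')
    'C:\Windows\SysWOW64\Kantuk.exe' = @(
        'b4e2c1a4b46bd40aeb6ad46736e0a07d5c17ac545f846472fe5727e33d0e2c39')
    'C:\Windows\SysWOW64\Shell32.com' = @(
        'aca6a5c443b897195698ce69b66171658b0116d81c05717dc9d42fff0fc81f20')
    'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Empty.pif' = @(
        'edbad0aae1398432d1563ba80116ef26f11eef9c88e1e2734c70c8cc9ca1f45f'
        'e375d381974573ad50fea0bc16923b39b1300754c7bebb17e69c4067d9ff98f0')
    'C:\Users\*\AppData\Local\Temp\Windows_3D.scr' = @(
        '831861cb62aeaf194069bac5c1bcc057d90ceb51b3ff24591e188b81b46ed2c4')
    'C:\Aut0exec.bat' = @()
}

function Test-DroppedFile {
    # Resolve the path (wildcards allowed), hash every match and compare to the report.
    param([string]$Pattern, [string[]]$KnownHashes)
    $hits = @(Resolve-Path -Path $Pattern -ErrorAction SilentlyContinue)
    if ($hits.Count -eq 0) {
        return [pscustomobject]@{ Path = $Pattern; Status = 'absent'; SHA256 = $null }
    }
    foreach ($h in $hits) {
        $sha = (Get-FileHash -Path $h.Path -Algorithm SHA256).Hash.ToLower()
        $status = if ($KnownHashes.Count -eq 0) { 'present, no reference hash in report' }
                  elseif ($KnownHashes -contains $sha) { 'present, hash in report' }
                  else { 'present, hash NOT in report (rewritten copy or variant)' }
        [pscustomobject]@{ Path = $h.Path; Status = $status; SHA256 = $sha }
    }
}

$results = foreach ($entry in $iocs.GetEnumerator()) {
    Test-DroppedFile -Pattern $entry.Key -KnownHashes $entry.Value
}
$results | Format-Table -AutoSize -Wrap
```

A "present, hash NOT in report" result is still a finding: the report itself shows the same names being rewritten with different content during one detonation, so treat the path and name as the indicator and the hash as corroboration only. The .tmp names and the icon files (JPG.ico, Player.ico, Folder.ico, Word.ico) are omitted as low-value, but can be added to `$iocs` in the same way.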