Analysis

max time kernel: 148s
max time network: 48s
platform: windows7_x64
resource: win7v20210410
submitted: 05-05-2021 11:07

Static task: static1

Behavioral task: behavioral1
Sample: c9915631_by_Libranalysis.exe
Resource: win7v20210410

Behavioral task: behavioral2
Sample: c9915631_by_Libranalysis.exe
Resource: win10v20210410

General

Target: c9915631_by_Libranalysis.exe
Size: 124KB
MD5: c9915631dd271219bf51fe0a46a1d8ff
SHA1: 7d6b0dd72dd6dd3261b0f30525c6860f86de012f
SHA256: 1c958bc2a268ce3f104a35882f694f8bead71015937bfb99b0986400ab29d703
SHA512: 045d441879636ebc9c6a25994a6aa08172bec3756829bba7b2eb188ee1585d7659f77e43d505c61032a5d36815f205f29b875ae5354fe13857941f366dae0941

Malware Config

Signatures
Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
Processes: c9915631_by_Libranalysis.exe, Gaara.exe, csrss.exe, Kazekage.exe, system32.exe, smss.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | c9915631_by_Libranalysis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | c9915631_by_Libranalysis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | smss.exe
Modifies visibility of file extensions in Explorer (2 TTPs)

Modifies visibility of hidden/system files in Explorer (2 TTPs)

Disables RegEdit via registry modification

Disables use of System Restore points (1 TTP)
Drops file in Drivers directory (24 IoCs)
Processes: c9915631_by_Libranalysis.exe, smss.exe, Kazekage.exe, system32.exe, csrss.exe, Gaara.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | c9915631_by_Libranalysis.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | c9915631_by_Libranalysis.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | c9915631_by_Libranalysis.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | c9915631_by_Libranalysis.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
Executes dropped EXE (30 IoCs)
Processes: smss.exe, Gaara.exe, csrss.exe, Kazekage.exe, system32.exe
pid | process
1980 | smss.exe
1776 | smss.exe
1724 | Gaara.exe
1068 | smss.exe
1848 | Gaara.exe
1648 | csrss.exe
816 | smss.exe
268 | Gaara.exe
992 | csrss.exe
2012 | Kazekage.exe
1696 | smss.exe
1692 | Gaara.exe
1764 | csrss.exe
1604 | Kazekage.exe
1608 | system32.exe
1828 | smss.exe
420 | Gaara.exe
1104 | csrss.exe
1944 | Kazekage.exe
1740 | system32.exe
1888 | system32.exe
1212 | Kazekage.exe
1628 | system32.exe
1772 | csrss.exe
1420 | Kazekage.exe
1776 | system32.exe
1760 | Gaara.exe
1764 | csrss.exe
1008 | Kazekage.exe
528 | system32.exe
Sets file execution options in registry (2 TTPs)
Loads dropped DLL (63 IoCs)
Processes: c9915631_by_Libranalysis.exe, smss.exe, Gaara.exe, csrss.exe, Kazekage.exe, system32.exe
pid | process
1996 | c9915631_by_Libranalysis.exe
1996 | c9915631_by_Libranalysis.exe
1980 | smss.exe
1980 | smss.exe
1776 | smss.exe
1980 | smss.exe
1980 | smss.exe
1724 | Gaara.exe
1724 | Gaara.exe
1724 | Gaara.exe
1068 | smss.exe
1724 | Gaara.exe
1848 | Gaara.exe
1724 | Gaara.exe
1724 | Gaara.exe
1648 | csrss.exe
1648 | csrss.exe
816 | smss.exe
1648 | csrss.exe
268 | Gaara.exe
992 | csrss.exe
1648 | csrss.exe
1648 | csrss.exe
2012 | Kazekage.exe
1696 | smss.exe
2012 | Kazekage.exe
1692 | Gaara.exe
2012 | Kazekage.exe
1764 | csrss.exe
2012 | Kazekage.exe
2012 | Kazekage.exe
2012 | Kazekage.exe
2012 | Kazekage.exe
1608 | system32.exe
1828 | smss.exe
1608 | system32.exe
420 | Gaara.exe
1608 | system32.exe
1104 | csrss.exe
1608 | system32.exe
1608 | system32.exe
1608 | system32.exe
1608 | system32.exe
1648 | csrss.exe
1648 | csrss.exe
1724 | Gaara.exe
1724 | Gaara.exe
1724 | Gaara.exe
1724 | Gaara.exe
1980 | smss.exe
1772 | csrss.exe
1980 | smss.exe
1980 | smss.exe
1980 | smss.exe
1980 | smss.exe
1996 | c9915631_by_Libranalysis.exe
1760 | Gaara.exe
1996 | c9915631_by_Libranalysis.exe
1764 | csrss.exe
1996 | c9915631_by_Libranalysis.exe
1996 | c9915631_by_Libranalysis.exe
1996 | c9915631_by_Libranalysis.exe
1996 | c9915631_by_Libranalysis.exe
Adds Run key to start application (2 TTPs, 30 IoCs)
Processes: system32.exe, c9915631_by_Libranalysis.exe, csrss.exe, smss.exe, Gaara.exe, Kazekage.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 5 - 5 - 2021\\Gaara.exe" | c9915631_by_Libranalysis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "5-5-2021.exe" | c9915631_by_Libranalysis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "5-5-2021.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 5 - 5 - 2021\\Gaara.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 5 - 5 - 2021\\smss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | c9915631_by_Libranalysis.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "5-5-2021.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 5 - 5 - 2021\\Gaara.exe" | Kazekage.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 5 - 5 - 2021\\smss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "5-5-2021.exe" | system32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 5 - 5 - 2021\\smss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 5 - 5 - 2021\\Gaara.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "5-5-2021.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 5 - 5 - 2021\\smss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "5-5-2021.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 5 - 5 - 2021\\Gaara.exe" | system32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | c9915631_by_Libranalysis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 5 - 5 - 2021\\smss.exe" | smss.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 5 - 5 - 2021\\smss.exe" | c9915631_by_Libranalysis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 5 - 5 - 2021\\Gaara.exe" | smss.exe
Processes: system32.exe, c9915631_by_Libranalysis.exe, smss.exe, Gaara.exe, csrss.exe, Kazekage.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | c9915631_by_Libranalysis.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Drops desktop.ini file(s) (64 IoCs)
Processes: csrss.exe, Kazekage.exe, smss.exe, Gaara.exe, system32.exe, c9915631_by_Libranalysis.exe
description | ioc | process
File opened for modification | \??\P:\Desktop.ini | csrss.exe
File opened for modification | \??\N:\Desktop.ini | Kazekage.exe
File opened for modification | \??\V:\Desktop.ini | smss.exe
File opened for modification | \??\M:\Desktop.ini | Gaara.exe
File opened for modification | \??\Y:\Desktop.ini | Gaara.exe
File opened for modification | \??\Z:\Desktop.ini | Gaara.exe
File opened for modification | \??\J:\Desktop.ini | csrss.exe
File opened for modification | \??\S:\Desktop.ini | system32.exe
File opened for modification | \??\F:\Desktop.ini | smss.exe
File opened for modification | \??\Z:\Desktop.ini | c9915631_by_Libranalysis.exe
File opened for modification | \??\I:\Desktop.ini | Gaara.exe
File opened for modification | \??\W:\Desktop.ini | csrss.exe
File opened for modification | C:\Desktop.ini | Gaara.exe
File opened for modification | \??\F:\Desktop.ini | Kazekage.exe
File opened for modification | \??\B:\Desktop.ini | smss.exe
File opened for modification | \??\Z:\Desktop.ini | system32.exe
File opened for modification | \??\Y:\Desktop.ini | c9915631_by_Libranalysis.exe
File opened for modification | \??\K:\Desktop.ini | Gaara.exe
File opened for modification | \??\H:\Desktop.ini | csrss.exe
File opened for modification | D:\Desktop.ini | Gaara.exe
File opened for modification | \??\P:\Desktop.ini | Gaara.exe
File opened for modification | \??\U:\Desktop.ini | Gaara.exe
File opened for modification | \??\W:\Desktop.ini | Gaara.exe
File opened for modification | \??\W:\Desktop.ini | system32.exe
File opened for modification | \??\O:\Desktop.ini | Kazekage.exe
File opened for modification | \??\A:\Desktop.ini | system32.exe
File opened for modification | \??\J:\Desktop.ini | c9915631_by_Libranalysis.exe
File opened for modification | \??\M:\Desktop.ini | c9915631_by_Libranalysis.exe
File opened for modification | \??\W:\Desktop.ini | c9915631_by_Libranalysis.exe
File opened for modification | \??\Z:\Desktop.ini | smss.exe
File opened for modification | \??\N:\Desktop.ini | Gaara.exe
File opened for modification | \??\B:\Desktop.ini | csrss.exe
File opened for modification | \??\V:\Desktop.ini | Gaara.exe
File opened for modification | \??\F:\Desktop.ini | csrss.exe
File opened for modification | \??\X:\Desktop.ini | csrss.exe
File opened for modification | \??\K:\Desktop.ini | system32.exe
File opened for modification | \??\R:\Desktop.ini | c9915631_by_Libranalysis.exe
File opened for modification | \??\N:\Desktop.ini | csrss.exe
File opened for modification | \??\V:\Desktop.ini | csrss.exe
File opened for modification | \??\Y:\Desktop.ini | csrss.exe
File opened for modification | \??\B:\Desktop.ini | Kazekage.exe
File opened for modification | \??\W:\Desktop.ini | Kazekage.exe
File opened for modification | \??\X:\Desktop.ini | system32.exe
File opened for modification | \??\I:\Desktop.ini | smss.exe
File opened for modification | \??\V:\Desktop.ini | c9915631_by_Libranalysis.exe
File opened for modification | \??\O:\Desktop.ini | csrss.exe
File opened for modification | \??\O:\Desktop.ini | smss.exe
File opened for modification | \??\U:\Desktop.ini | smss.exe
File opened for modification | \??\J:\Desktop.ini | Gaara.exe
File opened for modification | \??\R:\Desktop.ini | Gaara.exe
File opened for modification | \??\M:\Desktop.ini | smss.exe
File opened for modification | \??\N:\Desktop.ini | smss.exe
File opened for modification | \??\X:\Desktop.ini | smss.exe
File opened for modification | \??\V:\Desktop.ini | Kazekage.exe
File opened for modification | \??\F:\Desktop.ini | system32.exe
File opened for modification | \??\B:\Desktop.ini | Gaara.exe
File opened for modification | \??\M:\Desktop.ini | csrss.exe
File opened for modification | \??\G:\Desktop.ini | smss.exe
File opened for modification | \??\U:\Desktop.ini | csrss.exe
File opened for modification | \??\T:\Desktop.ini | Kazekage.exe
File opened for modification | C:\Desktop.ini | system32.exe
File opened for modification | \??\L:\Desktop.ini | system32.exe
File opened for modification | \??\G:\Desktop.ini | Kazekage.exe
File opened for modification | \??\G:\Desktop.ini | csrss.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: csrss.exe, Kazekage.exe, c9915631_by_Libranalysis.exe, system32.exe, Gaara.exe, smss.exe
description | ioc | process
File opened (read-only) | \??\I: | csrss.exe
File opened (read-only) | \??\J: | csrss.exe
File opened (read-only) | \??\Z: | csrss.exe
File opened (read-only) | \??\S: | Kazekage.exe
File opened (read-only) | \??\T: | Kazekage.exe
File opened (read-only) | \??\A: | c9915631_by_Libranalysis.exe
File opened (read-only) | \??\B: | c9915631_by_Libranalysis.exe
File opened (read-only) | \??\J: | c9915631_by_Libranalysis.exe
File opened (read-only) | \??\M: | system32.exe
File opened (read-only) | \??\K: | Gaara.exe
File opened (read-only) | \??\H: | csrss.exe
File opened (read-only) | \??\E: | Kazekage.exe
File opened (read-only) | \??\G: | c9915631_by_Libranalysis.exe
File opened (read-only) | \??\L: | c9915631_by_Libranalysis.exe
File opened (read-only) | \??\O: | system32.exe
File opened (read-only) | \??\Y: | system32.exe
File opened (read-only) | \??\T: | smss.exe
File opened (read-only) | \??\T: | Gaara.exe
File opened (read-only) | \??\U: | Gaara.exe
File opened (read-only) | \??\X: | smss.exe
File opened (read-only) | \??\H: | Gaara.exe
File opened (read-only) | \??\M: | csrss.exe
File opened (read-only) | \??\X: | csrss.exe
File opened (read-only) | \??\A: | Kazekage.exe
File opened (read-only) | \??\W: | smss.exe
File opened (read-only) | \??\S: | Gaara.exe
File opened (read-only) | \??\J: | Kazekage.exe
File opened (read-only) | \??\I: | smss.exe
File opened (read-only) | \??\Y: | smss.exe
File opened (read-only) | \??\I: | Gaara.exe
File opened (read-only) | \??\W: | Gaara.exe
File opened (read-only) | \??\V: | Kazekage.exe
File opened (read-only) | \??\Y: | Kazekage.exe
File opened (read-only) | \??\P: | system32.exe
File opened (read-only) | \??\S: | system32.exe
File opened (read-only) | \??\T: | system32.exe
File opened (read-only) | \??\B: | Gaara.exe
File opened (read-only) | \??\R: | csrss.exe
File opened (read-only) | \??\M: | Gaara.exe
File opened (read-only) | \??\H: | Kazekage.exe
File opened (read-only) | \??\N: | c9915631_by_Libranalysis.exe
File opened (read-only) | \??\V: | system32.exe
File opened (read-only) | \??\Y: | c9915631_by_Libranalysis.exe
File opened (read-only) | \??\S: | smss.exe
File opened (read-only) | \??\A: | csrss.exe
File opened (read-only) | \??\M: | c9915631_by_Libranalysis.exe
File opened (read-only) | \??\A: | Gaara.exe
File opened (read-only) | \??\J: | smss.exe
File opened (read-only) | \??\P: | Gaara.exe
File opened (read-only) | \??\E: | system32.exe
File opened (read-only) | \??\Q: | system32.exe
File opened (read-only) | \??\U: | smss.exe
File opened (read-only) | \??\E: | c9915631_by_Libranalysis.exe
File opened (read-only) | \??\J: | system32.exe
File opened (read-only) | \??\T: | c9915631_by_Libranalysis.exe
File opened (read-only) | \??\P: | smss.exe
File opened (read-only) | \??\Y: | csrss.exe
File opened (read-only) | \??\K: | c9915631_by_Libranalysis.exe
File opened (read-only) | \??\F: | Gaara.exe
File opened (read-only) | \??\Z: | smss.exe
File opened (read-only) | \??\W: | Kazekage.exe
File opened (read-only) | \??\L: | Gaara.exe
File opened (read-only) | \??\R: | Gaara.exe
File opened (read-only) | \??\V: | csrss.exe
Drops autorun.inf file (1 TTP)
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory (38 IoCs)
Processes: c9915631_by_Libranalysis.exe, Gaara.exe, system32.exe, csrss.exe, Kazekage.exe, smss.exe
description | ioc | process
File created | C:\Windows\SysWOW64\msvbvm60.dll | c9915631_by_Libranalysis.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\ | system32.exe
File opened for modification | C:\Windows\SysWOW64\5-5-2021.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\5-5-2021.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | smss.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\ | csrss.exe
File opened for modification | C:\Windows\SysWOW64\5-5-2021.exe | c9915631_by_Libranalysis.exe
File opened for modification | C:\Windows\SysWOW64\5-5-2021.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | c9915631_by_Libranalysis.exe
File opened for modification | C:\Windows\SysWOW64\ | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | Kazekage.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\SysWOW64\5-5-2021.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | csrss.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | csrss.exe
File created | C:\Windows\SysWOW64\5-5-2021.exe | c9915631_by_Libranalysis.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | smss.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | system32.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | c9915631_by_Libranalysis.exe
File opened for modification | C:\Windows\SysWOW64\ | c9915631_by_Libranalysis.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | csrss.exe
File created | C:\Windows\SysWOW64\Desktop.ini | c9915631_by_Libranalysis.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | c9915631_by_Libranalysis.exe
File opened for modification | C:\Windows\SysWOW64\ | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | system32.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | system32.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | Kazekage.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | csrss.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\5-5-2021.exe | system32.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | system32.exe
File opened for modification | C:\Windows\SysWOW64\ | smss.exe
Sets desktop wallpaper using registry (2 TTPs, 6 IoCs)
Processes: c9915631_by_Libranalysis.exe, smss.exe, Gaara.exe, csrss.exe, Kazekage.exe, system32.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | c9915631_by_Libranalysis.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | system32.exe
Drops file in Windows directory (64 IoCs)
Processes: smss.exe, Kazekage.exe, c9915631_by_Libranalysis.exe, csrss.exe, system32.exe, Gaara.exe
description | ioc | process
File opened for modification | C:\Windows\system\msvbvm60.dll | smss.exe
File created | C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe | Kazekage.exe
File created | C:\Windows\msvbvm60.dll | c9915631_by_Libranalysis.exe
File opened for modification | C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe | csrss.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\system\mscoree.dll | system32.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | system32.exe
File opened for modification | C:\Windows\ | smss.exe
File created | C:\Windows\WBEM\msvbvm60.dll | c9915631_by_Libranalysis.exe
File created | C:\Windows\WBEM\msvbvm60.dll | Gaara.exe
File created | C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe | csrss.exe
File created | C:\Windows\Fonts\Admin 5 - 5 - 2021\msvbvm60.dll | Kazekage.exe
File created | C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe | system32.exe
File opened for modification | C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe | system32.exe
File opened for modification | C:\Windows\mscomctl.ocx | smss.exe
File opened for modification | C:\Windows\system\mscoree.dll | Gaara.exe
File opened for modification | C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe | smss.exe
File created | C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe | Gaara.exe
File opened for modification | C:\Windows\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe | Kazekage.exe
File created | C:\Windows\mscomctl.ocx | c9915631_by_Libranalysis.exe
File created | C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe | c9915631_by_Libranalysis.exe
File opened for modification | C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe | csrss.exe
File created | C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe | Kazekage.exe
File created | C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe | Kazekage.exe
File opened for modification | C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe | c9915631_by_Libranalysis.exe
File opened for modification | C:\Windows\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe | Gaara.exe
File opened for modification | C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe | csrss.exe
File opened for modification | C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe | system32.exe
File opened for modification | C:\Windows\ | system32.exe
File created | C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe | c9915631_by_Libranalysis.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | csrss.exe
File created | C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe | csrss.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | Kazekage.exe
File created | C:\Windows\WBEM\msvbvm60.dll | system32.exe
File opened for modification | C:\Windows\ | c9915631_by_Libranalysis.exe
File opened for modification | C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe | Gaara.exe
File opened for modification | C:\Windows\system\mscoree.dll | smss.exe
File created | C:\Windows\Fonts\Admin 5 - 5 - 2021\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe | Gaara.exe
File opened for modification | C:\Windows\system\mscoree.dll | Kazekage.exe
File opened for modification | C:\Windows\msvbvm60.dll | Kazekage.exe
File created | C:\Windows\Fonts\The Kazekage.jpg | c9915631_by_Libranalysis.exe
File opened for modification | C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe | c9915631_by_Libranalysis.exe
File created | C:\Windows\WBEM\msvbvm60.dll | smss.exe
File created | C:\Windows\WBEM\msvbvm60.dll | csrss.exe
File created | C:\Windows\WBEM\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\mscomctl.ocx | csrss.exe
File opened for modification | C:\Windows\system\mscoree.dll | c9915631_by_Libranalysis.exe
File created | C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe | Gaara.exe
File created | C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe | system32.exe
File opened for modification | C:\Windows\mscomctl.ocx | Gaara.exe
File opened for modification | C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe | smss.exe
File created | C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe | smss.exe
File opened for modification | C:\Windows\msvbvm60.dll | system32.exe
File created | C:\Windows\Fonts\Admin 5 - 5 - 2021\msvbvm60.dll | c9915631_by_Libranalysis.exe
File opened for modification | C:\Windows\system\mscoree.dll | csrss.exe
File created | C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe | csrss.exe
File created | C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe | system32.exe
File opened for modification | C:\Windows\mscomctl.ocx | c9915631_by_Libranalysis.exe
File created | C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe | smss.exe
File created | C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe | Gaara.exe
File opened for modification | C:\Windows\ | csrss.exe
Modifies Control Panel (64 IoCs)
Processes: Kazekage.exe, system32.exe, c9915631_by_Libranalysis.exe, Gaara.exe, smss.exe, csrss.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | c9915631_by_Libranalysis.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\WallpaperStyle = "2" | Gaara.exe
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\Size = "72" | c9915631_by_Libranalysis.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | c9915631_by_Libranalysis.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | c9915631_by_Libranalysis.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\WallpaperStyle = "2" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\WallpaperStyle = "2" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\Size = "72" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | c9915631_by_Libranalysis.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | c9915631_by_Libranalysis.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\WallpaperStyle = "2" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | c9915631_by_Libranalysis.exe
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee | c9915631_by_Libranalysis.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | system32.exe
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | c9915631_by_Libranalysis.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | Kazekage.exe
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\Size = "72" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | Gaara.exe
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\Size = "72" | system32.exe
Set value (str)
\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" c9915631_by_Libranalysis.exe Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\Speed = "4" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" smss.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" Gaara.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\WallpaperStyle = "2" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" csrss.exe -
Processes:
- Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main (Gaara.exe, system32.exe, c9915631_by_Libranalysis.exe, smss.exe, csrss.exe, Kazekage.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" (smss.exe, Gaara.exe, csrss.exe, system32.exe, Kazekage.exe, c9915631_by_Libranalysis.exe)
-
Modifies registry class 48 IoCs
Processes:
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command (c9915631_by_Libranalysis.exe, Gaara.exe, csrss.exe, system32.exe, Kazekage.exe, smss.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command (system32.exe, c9915631_by_Libranalysis.exe, Kazekage.exe, csrss.exe, smss.exe, Gaara.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command (Gaara.exe, system32.exe, smss.exe, Kazekage.exe, c9915631_by_Libranalysis.exe, csrss.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command (csrss.exe, smss.exe, Gaara.exe, system32.exe, Kazekage.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" (smss.exe, system32.exe, csrss.exe, Gaara.exe, Kazekage.exe, c9915631_by_Libranalysis.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" (smss.exe, Gaara.exe, system32.exe, Kazekage.exe, c9915631_by_Libranalysis.exe, csrss.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" (Kazekage.exe, c9915631_by_Libranalysis.exe, Gaara.exe, system32.exe, smss.exe, csrss.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" (system32.exe, Gaara.exe, csrss.exe, Kazekage.exe, c9915631_by_Libranalysis.exe, smss.exe)
-
Runs ping.exe 1 TTPs 34 IoCs
Processes:
34 ping.exe processes, PIDs: 796, 1756, 2032, 860, 1392, 328, 112, 1660, 1300, 328, 1140, 1852, 628, 520, 1480, 1060, 552, 336, 984, 1352, 548, 1744, 588, 844, 1780, 1156, 1056, 668, 1696, 1944, 1696, 1176, 668, 1840
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- csrss.exe (PID 1648): 12 events
- Kazekage.exe (PID 2012): 12 events
- system32.exe (PID 1608): 12 events
- c9915631_by_Libranalysis.exe (PID 1996): 12 events
- smss.exe (PID 1980): 12 events
- Gaara.exe (PID 1724): 4 events
-
Suspicious use of SetWindowsHookEx 31 IoCs
Processes:
PID and process: 1996 c9915631_by_Libranalysis.exe, 1980 smss.exe, 1776 smss.exe, 1724 Gaara.exe, 1068 smss.exe, 1848 Gaara.exe, 1648 csrss.exe, 816 smss.exe, 268 Gaara.exe, 992 csrss.exe, 2012 Kazekage.exe, 1696 smss.exe, 1692 Gaara.exe, 1764 csrss.exe, 1604 Kazekage.exe, 1608 system32.exe, 1828 smss.exe, 420 Gaara.exe, 1104 csrss.exe, 1944 Kazekage.exe, 1740 system32.exe, 1888 system32.exe, 1212 Kazekage.exe, 1628 system32.exe, 1772 csrss.exe, 1420 Kazekage.exe, 1776 system32.exe, 1760 Gaara.exe, 1764 csrss.exe, 1008 Kazekage.exe, 528 system32.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Each source wrote to the target process memory 4 times (64 events in total):
- PID 1996 c9915631_by_Libranalysis.exe wrote to memory of PID 1980 smss.exe
- PID 1980 smss.exe wrote to memory of PID 1776 smss.exe
- PID 1980 smss.exe wrote to memory of PID 1724 Gaara.exe
- PID 1724 Gaara.exe wrote to memory of PID 1068 smss.exe
- PID 1724 Gaara.exe wrote to memory of PID 1848 Gaara.exe
- PID 1724 Gaara.exe wrote to memory of PID 1648 csrss.exe
- PID 1648 csrss.exe wrote to memory of PID 816 smss.exe
- PID 1648 csrss.exe wrote to memory of PID 268 Gaara.exe
- PID 1648 csrss.exe wrote to memory of PID 992 csrss.exe
- PID 1648 csrss.exe wrote to memory of PID 2012 Kazekage.exe
- PID 2012 Kazekage.exe wrote to memory of PID 1696 smss.exe
- PID 2012 Kazekage.exe wrote to memory of PID 1692 Gaara.exe
- PID 2012 Kazekage.exe wrote to memory of PID 1764 csrss.exe
- PID 2012 Kazekage.exe wrote to memory of PID 1604 Kazekage.exe
- PID 2012 Kazekage.exe wrote to memory of PID 1608 system32.exe
- PID 1608 system32.exe wrote to memory of PID 1828 smss.exe
-
System policy modification 1 TTPs 12 IoCs
Processes:
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (system32.exe, smss.exe, c9915631_by_Libranalysis.exe, Gaara.exe, csrss.exe, Kazekage.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (c9915631_by_Libranalysis.exe, smss.exe, Gaara.exe, csrss.exe, Kazekage.exe, system32.exe)
Processes
-
C:\Users\Admin\AppData\Local\Temp\c9915631_by_Libranalysis.exe (depth 1), command line: "C:\Users\Admin\AppData\Local\Temp\c9915631_by_Libranalysis.exe"
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe (depth 2), command line: "C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe"
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe (depth 3), command line: "C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe (depth 3), command line: "C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe"
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe (depth 4), command line: "C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe (depth 4), command line: "C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe (depth 4), command line: "C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe"
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe (depth 5), command line: "C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe (depth 5), command line: "C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe (depth 5), command line: "C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\drivers\Kazekage.exe (depth 5), command line: C:\Windows\system32\drivers\Kazekage.exe
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe (depth 6), command line: "C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe (depth 6), command line: "C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe (depth 6), command line: "C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\drivers\Kazekage.exe (depth 6), command line: C:\Windows\system32\drivers\Kazekage.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\drivers\system32.exe (depth 6), command line: C:\Windows\system32\drivers\system32.exe
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe (depth 7), command line: "C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe (depth 7), command line: "C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe (depth 7), command line: "C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\drivers\Kazekage.exe (depth 7), command line: C:\Windows\system32\drivers\Kazekage.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\drivers\system32.exe (depth 7), command line: C:\Windows\system32\drivers\system32.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\ping.exe (depth 7), command line: ping -a -l www.rasasayang.com.my 65500
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe (depth 7), command line: ping -a -l www.duniasex.com 65500
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe (depth 7), command line: ping -a -l www.rasasayang.com.my 65500
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe (depth 7), command line: ping -a -l www.duniasex.com 65500
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe (depth 7), command line: ping -a -l www.rasasayang.com.my 65500
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe (depth 7), command line: ping -a -l www.duniasex.com 65500
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe (depth 6), command line: ping -a -l www.rasasayang.com.my 65500
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe (depth 6), command line: ping -a -l www.duniasex.com 65500
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe (depth 6), command line: ping -a -l www.rasasayang.com.my 65500
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe (depth 6), command line: ping -a -l www.duniasex.com 65500
- Runs ping.exe
-
C:\Windows\SysWOW64\drivers\system32.exe (depth 5), command line: C:\Windows\system32\drivers\system32.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\ping.exe (depth 5), command line: ping -a -l www.rasasayang.com.my 65500
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe (depth 5), command line: ping -a -l www.duniasex.com 65500
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe (depth 5), command line: ping -a -l www.rasasayang.com.my 65500
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe (depth 5), command line: ping -a -l www.duniasex.com 65500
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe (depth 5), command line: ping -a -l www.rasasayang.com.my 65500
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe (depth 5), command line: ping -a -l www.duniasex.com 65500
- Runs ping.exe
-
C:\Windows\SysWOW64\drivers\Kazekage.exe (depth 4), command line: C:\Windows\system32\drivers\Kazekage.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\drivers\system32.exe (depth 4), command line: C:\Windows\system32\drivers\system32.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\ping.exe (depth 4), command line: ping -a -l www.rasasayang.com.my 65500
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe (depth 4), command line: ping -a -l www.duniasex.com 65500
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe (depth 4), command line: ping -a -l www.rasasayang.com.my 65500
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe (depth 4), command line: ping -a -l www.duniasex.com 65500
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe (depth 4), command line: ping -a -l www.rasasayang.com.my 65500
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe (depth 4), command line: ping -a -l www.duniasex.com 65500
- Runs ping.exe
-
C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe (depth 3), command line: "C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\drivers\Kazekage.exe (depth 3), command line: C:\Windows\system32\drivers\Kazekage.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\drivers\system32.exe (depth 3), command line: C:\Windows\system32\drivers\system32.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\ping.exe (depth 3), command line: ping -a -l www.rasasayang.com.my 65500
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe (depth 3), command line: ping -a -l www.duniasex.com 65500
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe (depth 3), command line: ping -a -l www.rasasayang.com.my 65500
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe (depth 3), command line: ping -a -l www.duniasex.com 65500
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe (depth 3), command line: ping -a -l www.rasasayang.com.my 65500
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe (depth 3), command line: ping -a -l www.duniasex.com 65500
- Runs ping.exe
-
C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe (depth 2), command line: "C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe (depth 2), command line: "C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\drivers\Kazekage.exe (depth 2), command line: C:\Windows\system32\drivers\Kazekage.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\drivers\system32.exe (depth 2), command line: C:\Windows\system32\drivers\system32.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\ping.exe (depth 2), command line: ping -a -l www.rasasayang.com.my 65500
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe (depth 2), command line: ping -a -l www.duniasex.com 65500
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe (depth 2), command line: ping -a -l www.rasasayang.com.my 65500
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- Runs ping.exe
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
- Winlogon Helper DLL (1)
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (2)
Defense Evasion
- Modify Registry (9)
- Hidden Files and Directories (2)
- Bypass User Account Control (1)
- Disabling Security Tools (1)
Downloads
-
C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe
MD5 d74a5ee9e24ce8b52d93b7ab16b5d5a0
SHA1 99f88e2955c41341c0c62fcac29472ad4790c9b2
SHA256 5d38d473b2ae4cd7eb8dc475347150f68bdde2469b8412755478201d745d0a17
SHA512 67b8d222226d82a280bb128dc78c47b4611fe4c183d12e6f973424ef0546b5b3cfde60ecbe64d53533e7d8848d631232d90ecfde103d9f5e1825e50a3399ceab
-
C:\Windows\Fonts\Admin 5 - 5 - 2021\MSVBVM60.DLL
MD5 5343a19c618bc515ceb1695586c6c137
SHA1 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA256 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe
MD5 5453981a7ec8967178c734842c87a511
SHA1 4437c1763cf4ab9ab4d30e918df8e617c8e6377e
SHA256 8ebc373fc3a0f3c7e625ad88f7f9de30bb4b2119f642525729937247ae373087
SHA512 5442126f9755d15026bd9d451a8cee770cfc9622b341e364a14f22b3d3b99ce6952fe43e643e7ed68f646c63adc2e244930ac5a51e32bb4ab39c7c3fd8705deb
-
C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe
MD5 709797a48af4d80eb2ef4abc6ef4a75b
SHA1 bdd09da0709d9b9691d4629a7e67973105a14da5
SHA256 a044ce96db0cecbd9eccbb30628bd9157ffdc942e251c741409e3f4d4ffdaa2e
SHA512 c8b396c16066c85dff353efcc2795bdfddb4e9932ffe39ee3ae451fde429945a6f0b32f3a17f357c3080225c61465e6fab5b91a702ea2d53e66a758d267639e4
-
C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe
MD5 7546d2c72c6a33de3390703e2046b052
SHA1 a36333936e9174c50f0fe43b0ef14289a626e443
SHA256 7da41258de481f60e1f035dfff1e0f70a85216680ae910cf371bdc3271e93366
SHA512 1ec6a4e5015b1955bc8f784e803009df372d144b06f61dff9030dbd6009a8df0a248d735434e611c5c23af48a0d33c026aa9e69e15bc6d6c6b2b439444cb1acf
-
C:\Windows\Fonts\The Kazekage.jpg
MD5 d6b05020d4a0ec2a3a8b687099e335df
SHA1 df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA512 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff
-
C:\Windows\SysWOW64\5-5-2021.exe
MD5 70f3662e749d408f1cd71fb3be3711c5
SHA1 78563537f70c124246146c6539c60413bd63eaa5
SHA256 d3c0c57f36a82ad2385c28c8127e3e158881d4056ae0958d5ec39c546c785c76
SHA512 c0a5cf2c1cd65bbed90a7164762a1d08a2a5bfa44f7b27cece1c1a8d3ec59ff8437d4e9e3aee64d4c8fe79e9123a4e098b397163545dff9fc56c8dbeec2e4db7
-
C:\Windows\SysWOW64\5-5-2021.exe
MD5 ccb8c53083700be4dc966d9c0b0d1d0f
SHA1 3869271e77f2f298011f26fd05d37e436de8b952
SHA256 e3d01c7eb1f26f330d7a401e49ebf315d721442fe89e0157c26371412afe4f67
SHA512 1a36620c6ea1c83d95eabf809cbcba0dd66ab4b78108e8975a2c46867750d652a64a74c3d801e5dc855443723792838ff01b095644352bf131397043cbfbbc64
-
C:\Windows\SysWOW64\5-5-2021.exe
MD5 d3ef33f561652a65735fb12b65b61d2e
SHA1 d930e3a06e8d6ff1824fb2d746ddddbc5c9b154e
SHA256 17093e990521631c656508b1fc66141eec7a61943b9b9526f3dec41ac1fafeb1
SHA512 9a4d409436eb9c0852aaaeba57f2b99cff73e35e8f3db2d21a601b317c330a2f32bc7f7effbd7f2dc9d1eaa7b656771890d036ce5692803d4ad0f1a0a20399dc
-
C:\Windows\SysWOW64\5-5-2021.exe
MD5 fa559399594488ced5477c3f2e4df2df
SHA1 8be49f2e9e22f431ad5e40b2b1a19f95b196763d
SHA256 ea26443eb344b67469e7e732612475ed707be914f4451886e3027cb7c5c7ccad
SHA512 f3e20c8ca7eb6c8cddcc2fa0d844e3d65b3417bc4f5ce05d851d4ee1eef952bbc4bd46188d62e45c1b413769edce924a7d6a3460bb5083d36ff20901052b47b2
-
C:\Windows\SysWOW64\drivers\Kazekage.exe
MD5 4002866af8490e46df8e63ee05aba853
SHA1 6bd279bcbacdf32495eae6045254717e2c3e130d
SHA256 05c7adbc013efb0127081a5d5c79360716dfdb6c5ae45aa8f9dc8fea02c4ca52
SHA512 725671f4b64d6e9c6efb145425f76effcf19302c2cafe2eff64da062886ab65f4efd1d66d36320e698fde7da1170d326bbb6e4dcfe86d4eb8b653d1e2289357e
-
C:\Windows\SysWOW64\drivers\Kazekage.exe
MD5 9090db50bf7ff111bcaa85f26a830b94
SHA1 ab9c2c7646bf69fee6aa054323783180303e4a70
SHA256 9c02b83d5b3469347397989e7eb947583ca7945e03f313cc05f889c710f49f90
SHA512 0732b502592172067f33d48134028dd2bd29f1894e4b09a0a738a9afb3db99df3b315c3e7aa003a1972e54e86b886181c81d8e46ec1f286e019258b7e2dd68cb
-
C:\Windows\SysWOW64\drivers\Kazekage.exe
MD5 39423b2856cb5ef6dc7178c74f38625c
SHA1 6520e099f3ff56ace3c247e7ed8098448b451858
SHA256 ec2a9c680cc8c5af17da3018775a32b3076c134efdf99cf8822e97c31e9555ba
SHA512 c5bada0c026031cf6cb70d40ac80e2110d30f70edd19b940d4d6b79e73a8d112e85b2194969b2005e26f6e5ab362b7d5f0610456c25305318848091f094703ee
-
C:\Windows\SysWOW64\drivers\system32.exe
MD5 8cf787d0e734bf11ac2cd442df08cec1
SHA1 12498153324626c3558c7cb08fc7cda46f98e628
SHA256 6c32a3547b1192fa932e1f4bb9ad13a0186efa229f068896b92f1ed326fd2271
SHA512 fbcb9ec65603ee505338ea228e240dfd753a42c40c45c7ce97b1f158631ceebf6f9775e5bce4381dc3e21b85228a32662d26d9bd6ed765be1874fd5d8dbba615
-
C:\Windows\SysWOW64\drivers\system32.exe
MD5 5c1d27877beb8527605a49a48a2be85e
SHA1 c5f5223c30abac3d620ce19ad13b249934f32671
SHA256 f08cc37002c2273923c7653b87c12c881179fd9aafac89bfd9fe23d703842378
SHA512 7712ca01a9aaab5529022d1db5871a93225317c72047496433199b0ea0c6cb1a22dc1c4dbe594bc98e511c30aa4a0d50fd7d523a74fe3dba64ee3bffd39de653
-
C:\Windows\SysWOW64\drivers\system32.exe
MD5 fcc820824b1f5731a8b4f1473ce1c3cb
SHA1 75388f5966b6f249ae60934127f8034cc8d5b6c1
SHA256 10b9fed793dc30869020b09c44585ef5bb84ed7d5e31f4ac3cc3aa0c3b7e5a9d
SHA512 cbe52d79bea90b2965b1c9035d3b6bd7a43d21e7e3839e9435c17a1545a75c1dae993325f25b4872fce523990478cd99739313f2991fe6d9dad4c5ef98758ff1
-
C:\Windows\SysWOW64\drivers\system32.exe
MD5 ea3f8fae053ab7dc8bcfab68354116f3
SHA1 de1062ff2ab3b1741d487ec53d7365601e39ed78
SHA256 6816ed78a5efefe207023bb534da612f85681bed01358abfc11020defe687885
SHA512 65801789e235e335fd5ef9063ab48dd2b3bc10cc88d88e31883f94434424d58e25939fa1f5ac58bd89577a8276137bf6d856f115fdf99499459eb6f2c8546d8f
-
C:\Windows\msvbvm60.dll
MD5 5343a19c618bc515ceb1695586c6c137
SHA1 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA256 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
C:\Windows\system\msvbvm60.dll
MD5 5343a19c618bc515ceb1695586c6c137
SHA1 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA256 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe
MD5 d74a5ee9e24ce8b52d93b7ab16b5d5a0
SHA1 99f88e2955c41341c0c62fcac29472ad4790c9b2
SHA256 5d38d473b2ae4cd7eb8dc475347150f68bdde2469b8412755478201d745d0a17
SHA512 67b8d222226d82a280bb128dc78c47b4611fe4c183d12e6f973424ef0546b5b3cfde60ecbe64d53533e7d8848d631232d90ecfde103d9f5e1825e50a3399ceab
-
\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe
MD5 5453981a7ec8967178c734842c87a511
SHA1 4437c1763cf4ab9ab4d30e918df8e617c8e6377e
SHA256 8ebc373fc3a0f3c7e625ad88f7f9de30bb4b2119f642525729937247ae373087
SHA512 5442126f9755d15026bd9d451a8cee770cfc9622b341e364a14f22b3d3b99ce6952fe43e643e7ed68f646c63adc2e244930ac5a51e32bb4ab39c7c3fd8705deb
-
\Windows\Fonts\Admin 5 - 5 - 2021\msvbvm60.dll
MD5 5343a19c618bc515ceb1695586c6c137
SHA1 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA256 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe
MD5 7546d2c72c6a33de3390703e2046b052
SHA1 a36333936e9174c50f0fe43b0ef14289a626e443
SHA256 7da41258de481f60e1f035dfff1e0f70a85216680ae910cf371bdc3271e93366
SHA512 1ec6a4e5015b1955bc8f784e803009df372d144b06f61dff9030dbd6009a8df0a248d735434e611c5c23af48a0d33c026aa9e69e15bc6d6c6b2b439444cb1acf
-
\Windows\SysWOW64\drivers\Kazekage.exe
MD5 9090db50bf7ff111bcaa85f26a830b94
SHA1 ab9c2c7646bf69fee6aa054323783180303e4a70
SHA256 9c02b83d5b3469347397989e7eb947583ca7945e03f313cc05f889c710f49f90
SHA512 0732b502592172067f33d48134028dd2bd29f1894e4b09a0a738a9afb3db99df3b315c3e7aa003a1972e54e86b886181c81d8e46ec1f286e019258b7e2dd68cb
-
memory/112-244-0x0000000000000000-mapping.dmp
-
memory/268-142-0x0000000000000000-mapping.dmp
-
memory/328-235-0x0000000000000000-mapping.dmp
-
memory/328-241-0x0000000000000000-mapping.dmp
-
memory/336-226-0x0000000000000000-mapping.dmp
-
memory/420-191-0x0000000000000000-mapping.dmp
-
memory/520-240-0x0000000000000000-mapping.dmp
-
memory/528-217-0x0000000000000000-mapping.dmp
-
memory/548-238-0x0000000000000000-mapping.dmp
-
memory/552-225-0x0000000000000000-mapping.dmp
-
memory/588-247-0x0000000000000000-mapping.dmp
-
memory/628-239-0x0000000000000000-mapping.dmp
-
memory/668-246-0x0000000000000000-mapping.dmp
-
memory/668-221-0x0000000000000000-mapping.dmp
-
memory/796-223-0x0000000000000000-mapping.dmp
-
memory/816-135-0x0000000000000000-mapping.dmp
-
memory/844-218-0x0000000000000000-mapping.dmp
-
memory/860-251-0x0000000000000000-mapping.dmp
-
memory/984-228-0x0000000000000000-mapping.dmp
-
memory/992-148-0x0000000000000000-mapping.dmp
-
memory/1008-216-0x0000000000000000-mapping.dmp
-
memory/1056-243-0x0000000000000000-mapping.dmp
-
memory/1060-230-0x0000000000000000-mapping.dmp
-
memory/1068-106-0x0000000000000000-mapping.dmp
-
memory/1104-195-0x0000000000000000-mapping.dmp
-
memory/1140-248-0x0000000000000000-mapping.dmp
-
memory/1156-237-0x0000000000000000-mapping.dmp
-
memory/1176-242-0x0000000000000000-mapping.dmp
-
memory/1212-209-0x0000000000000000-mapping.dmp
-
memory/1300-233-0x0000000000000000-mapping.dmp
-
memory/1352-236-0x0000000000000000-mapping.dmp
-
memory/1392-231-0x0000000000000000-mapping.dmp
-
memory/1420-212-0x0000000000000000-mapping.dmp
-
memory/1480-220-0x0000000000000000-mapping.dmp
-
memory/1604-179-0x0000000000000000-mapping.dmp
-
memory/1608-183-0x0000000000000000-mapping.dmp
-
memory/1628-210-0x0000000000000000-mapping.dmp
-
memory/1648-121-0x0000000000000000-mapping.dmp
-
memory/1660-224-0x0000000000000000-mapping.dmp
-
memory/1692-171-0x0000000000000000-mapping.dmp
-
memory/1696-232-0x0000000000000000-mapping.dmp
-
memory/1696-167-0x0000000000000000-mapping.dmp
-
memory/1696-222-0x0000000000000000-mapping.dmp
-
memory/1724-90-0x0000000000000000-mapping.dmp
-
memory/1740-203-0x0000000000000000-mapping.dmp
-
memory/1744-245-0x0000000000000000-mapping.dmp
-
memory/1756-227-0x0000000000000000-mapping.dmp
-
memory/1760-214-0x0000000000000000-mapping.dmp
-
memory/1764-175-0x0000000000000000-mapping.dmp
-
memory/1764-215-0x0000000000000000-mapping.dmp
-
memory/1772-211-0x0000000000000000-mapping.dmp
-
memory/1776-213-0x0000000000000000-mapping.dmp
-
memory/1776-82-0x0000000000000000-mapping.dmp
-
memory/1780-219-0x0000000000000000-mapping.dmp
-
memory/1828-187-0x0000000000000000-mapping.dmp
-
memory/1840-250-0x0000000000000000-mapping.dmp
-
memory/1848-113-0x0000000000000000-mapping.dmp
-
memory/1852-234-0x0000000000000000-mapping.dmp
-
memory/1888-207-0x0000000000000000-mapping.dmp
-
memory/1944-199-0x0000000000000000-mapping.dmp
-
memory/1944-229-0x0000000000000000-mapping.dmp
-
memory/1980-65-0x0000000000000000-mapping.dmp
-
memory/1996-62-0x0000000075D41000-0x0000000075D43000-memory.dmp
Filesize 8KB
-
memory/2012-156-0x0000000000000000-mapping.dmp
-
memory/2032-249-0x0000000000000000-mapping.dmp