Analysis
- max time kernel: 119s
- max time network: 155s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 05-05-2021 11:07

Static task: static1
Behavioral task: behavioral1
- Sample: c9915631_by_Libranalysis.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: c9915631_by_Libranalysis.exe
- Resource: win10v20210410

General
- Target: c9915631_by_Libranalysis.exe
- Size: 124KB
- MD5: c9915631dd271219bf51fe0a46a1d8ff
- SHA1: 7d6b0dd72dd6dd3261b0f30525c6860f86de012f
- SHA256: 1c958bc2a268ce3f104a35882f694f8bead71015937bfb99b0986400ab29d703
- SHA512: 045d441879636ebc9c6a25994a6aa08172bec3756829bba7b2eb188ee1585d7659f77e43d505c61032a5d36815f205f29b875ae5354fe13857941f366dae0941

Malware Config

Signatures
- Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Kazekage.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | smss.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | system32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | system32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | c9915631_by_Libranalysis.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | csrss.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | c9915631_by_Libranalysis.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Kazekage.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | smss.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Gaara.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Gaara.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | csrss.exe
- Modifies visibility of file extensions in Explorer (2 TTPs)
- Modifies visibility of hidden/system files in Explorer (2 TTPs)
- Disables RegEdit via registry modification
- Disables use of System Restore points (1 TTP)
- Drops file in Drivers directory (24 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
  File created | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
  File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
  File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
  File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
  File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
  File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
  File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | c9915631_by_Libranalysis.exe
  File created | C:\Windows\SysWOW64\drivers\system32.exe | c9915631_by_Libranalysis.exe
  File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
  File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
  File created | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
  File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
  File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
  File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
  File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | c9915631_by_Libranalysis.exe
  File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
  File created | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
  File created | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
  File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
  File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
  File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
  File created | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
  File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | c9915631_by_Libranalysis.exe
- Executes dropped EXE (30 IoCs)
  Processes:
  pid | process
  2384 | smss.exe
  2944 | smss.exe
  3100 | Gaara.exe
  1368 | smss.exe
  3784 | Gaara.exe
  1612 | csrss.exe
  1040 | smss.exe
  3816 | Gaara.exe
  2680 | csrss.exe
  1624 | Kazekage.exe
  200 | smss.exe
  3048 | Gaara.exe
  2528 | csrss.exe
  3312 | Kazekage.exe
  3676 | system32.exe
  1376 | smss.exe
  1040 | Gaara.exe
  3800 | csrss.exe
  1196 | Kazekage.exe
  200 | system32.exe
  3776 | system32.exe
  3484 | Kazekage.exe
  3976 | system32.exe
  1664 | csrss.exe
  2388 | Kazekage.exe
  2504 | system32.exe
  2632 | Gaara.exe
  3040 | csrss.exe
  1196 | Kazekage.exe
  3048 | system32.exe
- Sets file execution options in registry (2 TTPs)
- Loads dropped DLL (18 IoCs)
  Processes:
  pid | process
  2384 | smss.exe
  2944 | smss.exe
  3100 | Gaara.exe
  1368 | smss.exe
  3784 | Gaara.exe
  1612 | csrss.exe
  1040 | smss.exe
  3816 | Gaara.exe
  2680 | csrss.exe
  200 | smss.exe
  3048 | Gaara.exe
  2528 | csrss.exe
  1376 | smss.exe
  1040 | Gaara.exe
  3800 | csrss.exe
  1664 | csrss.exe
  2632 | Gaara.exe
  3040 | csrss.exe
- Adds Run key to start application (2 TTPs, 30 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Kazekage.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | smss.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 5 - 5 - 2021\\Gaara.exe" | Gaara.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "5-5-2021.exe" | smss.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "5-5-2021.exe" | csrss.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | c9915631_by_Libranalysis.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | system32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 5 - 5 - 2021\\Gaara.exe" | system32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 5 - 5 - 2021\\Gaara.exe" | csrss.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 5 - 5 - 2021\\smss.exe" | Kazekage.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 5 - 5 - 2021\\smss.exe" | smss.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 5 - 5 - 2021\\smss.exe" | system32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "5-5-2021.exe" | system32.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | csrss.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | system32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 5 - 5 - 2021\\smss.exe" | csrss.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | smss.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | Gaara.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 5 - 5 - 2021\\smss.exe" | Gaara.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "5-5-2021.exe" | Gaara.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Gaara.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 5 - 5 - 2021\\Gaara.exe" | Kazekage.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | csrss.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 5 - 5 - 2021\\smss.exe" | c9915631_by_Libranalysis.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | Kazekage.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 5 - 5 - 2021\\Gaara.exe" | smss.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 5 - 5 - 2021\\Gaara.exe" | c9915631_by_Libranalysis.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | c9915631_by_Libranalysis.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "5-5-2021.exe" | Kazekage.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "5-5-2021.exe" | c9915631_by_Libranalysis.exe
- Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | c9915631_by_Libranalysis.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
- Drops desktop.ini file(s) (64 IoCs)
- Enumerates connected drives (3 TTPs, 64 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops autorun.inf file (1 TTP)
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory (39 IoCs)
- Sets desktop wallpaper using registry (2 TTPs, 6 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Gaara.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | csrss.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Kazekage.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | system32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | c9915631_by_Libranalysis.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | smss.exe
- Drops file in Windows directory (64 IoCs)
- Modifies Control Panel (64 IoCs)
Processes: Kazekage.exe, csrss.exe, c9915631_by_Libranalysis.exe, smss.exe, Gaara.exe, system32.exe
- Kazekage.exe | Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!"
- csrss.exe | Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main
- c9915631_by_Libranalysis.exe | Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!"
- Kazekage.exe | Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main
- smss.exe | Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!"
- Gaara.exe | Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main
- Gaara.exe | Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!"
- system32.exe | Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main
- system32.exe | Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!"
- csrss.exe | Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!"
- c9915631_by_Libranalysis.exe | Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main
- smss.exe | Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main
-
Modifies registry class 48 IoCs
Processes: c9915631_by_Libranalysis.exe, Kazekage.exe, system32.exe, csrss.exe, Gaara.exe, smss.exe
- c9915631_by_Libranalysis.exe | Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command
- Kazekage.exe | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe"
- system32.exe | Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command
- system32.exe | Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command
- csrss.exe | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe"
- csrss.exe | Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command
- Kazekage.exe | Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command
- Gaara.exe | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe"
- c9915631_by_Libranalysis.exe | Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command
- Gaara.exe | Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command
- csrss.exe | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0"
- c9915631_by_Libranalysis.exe | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe"
- Kazekage.exe | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe"
- Kazekage.exe | Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command
- Kazekage.exe | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0"
- smss.exe | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe"
- Gaara.exe | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe"
- Kazekage.exe | Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command
- smss.exe | Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command
- Gaara.exe | Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command
- Gaara.exe | Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command
- csrss.exe | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe"
- system32.exe | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe"
- c9915631_by_Libranalysis.exe | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe"
- c9915631_by_Libranalysis.exe | Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command
- Kazekage.exe | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe"
- Kazekage.exe | Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command
- smss.exe | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe"
- smss.exe | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe"
- Gaara.exe | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0"
- c9915631_by_Libranalysis.exe | Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command
- c9915631_by_Libranalysis.exe | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0"
- csrss.exe | Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command
- smss.exe | Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command
- smss.exe | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0"
- system32.exe | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe"
- system32.exe | Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command
- system32.exe | Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command
- csrss.exe | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe"
- csrss.exe | Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command
- smss.exe | Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command
- smss.exe | Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command
- Gaara.exe | Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command
- Gaara.exe | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe"
- system32.exe | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe"
- system32.exe | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0"
- csrss.exe | Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command
- c9915631_by_Libranalysis.exe | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe"
-
Runs ping.exe 1 TTPs 32 IoCs
Processes: ping.exe (32 instances)
pid / process: 760, 3476, 1172, 216, 4020, 2100, 3552, 204, 1288, 836, 3048, 812, 3916, 3760, 1972, 2320, 956, 360, 1036, 2676, 3256, 2540, 3552, 3908, 2288, 3476, 540, 1020, 664, 2676, 2388, 3188 (all ping.exe)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: Kazekage.exe, smss.exe, Gaara.exe
pid / process:
- 1624 Kazekage.exe (listed 24 times)
- 2384 smss.exe (listed 24 times)
- 3100 Gaara.exe (listed 16 times)
-
Suspicious use of SetWindowsHookEx 31 IoCs
Processes: c9915631_by_Libranalysis.exe, smss.exe, Gaara.exe, csrss.exe, Kazekage.exe, system32.exe
pid / process: 3896 c9915631_by_Libranalysis.exe, 2384 smss.exe, 2944 smss.exe, 3100 Gaara.exe, 1368 smss.exe, 3784 Gaara.exe, 1612 csrss.exe, 1040 smss.exe, 3816 Gaara.exe, 2680 csrss.exe, 1624 Kazekage.exe, 200 smss.exe, 3048 Gaara.exe, 2528 csrss.exe, 3312 Kazekage.exe, 3676 system32.exe, 1376 smss.exe, 1040 Gaara.exe, 3800 csrss.exe, 1196 Kazekage.exe, 200 system32.exe, 3776 system32.exe, 3484 Kazekage.exe, 3976 system32.exe, 1664 csrss.exe, 2388 Kazekage.exe, 2504 system32.exe, 2632 Gaara.exe, 3040 csrss.exe, 1196 Kazekage.exe, 3048 system32.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: c9915631_by_Libranalysis.exe, smss.exe, Gaara.exe, csrss.exe, Kazekage.exe, system32.exe
description / pid / process / target process (each entry repeated as many times as recorded):
- PID 3896 (c9915631_by_Libranalysis.exe) wrote to memory of 2384 (smss.exe), 3 times
- PID 2384 (smss.exe) wrote to memory of 2944 (smss.exe), 3 times
- PID 2384 (smss.exe) wrote to memory of 3100 (Gaara.exe), 3 times
- PID 3100 (Gaara.exe) wrote to memory of 1368 (smss.exe), 3 times
- PID 3100 (Gaara.exe) wrote to memory of 3784 (Gaara.exe), 3 times
- PID 3100 (Gaara.exe) wrote to memory of 1612 (csrss.exe), 3 times
- PID 1612 (csrss.exe) wrote to memory of 1040 (smss.exe), 3 times
- PID 1612 (csrss.exe) wrote to memory of 3816 (Gaara.exe), 3 times
- PID 1612 (csrss.exe) wrote to memory of 2680 (csrss.exe), 3 times
- PID 1612 (csrss.exe) wrote to memory of 1624 (Kazekage.exe), 3 times
- PID 1624 (Kazekage.exe) wrote to memory of 200 (smss.exe), 3 times
- PID 1624 (Kazekage.exe) wrote to memory of 3048 (Gaara.exe), 3 times
- PID 1624 (Kazekage.exe) wrote to memory of 2528 (csrss.exe), 3 times
- PID 1624 (Kazekage.exe) wrote to memory of 3312 (Kazekage.exe), 3 times
- PID 1624 (Kazekage.exe) wrote to memory of 3676 (system32.exe), 3 times
- PID 3676 (system32.exe) wrote to memory of 1376 (smss.exe), 3 times
- PID 3676 (system32.exe) wrote to memory of 1040 (Gaara.exe), 3 times
- PID 3676 (system32.exe) wrote to memory of 3800 (csrss.exe), 3 times
- PID 3676 (system32.exe) wrote to memory of 1196 (Kazekage.exe), 3 times
- PID 3676 (system32.exe) wrote to memory of 200 (system32.exe), 3 times
- PID 1612 (csrss.exe) wrote to memory of 3776 (system32.exe), 3 times
- PID 3100 (Gaara.exe) wrote to memory of 3484 (Kazekage.exe), 1 time
-
System policy modification 1 TTPs 12 IoCs
Processes: Gaara.exe, system32.exe, Kazekage.exe, smss.exe, csrss.exe, c9915631_by_Libranalysis.exe
- Gaara.exe | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- system32.exe | Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- system32.exe | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- Kazekage.exe | Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- Kazekage.exe | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- smss.exe | Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- smss.exe | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- Gaara.exe | Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- csrss.exe | Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- csrss.exe | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- c9915631_by_Libranalysis.exe | Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- c9915631_by_Libranalysis.exe | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes
-
C:\Users\Admin\AppData\Local\Temp\c9915631_by_Libranalysis.exe | "C:\Users\Admin\AppData\Local\Temp\c9915631_by_Libranalysis.exe" | depth 1
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe | "C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe" | depth 2
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe | "C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe" | depth 3
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe | "C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe" | depth 3
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe | "C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe" | depth 4
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe | "C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe" | depth 4
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe | "C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe" | depth 4
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe | "C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe" | depth 5
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe | "C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe" | depth 5
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe | "C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe" | depth 5
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\system32\drivers\Kazekage.exe | depth 5
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe | "C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe" | depth 6
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe | "C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe" | depth 6
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe | "C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe" | depth 6
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\system32\drivers\Kazekage.exe | depth 6
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\system32\drivers\system32.exe | depth 6
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe | "C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe" | depth 7
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe | "C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe" | depth 7
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe | "C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe" | depth 7
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\system32\drivers\Kazekage.exe | depth 7
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\system32\drivers\system32.exe | depth 7
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\ping.exe | ping -a -l www.rasasayang.com.my 65500 | depth 7
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe | ping -a -l www.duniasex.com 65500 | depth 7
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe | ping -a -l www.rasasayang.com.my 65500 | depth 7
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe | ping -a -l www.duniasex.com 65500 | depth 7
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe | ping -a -l www.rasasayang.com.my 65500 | depth 7
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe | ping -a -l www.duniasex.com 65500 | depth 7
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe | ping -a -l www.rasasayang.com.my 65500 | depth 6
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe | ping -a -l www.duniasex.com 65500 | depth 6
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe | ping -a -l www.rasasayang.com.my 65500 | depth 6
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe | ping -a -l www.duniasex.com 65500 | depth 6
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe | ping -a -l www.rasasayang.com.my 65500 | depth 6
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe | ping -a -l www.duniasex.com 65500 | depth 6
- Runs ping.exe
-
C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\system32\drivers\system32.exe | depth 5
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\ping.exe | ping -a -l www.rasasayang.com.my 65500 | depth 5
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe | ping -a -l www.duniasex.com 65500 | depth 5
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe | ping -a -l www.rasasayang.com.my 65500 | depth 5
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe | ping -a -l www.duniasex.com 65500 | depth 5
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe | ping -a -l www.rasasayang.com.my 65500 | depth 5
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe | ping -a -l www.duniasex.com 65500 | depth 5
- Runs ping.exe
-
C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\system32\drivers\Kazekage.exe | depth 4
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\system32\drivers\system32.exe | depth 4
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\ping.exe | ping -a -l www.rasasayang.com.my 65500 | depth 4
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe | ping -a -l www.duniasex.com 65500 | depth 4
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe | ping -a -l www.duniasex.com 65500 | depth 4
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe | ping -a -l www.rasasayang.com.my 65500 | depth 4
- Runs ping.exe
-
C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe | "C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe" | depth 3
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\system32\drivers\Kazekage.exe | depth 3
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\system32\drivers\system32.exe | depth 3
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\ping.exe | ping -a -l www.rasasayang.com.my 65500 | depth 3
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe | ping -a -l www.duniasex.com 65500 | depth 3
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe | ping -a -l www.rasasayang.com.my 65500 | depth 3
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe | ping -a -l www.duniasex.com 65500 | depth 3
- Runs ping.exe
-
C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe | "C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe" | depth 2
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe | "C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe" | depth 2
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\system32\drivers\Kazekage.exe | depth 2
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\system32\drivers\system32.exe | depth 2
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\ping.exe | ping -a -l www.rasasayang.com.my 65500 | depth 2
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe | ping -a -l www.duniasex.com 65500 | depth 2
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe | ping -a -l www.rasasayang.com.my 65500 | depth 2
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe | ping -a -l www.duniasex.com 65500 | depth 2
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe | ping -a -l www.rasasayang.com.my 65500 | depth 2
- Runs ping.exe
-
C:\Windows\SysWOW64\ping.exe | ping -a -l www.duniasex.com 65500 | depth 2
- Runs ping.exe
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence:
- Winlogon Helper DLL (1)
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (2)
Defense Evasion:
- Modify Registry (9)
- Hidden Files and Directories (2)
- Bypass User Account Control (1)
- Disabling Security Tools (1)
Downloads
SHA51222c2ccde98aa0128cdd00bf1e4b00e8043eb266ed916650fd21c2503c8053d8b3bbb495c8d853ce80661013854db07b80e4cbaa7bf7b00f8bf8e94745865a5a3
-
C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exeMD5
4a9a6e8ce1295ce906c9d678d33cd946
SHA1f2ee6df1f6b308dff87cbd6af88c56549e65d579
SHA2566274851cf01246a6ee2d8ee36c3acb51ac1197a9d850f6976019648f9274531b
SHA512de7a6594d026dbd5fa4ae89661c03404ea07aab85c6d692fd7c8d75e5ca4c6ad6d76556b0f30bfca8a08f9d7bedc2ca5e8b652bf104e2d52d586d1043fa2faa4
-
C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exeMD5
4a9a6e8ce1295ce906c9d678d33cd946
SHA1f2ee6df1f6b308dff87cbd6af88c56549e65d579
SHA2566274851cf01246a6ee2d8ee36c3acb51ac1197a9d850f6976019648f9274531b
SHA512de7a6594d026dbd5fa4ae89661c03404ea07aab85c6d692fd7c8d75e5ca4c6ad6d76556b0f30bfca8a08f9d7bedc2ca5e8b652bf104e2d52d586d1043fa2faa4
-
C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exeMD5
4a9a6e8ce1295ce906c9d678d33cd946
SHA1f2ee6df1f6b308dff87cbd6af88c56549e65d579
SHA2566274851cf01246a6ee2d8ee36c3acb51ac1197a9d850f6976019648f9274531b
SHA512de7a6594d026dbd5fa4ae89661c03404ea07aab85c6d692fd7c8d75e5ca4c6ad6d76556b0f30bfca8a08f9d7bedc2ca5e8b652bf104e2d52d586d1043fa2faa4
-
C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exeMD5
4a9a6e8ce1295ce906c9d678d33cd946
SHA1f2ee6df1f6b308dff87cbd6af88c56549e65d579
SHA2566274851cf01246a6ee2d8ee36c3acb51ac1197a9d850f6976019648f9274531b
SHA512de7a6594d026dbd5fa4ae89661c03404ea07aab85c6d692fd7c8d75e5ca4c6ad6d76556b0f30bfca8a08f9d7bedc2ca5e8b652bf104e2d52d586d1043fa2faa4
-
C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exeMD5
4a9a6e8ce1295ce906c9d678d33cd946
SHA1f2ee6df1f6b308dff87cbd6af88c56549e65d579
SHA2566274851cf01246a6ee2d8ee36c3acb51ac1197a9d850f6976019648f9274531b
SHA512de7a6594d026dbd5fa4ae89661c03404ea07aab85c6d692fd7c8d75e5ca4c6ad6d76556b0f30bfca8a08f9d7bedc2ca5e8b652bf104e2d52d586d1043fa2faa4
-
C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exeMD5
4a9a6e8ce1295ce906c9d678d33cd946
SHA1f2ee6df1f6b308dff87cbd6af88c56549e65d579
SHA2566274851cf01246a6ee2d8ee36c3acb51ac1197a9d850f6976019648f9274531b
SHA512de7a6594d026dbd5fa4ae89661c03404ea07aab85c6d692fd7c8d75e5ca4c6ad6d76556b0f30bfca8a08f9d7bedc2ca5e8b652bf104e2d52d586d1043fa2faa4
-
C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exeMD5
4a9a6e8ce1295ce906c9d678d33cd946
SHA1f2ee6df1f6b308dff87cbd6af88c56549e65d579
SHA2566274851cf01246a6ee2d8ee36c3acb51ac1197a9d850f6976019648f9274531b
SHA512de7a6594d026dbd5fa4ae89661c03404ea07aab85c6d692fd7c8d75e5ca4c6ad6d76556b0f30bfca8a08f9d7bedc2ca5e8b652bf104e2d52d586d1043fa2faa4
-
C:\Windows\Fonts\The Kazekage.jpgMD5
d6b05020d4a0ec2a3a8b687099e335df
SHA1df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA2569824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA51278fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff
-
C:\Windows\Fonts\The Kazekage.jpgMD5
d6b05020d4a0ec2a3a8b687099e335df
SHA1df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA2569824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA51278fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff
-
C:\Windows\Fonts\The Kazekage.jpgMD5
d6b05020d4a0ec2a3a8b687099e335df
SHA1df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA2569824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA51278fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff
-
C:\Windows\Fonts\The Kazekage.jpgMD5
d6b05020d4a0ec2a3a8b687099e335df
SHA1df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA2569824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA51278fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff
-
C:\Windows\Fonts\The Kazekage.jpgMD5
d6b05020d4a0ec2a3a8b687099e335df
SHA1df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA2569824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA51278fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff
-
C:\Windows\SysWOW64\5-5-2021.exeMD5
a02ecd48bbf30a5cc641961bb2dd21f8
SHA19bc0ad2240c161db76f722707cb5fc1206aea74e
SHA256907a9e50fe5be9b9921a9a87956d362d6e5d044edaa67d95203da31b74c20f9e
SHA51239a10d76be199dc5fe52ddf3df02b47e094cf3c7535c088a871ec8a4046b01e9986e31d4d762086eac7e59ae1102ab155b5d34325a9b4ce6c7f46b1f4f214450
-
C:\Windows\SysWOW64\5-5-2021.exeMD5
a57542ddac265f5e9ba3f8b83e78d3cf
SHA1c3309f5f36da15ec6dd01868966a948e218aa591
SHA25643648aa5a1b375e95303935c836298364152d3fc7a852dc5b23bb4301269cbe9
SHA512d2aa11b046a2e1f60c22e59b04a3e601a8f2aee35bf1182e15487c8fbe276331ff35e7797e0f29fa3d5556670445a7d6c94e064f9d2445a9fc5e821dc89ca865
-
C:\Windows\SysWOW64\5-5-2021.exeMD5
7532b61823bdf5be4a74a3058f10a634
SHA1bacb0e4c478b3f5d50d44ebd562d3f1947b57ae4
SHA256a4290e763c8cd56a12d009179e5757e826fd75bc829a6e3934c02293f44fd21d
SHA512df121f83d90c4b108d501089b3248eb8fbdc82b0c2cbf59549a4be116d89b692ffd382f0571c1960028806ccf1814e12632e52b45fde557e043e4f6d8c56350a
-
C:\Windows\SysWOW64\5-5-2021.exeMD5
9f4f45912393d9184a2d6ffefb8eb8a6
SHA17d9cb4c72aa1ec23c33ae96f3de4eccca55c9d26
SHA256cdfb3bae25c0087ed69133dd9bd7c3da09bd5755ac0ed9ecc05bc04ed5f93d81
SHA5128ea6dbd5fc864851bbaa9b77c5b5e4d8d67d7946dbfbfc916b03e9032dbb764eb51e8cd110cc70535d5e96235552a64a763f9f0a255cd41405c92a1be81bc76d
-
C:\Windows\SysWOW64\5-5-2021.exeMD5
3daa9d5c5247dcc563ca072128d0ada4
SHA1b5e474303deb3d64a146ef7a4e26934cd63af004
SHA256f9d3e3ff07608ddd92104a4f822fc000dd302ffd06bb021238726fe59cfc2c25
SHA5129cde7303819315db80746e0d37302ec4a68a95f3b8a7cb954fc9c24e08d6d72a427f9425b6da949a2df169491c79ff94dc3d56cfac309043570ca658dcc9ddce
-
C:\Windows\SysWOW64\drivers\Kazekage.exeMD5
2eead6b2494b621b97f8732be3650eb6
SHA1a7ffd9109ea795f05c520955e6ffd7449869f5fe
SHA256a0a7999799e11e2f20743a60b9e2d47a285b3fdd0f23c9d256cf9c25626a4bef
SHA5127fb843c5e47f64413d66ddc697faabb8ac94be26fd4eb1f5b5b06dcea8f11a6b6a1457fec68f7b0e18bdfb4bcf23cd7af9390ac0d5448042b03fbc9d93362756
-
C:\Windows\SysWOW64\drivers\Kazekage.exeMD5
e26a3c331ab15872993b1e883d0d2f98
SHA1ec8e9886bba7cc6bc1b69168cd405ab73f3abf99
SHA256c14d8e563e8f7bd0181181ca0b5a01fb0f6c5a157683fb4d12b5bf68776d23eb
SHA512e6add3290301567cf7a38faca46dc4d51e7516d6f4ceb282c10da435e06bc3bc6e1817e20cc66b696bba1cb90469c5d79c1fd0eeb84390fa32f0ba3e8d472b01
-
C:\Windows\SysWOW64\drivers\Kazekage.exeMD5
144f8d82bf0e06d4ee3ea1a738892a22
SHA162e8ced46628e84df9381509d910316d902c326d
SHA25686a1debb45ac49ddbcb45eca3825809c8b7ecf4a25f6d8fa3fd473623f0630a6
SHA512be13807c0534523f3571148055f52eaff3231dca315e08f297aedd3aef10a05f96fc0c21f80556ce40fe0803b3282fd61896254b9c039170f8e0bd91e25a468b
-
C:\Windows\SysWOW64\drivers\Kazekage.exeMD5
144f8d82bf0e06d4ee3ea1a738892a22
SHA162e8ced46628e84df9381509d910316d902c326d
SHA25686a1debb45ac49ddbcb45eca3825809c8b7ecf4a25f6d8fa3fd473623f0630a6
SHA512be13807c0534523f3571148055f52eaff3231dca315e08f297aedd3aef10a05f96fc0c21f80556ce40fe0803b3282fd61896254b9c039170f8e0bd91e25a468b
-
C:\Windows\SysWOW64\drivers\Kazekage.exeMD5
144f8d82bf0e06d4ee3ea1a738892a22
SHA162e8ced46628e84df9381509d910316d902c326d
SHA25686a1debb45ac49ddbcb45eca3825809c8b7ecf4a25f6d8fa3fd473623f0630a6
SHA512be13807c0534523f3571148055f52eaff3231dca315e08f297aedd3aef10a05f96fc0c21f80556ce40fe0803b3282fd61896254b9c039170f8e0bd91e25a468b
-
C:\Windows\SysWOW64\drivers\Kazekage.exeMD5
144f8d82bf0e06d4ee3ea1a738892a22
SHA162e8ced46628e84df9381509d910316d902c326d
SHA25686a1debb45ac49ddbcb45eca3825809c8b7ecf4a25f6d8fa3fd473623f0630a6
SHA512be13807c0534523f3571148055f52eaff3231dca315e08f297aedd3aef10a05f96fc0c21f80556ce40fe0803b3282fd61896254b9c039170f8e0bd91e25a468b
-
C:\Windows\SysWOW64\drivers\system32.exeMD5
5978785c10b6583d942c592996747324
SHA1494ac036e3e0cc89301e9b99e625849cb3dacf62
SHA256144cfc297143c8fc2821e06d1281e0e182e4a9b6e9de924dfdd6066c1564fd37
SHA512a75c5e674c76a105f277250bae02a9db5e8960e1c28fdf82010f7e8b4370b5da7c3483085560c2ddc7ba5d0c77c2a664dcd34b5879b57b20c27a91b90f5a3522
-
C:\Windows\SysWOW64\drivers\system32.exeMD5
b697020c4fd85e067c3216c002df86d6
SHA146f1cea5fc2f334d7b346e0977dc5cd5717726b2
SHA2569f2262a9bd5a22acf460561dab4d4187c9e690e7c3b77bc34df0e17796fa3177
SHA51264d52350a20a795c2aaebeceaf147d134cdc453db71fa5682a1223542c491153dd0bf4ad6dc2c1a56448e4d7beae86e6cd0c2855f2e185d31a7b973e12a569b1
-
C:\Windows\SysWOW64\drivers\system32.exeMD5
324465e8e906eeee9065ef9a94e48a18
SHA1b2b3f3cb8fde22a8decdf0440320cf884e43c512
SHA25618c8c9f7a6e89afd92f7e5be9418b18ac5f2c3e9a1bdf213b4ccbd6af733e85a
SHA51218cddcd22fce346b5606f443793cbdc1e0efc77e5079d9acc9cd24cbfa8a43ae200b1893a30c13e076ac49d881df999b1c1c12b5eaa0a2b33f11baf38cfbfe38
-
C:\Windows\SysWOW64\drivers\system32.exeMD5
d5100ba21b9c4126dc63342f38bb8961
SHA1056dd7b3c148b71694e7f8ba8438b31c821d12f2
SHA2569408c43441ef4d5359696e82d745e4960f3b2b68401faf4c666cb487b5c93c84
SHA512339a4c234465856d8f8ec21b20a46f38a99ed4bf56e8450ec61afd5f6913411805d05b72e0e93607885b43347a26299842601640c89f02628760cbda18f7461d
-
C:\Windows\SysWOW64\drivers\system32.exeMD5
d5100ba21b9c4126dc63342f38bb8961
SHA1056dd7b3c148b71694e7f8ba8438b31c821d12f2
SHA2569408c43441ef4d5359696e82d745e4960f3b2b68401faf4c666cb487b5c93c84
SHA512339a4c234465856d8f8ec21b20a46f38a99ed4bf56e8450ec61afd5f6913411805d05b72e0e93607885b43347a26299842601640c89f02628760cbda18f7461d
-
C:\Windows\SysWOW64\drivers\system32.exeMD5
d5100ba21b9c4126dc63342f38bb8961
SHA1056dd7b3c148b71694e7f8ba8438b31c821d12f2
SHA2569408c43441ef4d5359696e82d745e4960f3b2b68401faf4c666cb487b5c93c84
SHA512339a4c234465856d8f8ec21b20a46f38a99ed4bf56e8450ec61afd5f6913411805d05b72e0e93607885b43347a26299842601640c89f02628760cbda18f7461d
-
C:\Windows\msvbvm60.dllMD5
9618e4752b19ce24efd729c662c8db1e
SHA1e2fc41553e1f85472e3e4c6b20dea5430e500ef7
SHA2563b2f5858bc5181506e84f6fa09eb755fb5b5e87f48c838bb125eb01fa13cf17e
SHA5120c3c4f47b9321ffd06929f0358555d7376cf23f79aa5d1cf18d782062199f53baa55fd567862c76287917126020add7fa61bd3185be9dd99d85b70470d760bcb
-
C:\Windows\msvbvm60.dllMD5
9618e4752b19ce24efd729c662c8db1e
SHA1e2fc41553e1f85472e3e4c6b20dea5430e500ef7
SHA2563b2f5858bc5181506e84f6fa09eb755fb5b5e87f48c838bb125eb01fa13cf17e
SHA5120c3c4f47b9321ffd06929f0358555d7376cf23f79aa5d1cf18d782062199f53baa55fd567862c76287917126020add7fa61bd3185be9dd99d85b70470d760bcb
-
C:\Windows\msvbvm60.dllMD5
9618e4752b19ce24efd729c662c8db1e
SHA1e2fc41553e1f85472e3e4c6b20dea5430e500ef7
SHA2563b2f5858bc5181506e84f6fa09eb755fb5b5e87f48c838bb125eb01fa13cf17e
SHA5120c3c4f47b9321ffd06929f0358555d7376cf23f79aa5d1cf18d782062199f53baa55fd567862c76287917126020add7fa61bd3185be9dd99d85b70470d760bcb
-
C:\Windows\msvbvm60.dllMD5
9618e4752b19ce24efd729c662c8db1e
SHA1e2fc41553e1f85472e3e4c6b20dea5430e500ef7
SHA2563b2f5858bc5181506e84f6fa09eb755fb5b5e87f48c838bb125eb01fa13cf17e
SHA5120c3c4f47b9321ffd06929f0358555d7376cf23f79aa5d1cf18d782062199f53baa55fd567862c76287917126020add7fa61bd3185be9dd99d85b70470d760bcb
-
C:\Windows\msvbvm60.dllMD5
9618e4752b19ce24efd729c662c8db1e
SHA1e2fc41553e1f85472e3e4c6b20dea5430e500ef7
SHA2563b2f5858bc5181506e84f6fa09eb755fb5b5e87f48c838bb125eb01fa13cf17e
SHA5120c3c4f47b9321ffd06929f0358555d7376cf23f79aa5d1cf18d782062199f53baa55fd567862c76287917126020add7fa61bd3185be9dd99d85b70470d760bcb
-
C:\Windows\system\msvbvm60.dllMD5
9618e4752b19ce24efd729c662c8db1e
SHA1e2fc41553e1f85472e3e4c6b20dea5430e500ef7
SHA2563b2f5858bc5181506e84f6fa09eb755fb5b5e87f48c838bb125eb01fa13cf17e
SHA5120c3c4f47b9321ffd06929f0358555d7376cf23f79aa5d1cf18d782062199f53baa55fd567862c76287917126020add7fa61bd3185be9dd99d85b70470d760bcb
-
C:\Windows\system\msvbvm60.dllMD5
9618e4752b19ce24efd729c662c8db1e
SHA1e2fc41553e1f85472e3e4c6b20dea5430e500ef7
SHA2563b2f5858bc5181506e84f6fa09eb755fb5b5e87f48c838bb125eb01fa13cf17e
SHA5120c3c4f47b9321ffd06929f0358555d7376cf23f79aa5d1cf18d782062199f53baa55fd567862c76287917126020add7fa61bd3185be9dd99d85b70470d760bcb
-
C:\Windows\system\msvbvm60.dllMD5
9618e4752b19ce24efd729c662c8db1e
SHA1e2fc41553e1f85472e3e4c6b20dea5430e500ef7
SHA2563b2f5858bc5181506e84f6fa09eb755fb5b5e87f48c838bb125eb01fa13cf17e
SHA5120c3c4f47b9321ffd06929f0358555d7376cf23f79aa5d1cf18d782062199f53baa55fd567862c76287917126020add7fa61bd3185be9dd99d85b70470d760bcb
-
C:\Windows\system\msvbvm60.dllMD5
9618e4752b19ce24efd729c662c8db1e
SHA1e2fc41553e1f85472e3e4c6b20dea5430e500ef7
SHA2563b2f5858bc5181506e84f6fa09eb755fb5b5e87f48c838bb125eb01fa13cf17e
SHA5120c3c4f47b9321ffd06929f0358555d7376cf23f79aa5d1cf18d782062199f53baa55fd567862c76287917126020add7fa61bd3185be9dd99d85b70470d760bcb
-
C:\Windows\system\msvbvm60.dllMD5
9618e4752b19ce24efd729c662c8db1e
SHA1e2fc41553e1f85472e3e4c6b20dea5430e500ef7
SHA2563b2f5858bc5181506e84f6fa09eb755fb5b5e87f48c838bb125eb01fa13cf17e
SHA5120c3c4f47b9321ffd06929f0358555d7376cf23f79aa5d1cf18d782062199f53baa55fd567862c76287917126020add7fa61bd3185be9dd99d85b70470d760bcb
-
\Windows\Fonts\Admin 5 - 5 - 2021\msvbvm60.dllMD5
9618e4752b19ce24efd729c662c8db1e
SHA1e2fc41553e1f85472e3e4c6b20dea5430e500ef7
SHA2563b2f5858bc5181506e84f6fa09eb755fb5b5e87f48c838bb125eb01fa13cf17e
SHA5120c3c4f47b9321ffd06929f0358555d7376cf23f79aa5d1cf18d782062199f53baa55fd567862c76287917126020add7fa61bd3185be9dd99d85b70470d760bcb
-
\Windows\Fonts\Admin 5 - 5 - 2021\msvbvm60.dllMD5
9618e4752b19ce24efd729c662c8db1e
SHA1e2fc41553e1f85472e3e4c6b20dea5430e500ef7
SHA2563b2f5858bc5181506e84f6fa09eb755fb5b5e87f48c838bb125eb01fa13cf17e
SHA5120c3c4f47b9321ffd06929f0358555d7376cf23f79aa5d1cf18d782062199f53baa55fd567862c76287917126020add7fa61bd3185be9dd99d85b70470d760bcb
-
\Windows\Fonts\Admin 5 - 5 - 2021\msvbvm60.dllMD5
9618e4752b19ce24efd729c662c8db1e
SHA1e2fc41553e1f85472e3e4c6b20dea5430e500ef7
SHA2563b2f5858bc5181506e84f6fa09eb755fb5b5e87f48c838bb125eb01fa13cf17e
SHA5120c3c4f47b9321ffd06929f0358555d7376cf23f79aa5d1cf18d782062199f53baa55fd567862c76287917126020add7fa61bd3185be9dd99d85b70470d760bcb
-
\Windows\Fonts\Admin 5 - 5 - 2021\msvbvm60.dllMD5
9618e4752b19ce24efd729c662c8db1e
SHA1e2fc41553e1f85472e3e4c6b20dea5430e500ef7
SHA2563b2f5858bc5181506e84f6fa09eb755fb5b5e87f48c838bb125eb01fa13cf17e
SHA5120c3c4f47b9321ffd06929f0358555d7376cf23f79aa5d1cf18d782062199f53baa55fd567862c76287917126020add7fa61bd3185be9dd99d85b70470d760bcb
-
\Windows\Fonts\Admin 5 - 5 - 2021\msvbvm60.dllMD5
9618e4752b19ce24efd729c662c8db1e
SHA1e2fc41553e1f85472e3e4c6b20dea5430e500ef7
SHA2563b2f5858bc5181506e84f6fa09eb755fb5b5e87f48c838bb125eb01fa13cf17e
SHA5120c3c4f47b9321ffd06929f0358555d7376cf23f79aa5d1cf18d782062199f53baa55fd567862c76287917126020add7fa61bd3185be9dd99d85b70470d760bcb
-
\Windows\Fonts\Admin 5 - 5 - 2021\msvbvm60.dllMD5
9618e4752b19ce24efd729c662c8db1e
SHA1e2fc41553e1f85472e3e4c6b20dea5430e500ef7
SHA2563b2f5858bc5181506e84f6fa09eb755fb5b5e87f48c838bb125eb01fa13cf17e
SHA5120c3c4f47b9321ffd06929f0358555d7376cf23f79aa5d1cf18d782062199f53baa55fd567862c76287917126020add7fa61bd3185be9dd99d85b70470d760bcb
-
\Windows\Fonts\Admin 5 - 5 - 2021\msvbvm60.dllMD5
9618e4752b19ce24efd729c662c8db1e
SHA1e2fc41553e1f85472e3e4c6b20dea5430e500ef7
SHA2563b2f5858bc5181506e84f6fa09eb755fb5b5e87f48c838bb125eb01fa13cf17e
SHA5120c3c4f47b9321ffd06929f0358555d7376cf23f79aa5d1cf18d782062199f53baa55fd567862c76287917126020add7fa61bd3185be9dd99d85b70470d760bcb
-
\Windows\Fonts\Admin 5 - 5 - 2021\msvbvm60.dllMD5
9618e4752b19ce24efd729c662c8db1e
SHA1e2fc41553e1f85472e3e4c6b20dea5430e500ef7
SHA2563b2f5858bc5181506e84f6fa09eb755fb5b5e87f48c838bb125eb01fa13cf17e
SHA5120c3c4f47b9321ffd06929f0358555d7376cf23f79aa5d1cf18d782062199f53baa55fd567862c76287917126020add7fa61bd3185be9dd99d85b70470d760bcb
-
\Windows\Fonts\Admin 5 - 5 - 2021\msvbvm60.dllMD5
9618e4752b19ce24efd729c662c8db1e
SHA1e2fc41553e1f85472e3e4c6b20dea5430e500ef7
SHA2563b2f5858bc5181506e84f6fa09eb755fb5b5e87f48c838bb125eb01fa13cf17e
SHA5120c3c4f47b9321ffd06929f0358555d7376cf23f79aa5d1cf18d782062199f53baa55fd567862c76287917126020add7fa61bd3185be9dd99d85b70470d760bcb
-
\Windows\Fonts\Admin 5 - 5 - 2021\msvbvm60.dllMD5
9618e4752b19ce24efd729c662c8db1e
SHA1e2fc41553e1f85472e3e4c6b20dea5430e500ef7
SHA2563b2f5858bc5181506e84f6fa09eb755fb5b5e87f48c838bb125eb01fa13cf17e
SHA5120c3c4f47b9321ffd06929f0358555d7376cf23f79aa5d1cf18d782062199f53baa55fd567862c76287917126020add7fa61bd3185be9dd99d85b70470d760bcb
-
\Windows\Fonts\Admin 5 - 5 - 2021\msvbvm60.dllMD5
9618e4752b19ce24efd729c662c8db1e
SHA1e2fc41553e1f85472e3e4c6b20dea5430e500ef7
SHA2563b2f5858bc5181506e84f6fa09eb755fb5b5e87f48c838bb125eb01fa13cf17e
SHA5120c3c4f47b9321ffd06929f0358555d7376cf23f79aa5d1cf18d782062199f53baa55fd567862c76287917126020add7fa61bd3185be9dd99d85b70470d760bcb
-
\Windows\Fonts\Admin 5 - 5 - 2021\msvbvm60.dllMD5
9618e4752b19ce24efd729c662c8db1e
SHA1e2fc41553e1f85472e3e4c6b20dea5430e500ef7
SHA2563b2f5858bc5181506e84f6fa09eb755fb5b5e87f48c838bb125eb01fa13cf17e
SHA5120c3c4f47b9321ffd06929f0358555d7376cf23f79aa5d1cf18d782062199f53baa55fd567862c76287917126020add7fa61bd3185be9dd99d85b70470d760bcb
-