Analysis
max time kernel: 146s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-10-2022 21:20

Behavioral task: behavioral1
Sample: ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
Resource: win10v2004-20220812-en
General
Target: ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
Size: 236KB
MD5: f939bf75f63371ca206f31ab06145efd
SHA1: 54a876db09f4bb36ace0e77a1633802f33585704
SHA256: ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee
SHA512: 082ddd59f55dcf562284d2e24ee1c96efe88b38beeb1c1df3e9b1b30dfa815693cb6fc9d6b68b089b86dc27e7d2db9daa02c9cd36887071f197924aa0512342b
SSDEEP: 1536:2DusHJo0IHgL2AHfb1mzaFXg+xsukl4Y17jsgS/jHagQNuXGpeV1eT92NdTy2OBn:Vox6AHjYzaFXg+w17jsgS/jHagQg1E5
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Gaara.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | system32.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Disables RegEdit via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | smss.exe
Disables use of System Restore points 1 TTPs
Drops file in Drivers directory 24 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
Executes dropped EXE 30 IoCs
pid | Process
4868 | smss.exe
4356 | smss.exe
2636 | Gaara.exe
1372 | smss.exe
4156 | Gaara.exe
2992 | csrss.exe
32 | smss.exe
112 | Gaara.exe
3548 | csrss.exe
3300 | Kazekage.exe
4348 | smss.exe
3280 | Gaara.exe
4860 | csrss.exe
5020 | Kazekage.exe
1820 | system32.exe
4492 | smss.exe
3044 | Gaara.exe
3584 | csrss.exe
924 | Kazekage.exe
1636 | system32.exe
3676 | system32.exe
2532 | Kazekage.exe
2884 | system32.exe
2404 | csrss.exe
364 | Kazekage.exe
2324 | system32.exe
4164 | Gaara.exe
2096 | csrss.exe
4852 | Kazekage.exe
4284 | system32.exe
Sets file execution options in registry 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe | ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" | ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" | ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" | ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe | ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe | ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
resource | yara_rule
behavioral2/memory/4520-132-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral2/files/0x0006000000022e45-136.dat | upx
behavioral2/files/0x0006000000022e45-137.dat | upx
behavioral2/files/0x0006000000022e46-143.dat | upx
behavioral2/files/0x0006000000022e48-145.dat | upx
behavioral2/files/0x0006000000022e4a-147.dat | upx
behavioral2/files/0x0006000000022e49-146.dat | upx
behavioral2/files/0x0006000000022e47-144.dat | upx
behavioral2/memory/4868-152-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral2/files/0x0006000000022e45-151.dat | upx
behavioral2/files/0x0006000000022e46-157.dat | upx
behavioral2/files/0x0006000000022e46-158.dat | upx
behavioral2/memory/4356-162-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral2/files/0x0006000000022e4a-167.dat | upx
behavioral2/files/0x0006000000022e45-171.dat | upx
behavioral2/files/0x0006000000022e49-166.dat | upx
behavioral2/files/0x0006000000022e48-165.dat | upx
behavioral2/files/0x0006000000022e47-164.dat | upx
behavioral2/memory/1372-176-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral2/files/0x0006000000022e46-177.dat | upx
behavioral2/memory/4156-181-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral2/memory/2636-182-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral2/files/0x0006000000022e47-184.dat | upx
behavioral2/files/0x0006000000022e47-186.dat | upx
behavioral2/memory/4156-185-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral2/files/0x0006000000022e4a-193.dat | upx
behavioral2/files/0x0006000000022e45-197.dat | upx
behavioral2/files/0x0006000000022e48-191.dat | upx
behavioral2/files/0x0006000000022e49-192.dat | upx
behavioral2/files/0x0006000000022e46-202.dat | upx
behavioral2/files/0x0006000000022e47-207.dat | upx
behavioral2/memory/112-208-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral2/memory/2992-212-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral2/memory/3548-213-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral2/files/0x0006000000022e49-215.dat | upx
behavioral2/files/0x0006000000022e49-217.dat | upx
behavioral2/memory/3548-216-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral2/files/0x0006000000022e4a-222.dat | upx
behavioral2/files/0x0006000000022e48-221.dat | upx
behavioral2/files/0x0006000000022e45-226.dat | upx
behavioral2/files/0x0006000000022e46-231.dat | upx
behavioral2/memory/3280-237-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral2/files/0x0006000000022e47-236.dat | upx
behavioral2/memory/4860-241-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral2/memory/3300-242-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral2/files/0x0006000000022e49-244.dat | upx
behavioral2/memory/5020-250-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral2/files/0x0006000000022e4a-249.dat | upx
behavioral2/files/0x0006000000022e4a-248.dat | upx
behavioral2/files/0x0006000000022e48-254.dat | upx
behavioral2/files/0x0006000000022e45-258.dat | upx
behavioral2/memory/4492-262-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral2/memory/3044-266-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral2/memory/1820-273-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral2/memory/924-274-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral2/memory/1636-278-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral2/memory/3676-282-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral2/memory/2532-286-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral2/memory/2884-290-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral2/memory/364-297-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral2/memory/2324-301-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral2/memory/4164-305-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral2/memory/4852-311-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral2/memory/4852-313-0x0000000000400000-0x000000000043B000-memory.dmp | upx
Loads dropped DLL 18 IoCs
pid | Process
4868 | smss.exe
4356 | smss.exe
2636 | Gaara.exe
1372 | smss.exe
4156 | Gaara.exe
2992 | csrss.exe
32 | smss.exe
112 | Gaara.exe
3548 | csrss.exe
4348 | smss.exe
3280 | Gaara.exe
4860 | csrss.exe
4492 | smss.exe
3044 | Gaara.exe
3584 | csrss.exe
2404 | csrss.exe
4164 | Gaara.exe
2096 | csrss.exe
Adds Run key to start application 2 TTPs 30 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 18 - 10 - 2022\\Gaara.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 18 - 10 - 2022\\Gaara.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 18 - 10 - 2022\\smss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "18-10-2022.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 18 - 10 - 2022\\smss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 18 - 10 - 2022\\Gaara.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "18-10-2022.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 18 - 10 - 2022\\smss.exe" | ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "18-10-2022.exe" | ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 18 - 10 - 2022\\smss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 18 - 10 - 2022\\Gaara.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "18-10-2022.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 18 - 10 - 2022\\smss.exe" | Kazekage.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | system32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "18-10-2022.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "18-10-2022.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 18 - 10 - 2022\\smss.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 18 - 10 - 2022\\Gaara.exe" | ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 18 - 10 - 2022\\Gaara.exe" | Kazekage.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | smss.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Drops desktop.ini file(s) 64 IoCs
description | ioc | Process
File opened for modification | \??\L:\Desktop.ini | smss.exe
File opened for modification | D:\Desktop.ini | ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
File opened for modification | \??\I:\Desktop.ini | smss.exe
File opened for modification | \??\F:\Desktop.ini | Kazekage.exe
File opened for modification | \??\H:\Desktop.ini | ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
File opened for modification | \??\Z:\Desktop.ini | csrss.exe
File opened for modification | \??\W:\Desktop.ini | Kazekage.exe
File opened for modification | \??\P:\Desktop.ini | ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
File opened for modification | \??\F:\Desktop.ini | system32.exe
File opened for modification | \??\F:\Desktop.ini | csrss.exe
File opened for modification | \??\M:\Desktop.ini | csrss.exe
File opened for modification | \??\F:\Desktop.ini | smss.exe
File opened for modification | \??\M:\Desktop.ini | system32.exe
File opened for modification | \??\R:\Desktop.ini | Gaara.exe
File opened for modification | \??\K:\Desktop.ini | csrss.exe
File opened for modification | C:\Desktop.ini | smss.exe
File opened for modification | \??\Z:\Desktop.ini | Kazekage.exe
File opened for modification | \??\F:\Desktop.ini | ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
File opened for modification | \??\M:\Desktop.ini | smss.exe
File opened for modification | \??\V:\Desktop.ini | smss.exe
File opened for modification | \??\V:\Desktop.ini | Gaara.exe
File opened for modification | \??\X:\Desktop.ini | Gaara.exe
File opened for modification | \??\U:\Desktop.ini | csrss.exe
File opened for modification | \??\P:\Desktop.ini | Kazekage.exe
File opened for modification | \??\P:\Desktop.ini | Gaara.exe
File opened for modification | \??\Z:\Desktop.ini | Gaara.exe
File opened for modification | \??\O:\Desktop.ini | system32.exe
File opened for modification | \??\B:\Desktop.ini | Gaara.exe
File opened for modification | \??\K:\Desktop.ini | system32.exe
File opened for modification | \??\Y:\Desktop.ini | smss.exe
File opened for modification | \??\Z:\Desktop.ini | ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
File opened for modification | \??\E:\Desktop.ini | smss.exe
File opened for modification | \??\A:\Desktop.ini | smss.exe
File opened for modification | \??\T:\Desktop.ini | ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
File opened for modification | \??\J:\Desktop.ini | Gaara.exe
File opened for modification | \??\N:\Desktop.ini | Gaara.exe
File opened for modification | \??\Q:\Desktop.ini | Gaara.exe
File opened for modification | \??\N:\Desktop.ini | csrss.exe
File opened for modification | \??\S:\Desktop.ini | ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
File opened for modification | \??\B:\Desktop.ini | system32.exe
File opened for modification | \??\P:\Desktop.ini | system32.exe
File opened for modification | \??\V:\Desktop.ini | system32.exe
File opened for modification | \??\G:\Desktop.ini | csrss.exe
File opened for modification | \??\E:\Desktop.ini | Kazekage.exe
File opened for modification | \??\H:\Desktop.ini | system32.exe
File opened for modification | \??\W:\Desktop.ini | system32.exe
File opened for modification | \??\F:\Desktop.ini | Gaara.exe
File opened for modification | \??\W:\Desktop.ini | Gaara.exe
File opened for modification | \??\X:\Desktop.ini | Kazekage.exe
File opened for modification | \??\G:\Desktop.ini | system32.exe
File opened for modification | \??\K:\Desktop.ini | smss.exe
File opened for modification | \??\L:\Desktop.ini | ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
File opened for modification | \??\X:\Desktop.ini | smss.exe
File opened for modification | \??\K:\Desktop.ini | Kazekage.exe
File opened for modification | \??\K:\Desktop.ini | ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
File opened for modification | \??\T:\Desktop.ini | Kazekage.exe
File opened for modification | \??\U:\Desktop.ini | ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
File opened for modification | \??\Q:\Desktop.ini | smss.exe
File opened for modification | \??\T:\Desktop.ini | Gaara.exe
File opened for modification | \??\Q:\Desktop.ini | csrss.exe
File opened for modification | \??\M:\Desktop.ini | Kazekage.exe
File opened for modification | \??\S:\Desktop.ini | csrss.exe
File opened for modification | \??\A:\Desktop.ini | Kazekage.exe
File opened for modification | \??\G:\Desktop.ini | Kazekage.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory 39 IoCs
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
Drops file in Windows directory 64 IoCs
Modifies Control Panel 64 IoCs
Modifies registry class 51 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command csrss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Kazekage.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command system32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command smss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Gaara.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Gaara.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Gaara.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install csrss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Kazekage.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Kazekage.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command system32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command smss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Gaara.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Gaara.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" csrss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Kazekage.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" system32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" system32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command csrss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Kazekage.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command system32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" system32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Gaara.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Gaara.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Kazekage.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Kazekage.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Kazekage.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" system32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command smss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Gaara.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command system32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" smss.exe
-
Runs ping.exe 1 TTPs 32 IoCs
pid Process
ping.exe: PIDs 4476, 2400, 3232, 1708, 4436, 3108, 3548, 4780, 4316, 3044, 4844, 3760, 4468, 4116, 32, 3256, 3580, 2556, 5000, 1956, 1444, 1608, 3264, 344, 4516, 4860, 1844, 392, 2632, 4404, 4644, 5020
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
2992 csrss.exe (24 entries)
3300 Kazekage.exe (24 entries)
4520 ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe (16 entries)
-
Suspicious use of SetWindowsHookEx 31 IoCs
pid Process
4520 ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
4868 smss.exe
4356 smss.exe
2636 Gaara.exe
1372 smss.exe
4156 Gaara.exe
2992 csrss.exe
32 smss.exe
112 Gaara.exe
3548 csrss.exe
3300 Kazekage.exe
4348 smss.exe
3280 Gaara.exe
4860 csrss.exe
5020 Kazekage.exe
1820 system32.exe
4492 smss.exe
3044 Gaara.exe
3584 csrss.exe
924 Kazekage.exe
1636 system32.exe
3676 system32.exe
2532 Kazekage.exe
2884 system32.exe
2404 csrss.exe
364 Kazekage.exe
2324 system32.exe
4164 Gaara.exe
2096 csrss.exe
4852 Kazekage.exe
4284 system32.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 4520 wrote to memory of 4868 4520 ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe 83 (3 entries)
PID 4868 wrote to memory of 4356 4868 smss.exe 84 (3 entries)
PID 4868 wrote to memory of 2636 4868 smss.exe 85 (3 entries)
PID 2636 wrote to memory of 1372 2636 Gaara.exe 86 (3 entries)
PID 2636 wrote to memory of 4156 2636 Gaara.exe 87 (3 entries)
PID 2636 wrote to memory of 2992 2636 Gaara.exe 88 (3 entries)
PID 2992 wrote to memory of 32 2992 csrss.exe 89 (3 entries)
PID 2992 wrote to memory of 112 2992 csrss.exe 90 (3 entries)
PID 2992 wrote to memory of 3548 2992 csrss.exe 91 (3 entries)
PID 2992 wrote to memory of 3300 2992 csrss.exe 92 (3 entries)
PID 3300 wrote to memory of 4348 3300 Kazekage.exe 93 (3 entries)
PID 3300 wrote to memory of 3280 3300 Kazekage.exe 96 (3 entries)
PID 3300 wrote to memory of 4860 3300 Kazekage.exe 97 (3 entries)
PID 3300 wrote to memory of 5020 3300 Kazekage.exe 98 (3 entries)
PID 3300 wrote to memory of 1820 3300 Kazekage.exe 99 (3 entries)
PID 1820 wrote to memory of 4492 1820 system32.exe 100 (3 entries)
PID 1820 wrote to memory of 3044 1820 system32.exe 102 (3 entries)
PID 1820 wrote to memory of 3584 1820 system32.exe 103 (3 entries)
PID 1820 wrote to memory of 924 1820 system32.exe 104 (3 entries)
PID 1820 wrote to memory of 1636 1820 system32.exe 105 (3 entries)
PID 2992 wrote to memory of 3676 2992 csrss.exe 106 (3 entries)
PID 2636 wrote to memory of 2532 2636 Gaara.exe 107 (1 entry)
-
System policy modification 1 TTPs 12 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Kazekage.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Gaara.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System system32.exe
Processes
-
path: C:\Users\Admin\AppData\Local\Temp\ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\ddc5d8e7557d22951c4ade95286786564bc1a53cb45b14d6b7da54036a1564ee.exe" | depth: 1
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4520 -
path: C:\Windows\Fonts\Admin 18 - 10 - 2022\smss.exe | cmdline: "C:\Windows\Fonts\Admin 18 - 10 - 2022\smss.exe" | depth: 2
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4868 -
path: C:\Windows\Fonts\Admin 18 - 10 - 2022\smss.exe | cmdline: "C:\Windows\Fonts\Admin 18 - 10 - 2022\smss.exe" | depth: 3
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4356
-
-
path: C:\Windows\Fonts\Admin 18 - 10 - 2022\Gaara.exe | cmdline: "C:\Windows\Fonts\Admin 18 - 10 - 2022\Gaara.exe" | depth: 3
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2636 -
path: C:\Windows\Fonts\Admin 18 - 10 - 2022\smss.exe | cmdline: "C:\Windows\Fonts\Admin 18 - 10 - 2022\smss.exe" | depth: 4
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1372
-
-
path: C:\Windows\Fonts\Admin 18 - 10 - 2022\Gaara.exe | cmdline: "C:\Windows\Fonts\Admin 18 - 10 - 2022\Gaara.exe" | depth: 4
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4156
-
-
path: C:\Windows\Fonts\Admin 18 - 10 - 2022\csrss.exe | cmdline: "C:\Windows\Fonts\Admin 18 - 10 - 2022\csrss.exe" | depth: 4
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2992 -
path: C:\Windows\Fonts\Admin 18 - 10 - 2022\smss.exe | cmdline: "C:\Windows\Fonts\Admin 18 - 10 - 2022\smss.exe" | depth: 5
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:32
-
-
path: C:\Windows\Fonts\Admin 18 - 10 - 2022\Gaara.exe | cmdline: "C:\Windows\Fonts\Admin 18 - 10 - 2022\Gaara.exe" | depth: 5
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:112
-
-
path: C:\Windows\Fonts\Admin 18 - 10 - 2022\csrss.exe | cmdline: "C:\Windows\Fonts\Admin 18 - 10 - 2022\csrss.exe" | depth: 5
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3548
-
-
path: C:\Windows\SysWOW64\drivers\Kazekage.exe | cmdline: C:\Windows\system32\drivers\Kazekage.exe | depth: 5
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3300 -
path: C:\Windows\Fonts\Admin 18 - 10 - 2022\smss.exe | cmdline: "C:\Windows\Fonts\Admin 18 - 10 - 2022\smss.exe" | depth: 6
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4348
-
-
path: C:\Windows\Fonts\Admin 18 - 10 - 2022\Gaara.exe | cmdline: "C:\Windows\Fonts\Admin 18 - 10 - 2022\Gaara.exe" | depth: 6
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3280
-
-
path: C:\Windows\Fonts\Admin 18 - 10 - 2022\csrss.exe | cmdline: "C:\Windows\Fonts\Admin 18 - 10 - 2022\csrss.exe" | depth: 6
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4860
-
-
path: C:\Windows\SysWOW64\drivers\Kazekage.exe | cmdline: C:\Windows\system32\drivers\Kazekage.exe | depth: 6
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5020
-
-
path: C:\Windows\SysWOW64\drivers\system32.exe | cmdline: C:\Windows\system32\drivers\system32.exe | depth: 6
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1820 -
path: C:\Windows\Fonts\Admin 18 - 10 - 2022\smss.exe | cmdline: "C:\Windows\Fonts\Admin 18 - 10 - 2022\smss.exe" | depth: 7
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4492
-
-
path: C:\Windows\Fonts\Admin 18 - 10 - 2022\Gaara.exe | cmdline: "C:\Windows\Fonts\Admin 18 - 10 - 2022\Gaara.exe" | depth: 7
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3044
-
-
path: C:\Windows\Fonts\Admin 18 - 10 - 2022\csrss.exe | cmdline: "C:\Windows\Fonts\Admin 18 - 10 - 2022\csrss.exe" | depth: 7
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3584
-
-
path: C:\Windows\SysWOW64\drivers\Kazekage.exe | cmdline: C:\Windows\system32\drivers\Kazekage.exe | depth: 7
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:924
-
-
path: C:\Windows\SysWOW64\drivers\system32.exe | cmdline: C:\Windows\system32\drivers\system32.exe | depth: 7
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1636
-
-
path: C:\Windows\SysWOW64\ping.exe | cmdline: ping -a -l www.rasasayang.com.my 65500 | depth: 7
- Runs ping.exe
PID:1708
-
-
path: C:\Windows\SysWOW64\ping.exe | cmdline: ping -a -l www.duniasex.com 65500 | depth: 7
- Runs ping.exe
PID:3760
-
-
path: C:\Windows\SysWOW64\ping.exe | cmdline: ping -a -l www.rasasayang.com.my 65500 | depth: 7
- Runs ping.exe
PID:4844
-
-
path: C:\Windows\SysWOW64\ping.exe | cmdline: ping -a -l www.duniasex.com 65500 | depth: 7
- Runs ping.exe
PID:3548
-
-
-
path: C:\Windows\SysWOW64\ping.exe | cmdline: ping -a -l www.rasasayang.com.my 65500 | depth: 6
- Runs ping.exe
PID:2632
-
-
path: C:\Windows\SysWOW64\ping.exe | cmdline: ping -a -l www.duniasex.com 65500 | depth: 6
- Runs ping.exe
PID:3232
-
-
path: C:\Windows\SysWOW64\ping.exe | cmdline: ping -a -l www.rasasayang.com.my 65500 | depth: 6
- Runs ping.exe
PID:1608
-
-
path: C:\Windows\SysWOW64\ping.exe | cmdline: ping -a -l www.duniasex.com 65500 | depth: 6
- Runs ping.exe
PID:4644
-
-
path: C:\Windows\SysWOW64\ping.exe | cmdline: ping -a -l www.rasasayang.com.my 65500 | depth: 6
- Runs ping.exe
PID:4476
-
-
path: C:\Windows\SysWOW64\ping.exe | cmdline: ping -a -l www.duniasex.com 65500 | depth: 6
- Runs ping.exe
PID:2400
-
-
-
path: C:\Windows\SysWOW64\drivers\system32.exe | cmdline: C:\Windows\system32\drivers\system32.exe | depth: 5
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3676
-
-
path: C:\Windows\SysWOW64\ping.exe | cmdline: ping -a -l www.rasasayang.com.my 65500 | depth: 5
- Runs ping.exe
PID:4316
-
-
path: C:\Windows\SysWOW64\ping.exe | cmdline: ping -a -l www.duniasex.com 65500 | depth: 5
- Runs ping.exe
PID:3580
-
-
path: C:\Windows\SysWOW64\ping.exe | cmdline: ping -a -l www.rasasayang.com.my 65500 | depth: 5
- Runs ping.exe
PID:2556
-
-
path: C:\Windows\SysWOW64\ping.exe | cmdline: ping -a -l www.duniasex.com 65500 | depth: 5
- Runs ping.exe
PID:392
-
-
-
path: C:\Windows\SysWOW64\drivers\Kazekage.exe | cmdline: C:\Windows\system32\drivers\Kazekage.exe | depth: 4
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2532
-
-
path: C:\Windows\SysWOW64\drivers\system32.exe | cmdline: C:\Windows\system32\drivers\system32.exe | depth: 4
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2884
-
-
path: C:\Windows\SysWOW64\ping.exe | cmdline: ping -a -l www.rasasayang.com.my 65500 | depth: 4
- Runs ping.exe
PID:4780
-
-
path: C:\Windows\SysWOW64\ping.exe | cmdline: ping -a -l www.duniasex.com 65500 | depth: 4
- Runs ping.exe
PID:4860
-
-
path: C:\Windows\SysWOW64\ping.exe | cmdline: ping -a -l www.rasasayang.com.my 65500 | depth: 4
- Runs ping.exe
PID:4404
-
-
path: C:\Windows\SysWOW64\ping.exe | cmdline: ping -a -l www.duniasex.com 65500 | depth: 4
- Runs ping.exe
PID:1444
-
-
path: C:\Windows\SysWOW64\ping.exe | cmdline: ping -a -l www.rasasayang.com.my 65500 | depth: 4
- Runs ping.exe
PID:3044
-
-
path: C:\Windows\SysWOW64\ping.exe | cmdline: ping -a -l www.duniasex.com 65500 | depth: 4
- Runs ping.exe
PID:3264
-
-
-
path: C:\Windows\Fonts\Admin 18 - 10 - 2022\csrss.exe | cmdline: "C:\Windows\Fonts\Admin 18 - 10 - 2022\csrss.exe" | depth: 3
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2404
-
-
path: C:\Windows\SysWOW64\drivers\Kazekage.exe | cmdline: C:\Windows\system32\drivers\Kazekage.exe | depth: 3
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:364
-
-
path: C:\Windows\SysWOW64\drivers\system32.exe | cmdline: C:\Windows\system32\drivers\system32.exe | depth: 3
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2324
-
-
path: C:\Windows\SysWOW64\ping.exe | cmdline: ping -a -l www.rasasayang.com.my 65500 | depth: 3
- Runs ping.exe
PID:4516
-
-
path: C:\Windows\SysWOW64\ping.exe | cmdline: ping -a -l www.duniasex.com 65500 | depth: 3
- Runs ping.exe
PID:3256
-
-
path: C:\Windows\SysWOW64\ping.exe | cmdline: ping -a -l www.rasasayang.com.my 65500 | depth: 3
- Runs ping.exe
PID:1956
-
-
path: C:\Windows\SysWOW64\ping.exe | cmdline: ping -a -l www.duniasex.com 65500 | depth: 3
- Runs ping.exe
PID:1844
-
-
path: C:\Windows\SysWOW64\ping.exe | cmdline: ping -a -l www.rasasayang.com.my 65500 | depth: 3
- Runs ping.exe
PID:5020
-
-
path: C:\Windows\SysWOW64\ping.exe | cmdline: ping -a -l www.duniasex.com 65500 | depth: 3
- Runs ping.exe
PID:4116
-
-
-
path: C:\Windows\Fonts\Admin 18 - 10 - 2022\Gaara.exe | cmdline: "C:\Windows\Fonts\Admin 18 - 10 - 2022\Gaara.exe" | depth: 2
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4164
-
-
path: C:\Windows\Fonts\Admin 18 - 10 - 2022\csrss.exe | cmdline: "C:\Windows\Fonts\Admin 18 - 10 - 2022\csrss.exe" | depth: 2
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2096
-
-
path: C:\Windows\SysWOW64\drivers\Kazekage.exe | cmdline: C:\Windows\system32\drivers\Kazekage.exe | depth: 2
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4852
-
-
path: C:\Windows\SysWOW64\drivers\system32.exe | cmdline: C:\Windows\system32\drivers\system32.exe | depth: 2
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4284
-
-
path: C:\Windows\SysWOW64\ping.exe | cmdline: ping -a -l www.rasasayang.com.my 65500 | depth: 2
- Runs ping.exe
PID:344
-
-
path: C:\Windows\SysWOW64\ping.exe | cmdline: ping -a -l www.duniasex.com 65500 | depth: 2
- Runs ping.exe
PID:32
-
-
path: C:\Windows\SysWOW64\ping.exe | cmdline: ping -a -l www.rasasayang.com.my 65500 | depth: 2
- Runs ping.exe
PID:4436
-
-
path: C:\Windows\SysWOW64\ping.exe | cmdline: ping -a -l www.duniasex.com 65500 | depth: 2
- Runs ping.exe
PID:5000
-
-
path: C:\Windows\SysWOW64\ping.exe | cmdline: ping -a -l www.duniasex.com 65500 | depth: 2
- Runs ping.exe
PID:4468
-
-
path: C:\Windows\SysWOW64\ping.exe | cmdline: ping -a -l www.rasasayang.com.my 65500 | depth: 2
- Runs ping.exe
PID:3108
-
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (2)
- Winlogon Helper DLL (1)
Defense Evasion
- Bypass User Account Control (1)
- Disabling Security Tools (1)
- Hidden Files and Directories (2)
- Modify Registry (9)
Downloads
-
Filesize
236KB
MD5ca6f131164c958f16d3c2f9c21645d34
SHA1b45773b6583408c39da3f5bff34c4cd8cf884999
SHA256268c0f5a49a697ce71d9664bc7dbd01b1005a15b5a8889cbf71b58923ef046c9
SHA512a07cf61b9fd5acd215cd9e921415d1c1f6dad0d58fd703e5be45032c060dd0472f8f2d6b5705c002fac681e517f761bdfd8ca3ae85940c3f8ea1100a075159f7
-
Filesize
236KB
MD5ca6f131164c958f16d3c2f9c21645d34
SHA1b45773b6583408c39da3f5bff34c4cd8cf884999
SHA256268c0f5a49a697ce71d9664bc7dbd01b1005a15b5a8889cbf71b58923ef046c9
SHA512a07cf61b9fd5acd215cd9e921415d1c1f6dad0d58fd703e5be45032c060dd0472f8f2d6b5705c002fac681e517f761bdfd8ca3ae85940c3f8ea1100a075159f7
-
Filesize
236KB
MD5ca6f131164c958f16d3c2f9c21645d34
SHA1b45773b6583408c39da3f5bff34c4cd8cf884999
SHA256268c0f5a49a697ce71d9664bc7dbd01b1005a15b5a8889cbf71b58923ef046c9
SHA512a07cf61b9fd5acd215cd9e921415d1c1f6dad0d58fd703e5be45032c060dd0472f8f2d6b5705c002fac681e517f761bdfd8ca3ae85940c3f8ea1100a075159f7
-
Filesize
236KB
MD5ca6f131164c958f16d3c2f9c21645d34
SHA1b45773b6583408c39da3f5bff34c4cd8cf884999
SHA256268c0f5a49a697ce71d9664bc7dbd01b1005a15b5a8889cbf71b58923ef046c9
SHA512a07cf61b9fd5acd215cd9e921415d1c1f6dad0d58fd703e5be45032c060dd0472f8f2d6b5705c002fac681e517f761bdfd8ca3ae85940c3f8ea1100a075159f7
-
Filesize
236KB
MD5ca6f131164c958f16d3c2f9c21645d34
SHA1b45773b6583408c39da3f5bff34c4cd8cf884999
SHA256268c0f5a49a697ce71d9664bc7dbd01b1005a15b5a8889cbf71b58923ef046c9
SHA512a07cf61b9fd5acd215cd9e921415d1c1f6dad0d58fd703e5be45032c060dd0472f8f2d6b5705c002fac681e517f761bdfd8ca3ae85940c3f8ea1100a075159f7
-
Filesize
236KB
MD5ca6f131164c958f16d3c2f9c21645d34
SHA1b45773b6583408c39da3f5bff34c4cd8cf884999
SHA256268c0f5a49a697ce71d9664bc7dbd01b1005a15b5a8889cbf71b58923ef046c9
SHA512a07cf61b9fd5acd215cd9e921415d1c1f6dad0d58fd703e5be45032c060dd0472f8f2d6b5705c002fac681e517f761bdfd8ca3ae85940c3f8ea1100a075159f7
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
236KB
MD5e60e2b4040c43f347ec81ff7a36f242e
SHA11927fbd37f3d5861e738c9556f1abfebea359e0f
SHA2568cac1ff88967b68a64c5d4b9227b02c7845c149b592724b1e5361fc6387cd0e5
SHA5129d91cbc0f837300e5cb6952ca9b7079a98a14a02b894e5b445f8dc8517740ed58e38a247c5ac52d53f546ba7c456b7bb09b6406bae545abd63c44c035c66c1e2
-
Filesize
236KB
MD5025d3d53a7b42f1602a06edc52bf5c80
SHA1be7c5791d75f9c8c487b9cb7888e8be61871f1f4
SHA256ddaccdaac81cddecccb417a5c228c169135b0f715dc9328a44ac2a6374d724fe
SHA512c51daead67233baae535f84b9290b58417f1548ffac477db40a4bc75ad5efcfbb79cb7cc73869aa720660cca3c7447fd5a3ea00f2c5c49929e4832f763c5afb7
-
Filesize
236KB
MD5025d3d53a7b42f1602a06edc52bf5c80
SHA1be7c5791d75f9c8c487b9cb7888e8be61871f1f4
SHA256ddaccdaac81cddecccb417a5c228c169135b0f715dc9328a44ac2a6374d724fe
SHA512c51daead67233baae535f84b9290b58417f1548ffac477db40a4bc75ad5efcfbb79cb7cc73869aa720660cca3c7447fd5a3ea00f2c5c49929e4832f763c5afb7
-
Filesize
236KB
MD5025d3d53a7b42f1602a06edc52bf5c80
SHA1be7c5791d75f9c8c487b9cb7888e8be61871f1f4
SHA256ddaccdaac81cddecccb417a5c228c169135b0f715dc9328a44ac2a6374d724fe
SHA512c51daead67233baae535f84b9290b58417f1548ffac477db40a4bc75ad5efcfbb79cb7cc73869aa720660cca3c7447fd5a3ea00f2c5c49929e4832f763c5afb7
-
Filesize
236KB
MD5025d3d53a7b42f1602a06edc52bf5c80
SHA1be7c5791d75f9c8c487b9cb7888e8be61871f1f4
SHA256ddaccdaac81cddecccb417a5c228c169135b0f715dc9328a44ac2a6374d724fe
SHA512c51daead67233baae535f84b9290b58417f1548ffac477db40a4bc75ad5efcfbb79cb7cc73869aa720660cca3c7447fd5a3ea00f2c5c49929e4832f763c5afb7
-
Filesize
236KB
MD5025d3d53a7b42f1602a06edc52bf5c80
SHA1be7c5791d75f9c8c487b9cb7888e8be61871f1f4
SHA256ddaccdaac81cddecccb417a5c228c169135b0f715dc9328a44ac2a6374d724fe
SHA512c51daead67233baae535f84b9290b58417f1548ffac477db40a4bc75ad5efcfbb79cb7cc73869aa720660cca3c7447fd5a3ea00f2c5c49929e4832f763c5afb7
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize 1.4MB
MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
(this identical entry is listed 8 times in the report; the duplicates are collapsed here)
-
Filesize 236KB
MD5 59a367cefa0a178ad2cd187e5f2bb81e
SHA1 5d36ec53bc2a7041edf6a9810f2f3fb8333aa9d4
SHA256 8ab1c9f47397ccc52092813f384eecd7af7fb5e1e9497b906705057a88968164
SHA512 1af185373dfa3e83f3078add27a13e8e9cda52aca94a0c046cb3389774e57804fa5f15db8587f13ecf93c114bbb3216c366cc4ba9314b853aae14c31a6813b18
(this identical entry is listed 7 times in the report; the duplicates are collapsed here)
-
Filesize 1.4MB
MD5 d6b05020d4a0ec2a3a8b687099e335df
SHA1 df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA512 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff
(this identical entry is listed 5 times in the report; the duplicates are collapsed here)
-
Filesize 236KB
MD5 9b87c6a69424f1d55836b90642b9c5de
SHA1 0c169ab23d07821c5564513206da4dbf1db11f30
SHA256 ba57c1309b8f77d4969b0e71dfe9b0eafd92eb5c576e6af9b45458ee1d098dbe
SHA512 0fe66064a444774fb3cbe44310fbabddc51d39af3360f4a966326e0e264ee2f25ef9271aa1028eb3e0b40b3ba0d5d839cc1fedd872ff7407c560679aa560120d
-
Filesize 236KB
MD5 b2053e2b206efe38babc0dbf1dd6e81f
SHA1 87c98060f9b15a512c3b817029079795306723cc
SHA256 af10aaf65f55984918c5c0c29e5a29d104fb99f8ecba5a71dd9d88d40ed68f22
SHA512 3e598fd8ea97bd1ac4f427aa73a455d03a3bcfb35658043b4b0ef0df4416055171c8a741b99533979b9273e7f5d1b7d29f68368295f540a7885a1cf7b6a482fa
-
Filesize 236KB
MD5 e0fee95170ad72482474fe7bab46bb7e
SHA1 ca1841de394fbd07dec6f367c72f16c8bd806543
SHA256 9ed08ecdad1fd9e61357b90b61de7426d681ad7dc88b4d0808fee1a675ddc97c
SHA512 b34e4f3647babafa3c6cd652a80e8ca0170dc92e84c112bfff317f49905ebacfd56b8b1255262b24bdbcf0503dc2059af35b406efec7e80430ecca235120e091
-
Filesize 236KB
MD5 c509fc4d50fe24fbe328a8fa50782833
SHA1 b75d67690e18a29287bc4a5bf5618fb757e2a608
SHA256 572ac7091bce397dade537ddfc01cbd699ea6e90465eb3a23cc86ae55de9c0f9
SHA512 f3a7890f08c6d5cb4eff26afa066900290028def833a97c51938fc58e0541e47b0fdb874e846a15f608abf109789b65fd3df5926f7915d7b92cf0ca467dd48ca
-
Filesize 236KB
MD5 5d2853bacc27897916b7354cc34a72ad
SHA1 130f5e572a399e04194b22c52e8ed15e328cefed
SHA256 2ef78e38b4cd57b5bcc8121def833e0fb7f499627f27d386336ea9d988a40c4a
SHA512 5babc23b028b74141ae35a74fbf22d518ce565bdee1f723472ea29e468b839b09e162af0228e2a825e249daccd1f68bd1074a751712f57d5375a13599a76942e
-
Filesize 236KB
MD5 99e7ae6e301b674ed5ef154974b36933
SHA1 a18baf271b5c57107965e757cbf5eb5566734a14
SHA256 c1ff6c865d370afe7de65f8b15667218a50ced1146c94756259a3d281ab427fd
SHA512 79f04e506597d55949b79ea1eeb79b6a0a82450b428ff34fe36c6004813ddd2721de2b5b6330ce109713eaf5a81b62fcd5ff7b636050c5a1eacf5882ccd1ece7
-
Filesize 236KB
MD5 2b27223fec93b79a9e46e702ed17643c
SHA1 1d807837073abc4c14c695f0769d4db5d164b5ae
SHA256 24b67ba07cee913a8e57f2e221fe53f02c8a15d2973bd284c3066be2a543f1b4
SHA512 49ec7e0c9ff9729f00ae9aba2c092b62f6dd4241ca83166e80108e65e55bb6b14ab7df3e45fa8a2755106fe159d4bc1190cf2917488e57399bf236cd9fed4189
-
Filesize 236KB
MD5 73edec148eaebaa7ff85dc4c8b983c2e
SHA1 7dd797d740792ab17ce8b47befe0f68d23bb721f
SHA256 3b2da01b9a9b130da4151688fb9a126567d1f4f084e6837cb8dbe9c7685ca678
SHA512 6366a78262f8a9a4fd144f4a49aacc9aa1ceab9057a89e50ffc629431e25c6f3b2e7d1dcdca97d6fb82db330e0a3be57f01330dd2c92f5da720364bcc88e59a5
(this identical entry is listed 4 times in the report; the duplicates are collapsed here)
-
Filesize 236KB
MD5 ad677f130cde0bb5b4febe33d4404a5b
SHA1 362da04ce57b3e3aad742231a4178da328dfa430
SHA256 09f06746114006b479b89553e2c7bdf96c73d6c15d1eceac51c08405045625fa
SHA512 6bc065217e05eff6b64c75d097d91932272cd5e9b503336468ead00fe1a2d4881d1e2932d54304fad47754aedc887cedf8d77fa827f59183ac4cd5f2f930f851
-
Filesize 236KB
MD5 54c054af9a852dc03bbc9f07e87d33df
SHA1 f225c9b00416663c30c09428735896b9c7a7d011
SHA256 2249a0cbf7de1cc01a574c0acc26c27e4ce99796f13742ac7f5786231700c95f
SHA512 dae2a844b038dcaf963e82ca0dc5ff35d6e341ae0ad848e1829a5407744ac18050f39802cdeff40256470ef029fac303fb7ed7941140f2afb9d1b89d187424d9
-
Filesize 236KB
MD5 8b88b1bdc3b5f556a5a8c86cac2e0a7c
SHA1 b10f7739577bff79d5c79367cd000d3398ee415d
SHA256 b2bd165bdd98d0951e59904991766c2bbc5e606f614ed3f7f62c259888efd2b3
SHA512 e00bc7a99493c77ce1d4d51520ad5651a13a84c08d6293e1b67567819a2deb1a93a6826cb50b4d15edad33f9d7e63cdb04bd4b0cc927eceeffcaa79cdf11c3d6
-
Filesize 236KB
MD5 8867c0fe28aeed8f4160740a090aa654
SHA1 cea888b2c12686a8438bf7d49def2d08208bab0f
SHA256 38e2ab79dd4ef94f8aa2c9f722a0e3631923d8898bdd334f412b723e9438a464
SHA512 b29292c8b12d05d5fd03869f3052f05aa1002980715acedb40533829dc21d27681c0e301985d8affd1e6f1ab00af60f5321ac9c801fbf31701ae97772684caa4
(this identical entry is listed 3 times in the report; the duplicates are collapsed here)
-
Filesize 1.4MB
MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
(this identical entry is listed 10 times in the report; the duplicates are collapsed here)
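The dropped-file list in this report comes out of extraction with each hash label fused to its digest ("MD525f62c02...") and with the same file repeated once per path it was written to, so pulling IOCs out of it by hand is error-prone. The parser below is an added example, not code from the original report or from the sandbox vendor; it assumes only the layout visible above (a "-" separator, a "Filesize" line followed by the size, then MD5/SHA1/SHA256/SHA512 lines with the digest glued to the label). It splits the text into records, rejects any digest whose length does not match its algorithm (a sign of a truncated or mangled line rather than a usable indicator), and collapses identical entries into one record with a copy count. The SAMPLE text is constructed from two of the entries on this page, the first one repeated.

```python
"""Parse sandbox-report dropped-file hash blocks into de-duplicated records.

Added example, not code from the original report or the sandbox vendor.
Assumes the layout seen on this page: a "-" separator, a "Filesize" line
followed by the size, then MD5/SHA1/SHA256/SHA512 lines with the digest
fused onto the label (e.g. "MD525f62c02...").
"""
import re
from collections import OrderedDict

# Expected hex-digest length per algorithm. A digest of any other length is
# extraction damage and is rejected instead of being passed on as an IOC.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Label followed directly by hex; labels contain non-hex letters, so a bare
# digest line can never be mistaken for a labelled one.
LABEL_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)([0-9A-Fa-f]*)$")

# Constructed sample: two entries copied from this page, the first repeated.
SAMPLE = """-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
236KB
MD559a367cefa0a178ad2cd187e5f2bb81e
SHA15d36ec53bc2a7041edf6a9810f2f3fb8333aa9d4
SHA2568ab1c9f47397ccc52092813f384eecd7af7fb5e1e9497b906705057a88968164
SHA5121af185373dfa3e83f3078add27a13e8e9cda52aca94a0c046cb3389774e57804fa5f15db8587f13ecf93c114bbb3216c366cc4ba9314b853aae14c31a6813b18
"""


def digest_ok(algo, digest):
    """True when digest is all hex and exactly the length algo requires."""
    return (algo in DIGEST_LEN
            and len(digest) == DIGEST_LEN[algo]
            and all(c in "0123456789abcdef" for c in digest.lower()))


def parse_entries(text):
    """Split report text into one dict per "-" block; drop incomplete blocks."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    entries, current = [], None
    i = 0
    while i < len(lines):
        ln = lines[i]
        if ln == "-":
            current = {}
            entries.append(current)
        elif current is None:
            pass  # residue before the first separator, e.g. a dangling hash line
        elif ln == "Filesize" and i + 1 < len(lines):
            i += 1
            current["size"] = lines[i]
        else:
            m = LABEL_RE.match(ln)
            if m:
                algo, digest = m.group(1), m.group(2).lower()
                if not digest_ok(algo, digest):
                    raise ValueError(
                        f"{algo} digest {digest!r} is not {DIGEST_LEN[algo]} hex chars")
                current[algo] = digest
        i += 1
    return [e for e in entries if "SHA256" in e]


def dedupe(entries):
    """Collapse identical entries, keyed on SHA256, keeping how often each appears."""
    unique = OrderedDict()
    for e in entries:
        rec = unique.setdefault(e["SHA256"], dict(e, count=0))
        rec["count"] += 1
    return list(unique.values())


def summarize(text=SAMPLE):
    """Unique dropped files with copy counts, in first-seen order."""
    return dedupe(parse_entries(text))


if __name__ == "__main__":
    for rec in summarize():
        print(f"{rec['count']}x {rec['size']:>6}  sha256={rec['SHA256']}")
```

Feed it the raw text of a report's dropped-file section and it yields one record per distinct payload, which is what you want before pushing SHA256 values into a blocklist or a hunt query; the ValueError on a short digest is deliberate, since a silently truncated hash would never match anything.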