Analysis
-
max time kernel
187s -
max time network
137s -
platform
windows7_x64 -
resource
win7-20231025-en -
resource tags
arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system -
submitted
01-11-2023 17:04
Behavioral task
behavioral1
Sample
NEAS.bd5b7228bfe118f0ec41b5b331117409.exe
Resource
win7-20231025-en
windows7-x64
27 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.bd5b7228bfe118f0ec41b5b331117409.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
27 signatures
150 seconds
General
-
Target
NEAS.bd5b7228bfe118f0ec41b5b331117409.exe
-
Size
416KB
-
MD5
bd5b7228bfe118f0ec41b5b331117409
-
SHA1
15e26f2a23d770c38ef50b7206f61655680d0d54
-
SHA256
0a2de45f865d4d1f2bfea3230f16169cd0e9ab52adf08ea30d6636d472864fcc
-
SHA512
f284329accc462b881178d33ee391c3b84604068c82a6b74a8c952abb3058d9fbcf90c518bacee644224777fe1413f351a470af654f28ac833dc228f64bca7f7
-
SSDEEP
3072:JNx6AHjYzaFXg+w17jsgS/jHagQg19Vw+HkaxubesmJoZmGr11:JNxzYzaFXi17jkw+Efmm11
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" NEAS.bd5b7228bfe118f0ec41b5b331117409.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" NEAS.bd5b7228bfe118f0ec41b5b331117409.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" csrss.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Gaara.exe Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" NEAS.bd5b7228bfe118f0ec41b5b331117409.exe Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Kazekage.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Gaara.exe Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" NEAS.bd5b7228bfe118f0ec41b5b331117409.exe Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Kazekage.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" NEAS.bd5b7228bfe118f0ec41b5b331117409.exe -
Disables RegEdit via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Kazekage.exe Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Gaara.exe Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" NEAS.bd5b7228bfe118f0ec41b5b331117409.exe Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" system32.exe -
Disables use of System Restore points 1 TTPs
-
Drops file in Drivers directory 24 IoCs
description ioc Process File created C:\Windows\SysWOW64\drivers\system32.exe system32.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe smss.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe smss.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe Kazekage.exe File created C:\Windows\SysWOW64\drivers\system32.exe smss.exe File created C:\Windows\SysWOW64\drivers\system32.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe csrss.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe system32.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe system32.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe csrss.exe File created C:\Windows\SysWOW64\drivers\system32.exe Kazekage.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe csrss.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe Kazekage.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe system32.exe File created C:\Windows\SysWOW64\drivers\system32.exe csrss.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File created C:\Windows\SysWOW64\drivers\system32.exe NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe smss.exe -
Sets file execution options in registry 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe NEAS.bd5b7228bfe118f0ec41b5b331117409.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" NEAS.bd5b7228bfe118f0ec41b5b331117409.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" NEAS.bd5b7228bfe118f0ec41b5b331117409.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe NEAS.bd5b7228bfe118f0ec41b5b331117409.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" NEAS.bd5b7228bfe118f0ec41b5b331117409.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" NEAS.bd5b7228bfe118f0ec41b5b331117409.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" NEAS.bd5b7228bfe118f0ec41b5b331117409.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" system32.exe -
Executes dropped EXE 30 IoCs
pid Process 2896 smss.exe 2188 smss.exe 3068 Gaara.exe 112 smss.exe 2860 Gaara.exe 2828 csrss.exe 2120 smss.exe 1480 Gaara.exe 1612 csrss.exe 2040 Kazekage.exe 320 smss.exe 2452 Gaara.exe 1448 csrss.exe 676 Kazekage.exe 1616 Gaara.exe 1676 csrss.exe 560 Kazekage.exe 1780 system32.exe 1540 system32.exe 2308 csrss.exe 2100 Kazekage.exe 1108 system32.exe 1876 Kazekage.exe 2932 smss.exe 1600 system32.exe 1756 system32.exe 2768 Gaara.exe 2092 csrss.exe 2620 Kazekage.exe 796 system32.exe -
Loads dropped DLL 61 IoCs
pid Process 2216 NEAS.bd5b7228bfe118f0ec41b5b331117409.exe 2216 NEAS.bd5b7228bfe118f0ec41b5b331117409.exe 2896 smss.exe 2896 smss.exe 2188 smss.exe 2896 smss.exe 2896 smss.exe 3068 Gaara.exe 3068 Gaara.exe 112 smss.exe 2860 Gaara.exe 3068 Gaara.exe 3068 Gaara.exe 2828 csrss.exe 2828 csrss.exe 2120 smss.exe 2828 csrss.exe 1480 Gaara.exe 1612 csrss.exe 2828 csrss.exe 2828 csrss.exe 2040 Kazekage.exe 320 smss.exe 2040 Kazekage.exe 2452 Gaara.exe 2040 Kazekage.exe 1448 csrss.exe 2040 Kazekage.exe 2040 Kazekage.exe 2216 NEAS.bd5b7228bfe118f0ec41b5b331117409.exe 1616 Gaara.exe 2896 smss.exe 3068 Gaara.exe 3068 Gaara.exe 1676 csrss.exe 2828 csrss.exe 2828 csrss.exe 2040 Kazekage.exe 2040 Kazekage.exe 2216 NEAS.bd5b7228bfe118f0ec41b5b331117409.exe 2308 csrss.exe 2896 smss.exe 2896 smss.exe 3068 Gaara.exe 3068 Gaara.exe 2216 NEAS.bd5b7228bfe118f0ec41b5b331117409.exe 2216 NEAS.bd5b7228bfe118f0ec41b5b331117409.exe 1780 system32.exe 2932 smss.exe 2896 smss.exe 2896 smss.exe 2216 NEAS.bd5b7228bfe118f0ec41b5b331117409.exe 2216 NEAS.bd5b7228bfe118f0ec41b5b331117409.exe 1780 system32.exe 2768 Gaara.exe 1780 system32.exe 2092 csrss.exe 1780 system32.exe 1780 system32.exe 1780 system32.exe 1780 system32.exe -
resource yara_rule behavioral1/memory/2216-0-0x0000000000400000-0x000000000043B000-memory.dmp upx behavioral1/files/0x000700000001413b-33.dat upx behavioral1/files/0x000700000001413b-36.dat upx behavioral1/files/0x000700000001413b-32.dat upx behavioral1/files/0x000700000001413b-30.dat upx behavioral1/memory/2216-38-0x0000000001D20000-0x0000000001D5B000-memory.dmp upx behavioral1/memory/2896-40-0x0000000000400000-0x000000000043B000-memory.dmp upx behavioral1/files/0x000700000001421b-56.dat upx behavioral1/files/0x0009000000014482-64.dat upx behavioral1/files/0x00090000000142b8-60.dat upx behavioral1/files/0x00070000000141d4-52.dat upx behavioral1/files/0x0007000000014144-48.dat upx behavioral1/files/0x000700000001413b-47.dat upx behavioral1/memory/2188-79-0x0000000000400000-0x000000000043B000-memory.dmp upx behavioral1/files/0x000700000001413b-77.dat upx behavioral1/files/0x000700000001413b-75.dat upx behavioral1/memory/2188-82-0x0000000000400000-0x000000000043B000-memory.dmp upx behavioral1/files/0x0007000000014144-83.dat upx behavioral1/files/0x0007000000014144-87.dat upx behavioral1/memory/3068-93-0x0000000000400000-0x000000000043B000-memory.dmp upx behavioral1/files/0x0007000000014144-91.dat upx behavioral1/files/0x0007000000014144-86.dat upx behavioral1/files/0x0007000000014144-99.dat upx behavioral1/files/0x00090000000142b8-108.dat upx behavioral1/files/0x000700000001421b-104.dat upx behavioral1/files/0x000700000001413b-125.dat upx behavioral1/files/0x0009000000014482-112.dat upx behavioral1/files/0x000700000001413b-123.dat upx behavioral1/files/0x0007000000014144-129.dat upx behavioral1/memory/2216-132-0x0000000000400000-0x000000000043B000-memory.dmp upx behavioral1/memory/112-131-0x0000000000400000-0x000000000043B000-memory.dmp upx behavioral1/memory/2860-135-0x0000000000400000-0x000000000043B000-memory.dmp upx behavioral1/files/0x00070000000141d4-143.dat upx behavioral1/files/0x00070000000141d4-141.dat upx behavioral1/memory/2896-140-0x0000000000400000-0x000000000043B000-memory.dmp upx behavioral1/files/0x00070000000141d4-136.dat upx behavioral1/files/0x00070000000141d4-146.dat upx behavioral1/memory/2828-148-0x0000000000400000-0x000000000043B000-memory.dmp upx behavioral1/files/0x00070000000141d4-154.dat upx behavioral1/files/0x000700000001421b-155.dat upx behavioral1/files/0x00090000000142b8-159.dat upx behavioral1/files/0x0009000000014482-163.dat upx behavioral1/memory/2896-176-0x0000000000340000-0x000000000037B000-memory.dmp upx behavioral1/files/0x000700000001413b-174.dat upx behavioral1/files/0x000700000001413b-175.dat upx behavioral1/memory/2120-181-0x0000000000400000-0x000000000043B000-memory.dmp upx behavioral1/files/0x0007000000014144-183.dat upx behavioral1/memory/2120-185-0x0000000000400000-0x000000000043B000-memory.dmp upx behavioral1/memory/3068-187-0x0000000000400000-0x000000000043B000-memory.dmp upx behavioral1/files/0x0007000000014144-184.dat upx behavioral1/memory/1480-194-0x0000000000400000-0x000000000043B000-memory.dmp upx behavioral1/files/0x00070000000141d4-192.dat upx behavioral1/memory/1612-197-0x0000000000400000-0x000000000043B000-memory.dmp upx behavioral1/files/0x00090000000142b8-204.dat upx behavioral1/memory/2040-206-0x0000000000400000-0x000000000043B000-memory.dmp upx behavioral1/files/0x00090000000142b8-205.dat upx behavioral1/files/0x00090000000142b8-201.dat upx behavioral1/memory/2828-200-0x0000000000530000-0x000000000056B000-memory.dmp upx behavioral1/files/0x00090000000142b8-198.dat upx behavioral1/files/0x00090000000142b8-212.dat upx behavioral1/files/0x000700000001421b-213.dat upx behavioral1/files/0x0009000000014482-217.dat upx behavioral1/files/0x000700000001413b-228.dat upx behavioral1/files/0x000700000001413b-229.dat upx -
Adds Run key to start application 2 TTPs 24 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-11-2023.exe" NEAS.bd5b7228bfe118f0ec41b5b331117409.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 11 - 2023\\Gaara.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-11-2023.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-11-2023.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 11 - 2023\\smss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-11-2023.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-11-2023.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 11 - 2023\\smss.exe" NEAS.bd5b7228bfe118f0ec41b5b331117409.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-11-2023.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 11 - 2023\\smss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 11 - 2023\\smss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 11 - 2023\\Gaara.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 11 - 2023\\smss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 11 - 2023\\Gaara.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 11 - 2023\\Gaara.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 11 - 2023\\Gaara.exe" NEAS.bd5b7228bfe118f0ec41b5b331117409.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" NEAS.bd5b7228bfe118f0ec41b5b331117409.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 11 - 2023\\smss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 11 - 2023\\Gaara.exe" Gaara.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" NEAS.bd5b7228bfe118f0ec41b5b331117409.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification F:\Desktop.ini Kazekage.exe File opened for modification \??\Q:\Desktop.ini Kazekage.exe File opened for modification \??\Y:\Desktop.ini Gaara.exe File opened for modification \??\N:\Desktop.ini csrss.exe File opened for modification \??\X:\Desktop.ini smss.exe File opened for modification D:\Desktop.ini system32.exe File opened for modification \??\H:\Desktop.ini csrss.exe File opened for modification \??\T:\Desktop.ini Kazekage.exe File opened for modification \??\J:\Desktop.ini Gaara.exe File opened for modification \??\Q:\Desktop.ini Gaara.exe File opened for modification F:\Desktop.ini system32.exe File opened for modification \??\R:\Desktop.ini csrss.exe File opened for modification \??\Z:\Desktop.ini csrss.exe File opened for modification \??\B:\Desktop.ini Kazekage.exe File opened for modification \??\S:\Desktop.ini Gaara.exe File opened for modification \??\Y:\Desktop.ini NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened for modification \??\I:\Desktop.ini smss.exe File opened for modification \??\X:\Desktop.ini csrss.exe File opened for modification \??\I:\Desktop.ini Kazekage.exe File opened for modification \??\B:\Desktop.ini NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened for modification \??\N:\Desktop.ini smss.exe File opened for modification \??\S:\Desktop.ini system32.exe File opened for modification \??\J:\Desktop.ini csrss.exe File opened for modification C:\Desktop.ini Gaara.exe File opened for modification \??\X:\Desktop.ini Gaara.exe File opened for modification \??\K:\Desktop.ini smss.exe File opened for modification \??\U:\Desktop.ini smss.exe File opened for modification D:\Desktop.ini Gaara.exe File opened for modification \??\M:\Desktop.ini smss.exe File opened for modification F:\Desktop.ini csrss.exe File opened for modification \??\S:\Desktop.ini csrss.exe File opened for modification \??\A:\Desktop.ini Kazekage.exe File opened for modification C:\Desktop.ini Kazekage.exe File opened for modification \??\N:\Desktop.ini Kazekage.exe File opened for modification \??\Y:\Desktop.ini Kazekage.exe File opened for modification \??\V:\Desktop.ini smss.exe File opened for modification \??\O:\Desktop.ini system32.exe File opened for modification F:\Desktop.ini NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened for modification \??\G:\Desktop.ini NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened for modification \??\J:\Desktop.ini NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened for modification \??\B:\Desktop.ini smss.exe File opened for modification \??\Y:\Desktop.ini system32.exe File opened for modification \??\O:\Desktop.ini smss.exe File opened for modification \??\P:\Desktop.ini smss.exe File opened for modification \??\M:\Desktop.ini Kazekage.exe File opened for modification \??\V:\Desktop.ini Kazekage.exe File opened for modification \??\A:\Desktop.ini Gaara.exe File opened for modification \??\L:\Desktop.ini NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened for modification \??\W:\Desktop.ini NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened for modification \??\L:\Desktop.ini smss.exe File opened for modification \??\M:\Desktop.ini system32.exe File opened for modification \??\T:\Desktop.ini NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened for modification C:\Desktop.ini csrss.exe File opened for modification \??\G:\Desktop.ini Kazekage.exe File opened for modification \??\L:\Desktop.ini Kazekage.exe File opened for modification \??\W:\Desktop.ini Gaara.exe File opened for modification \??\E:\Desktop.ini system32.exe File opened for modification D:\Desktop.ini csrss.exe File opened for modification \??\K:\Desktop.ini csrss.exe File opened for modification \??\L:\Desktop.ini csrss.exe File opened for modification \??\U:\Desktop.ini Gaara.exe File opened for modification \??\V:\Desktop.ini NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened for modification C:\Desktop.ini smss.exe File opened for modification \??\T:\Desktop.ini csrss.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Z: NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened (read-only) \??\U: smss.exe File opened (read-only) \??\N: Kazekage.exe File opened (read-only) \??\L: NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened (read-only) \??\V: Gaara.exe File opened (read-only) \??\B: NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened (read-only) \??\A: Gaara.exe File opened (read-only) \??\S: Gaara.exe File opened (read-only) \??\J: NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened (read-only) \??\N: smss.exe File opened (read-only) \??\P: system32.exe File opened (read-only) \??\G: Kazekage.exe File opened (read-only) \??\W: Kazekage.exe File opened (read-only) \??\V: Kazekage.exe File opened (read-only) \??\M: Gaara.exe File opened (read-only) \??\Y: Gaara.exe File opened (read-only) \??\R: system32.exe File opened (read-only) \??\J: csrss.exe File opened (read-only) \??\Z: csrss.exe File opened (read-only) \??\J: smss.exe File opened (read-only) \??\N: system32.exe File opened (read-only) \??\Y: csrss.exe File opened (read-only) \??\M: NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened (read-only) \??\B: Kazekage.exe File opened (read-only) \??\O: Kazekage.exe File opened (read-only) \??\G: csrss.exe File opened (read-only) \??\K: csrss.exe File opened (read-only) \??\A: Kazekage.exe File opened (read-only) \??\V: NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened (read-only) \??\X: system32.exe File opened (read-only) \??\M: csrss.exe File opened (read-only) \??\P: csrss.exe File opened (read-only) \??\G: Gaara.exe File opened (read-only) \??\K: smss.exe File opened (read-only) \??\Y: smss.exe File opened (read-only) \??\P: Kazekage.exe File opened (read-only) \??\Z: Kazekage.exe File opened (read-only) \??\J: Gaara.exe File opened (read-only) \??\N: Gaara.exe File opened (read-only) \??\Q: smss.exe File opened (read-only) \??\X: smss.exe File opened (read-only) \??\Q: csrss.exe File opened (read-only) \??\U: Kazekage.exe File opened (read-only) \??\E: NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened (read-only) \??\E: Gaara.exe File opened (read-only) \??\H: NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened (read-only) \??\U: NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened (read-only) \??\Y: NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened (read-only) \??\Q: system32.exe File opened (read-only) \??\T: Kazekage.exe File opened (read-only) \??\Y: Kazekage.exe File opened (read-only) \??\Z: Gaara.exe File opened (read-only) \??\A: system32.exe File opened (read-only) \??\L: system32.exe File opened (read-only) \??\H: csrss.exe File opened (read-only) \??\O: csrss.exe File opened (read-only) \??\Q: NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened (read-only) \??\Y: system32.exe File opened (read-only) \??\B: Gaara.exe File opened (read-only) \??\X: Gaara.exe File opened (read-only) \??\M: smss.exe File opened (read-only) \??\U: system32.exe File opened (read-only) \??\A: NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened (read-only) \??\K: NEAS.bd5b7228bfe118f0ec41b5b331117409.exe -
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification \??\V:\Autorun.inf NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened for modification \??\J:\Autorun.inf smss.exe File opened for modification \??\T:\Autorun.inf smss.exe File opened for modification \??\M:\Autorun.inf Kazekage.exe File created \??\H:\Autorun.inf system32.exe File opened for modification \??\O:\Autorun.inf system32.exe File opened for modification \??\R:\Autorun.inf system32.exe File opened for modification \??\J:\Autorun.inf csrss.exe File created \??\B:\Autorun.inf NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened for modification \??\H:\Autorun.inf smss.exe File opened for modification \??\M:\Autorun.inf smss.exe File created \??\Z:\Autorun.inf smss.exe File created \??\R:\Autorun.inf Gaara.exe File opened for modification \??\J:\Autorun.inf Kazekage.exe File created \??\K:\Autorun.inf Kazekage.exe File opened for modification \??\S:\Autorun.inf Kazekage.exe File created \??\Y:\Autorun.inf Kazekage.exe File opened for modification \??\B:\Autorun.inf smss.exe File opened for modification \??\N:\Autorun.inf Gaara.exe File opened for modification F:\Autorun.inf Kazekage.exe File opened for modification \??\P:\Autorun.inf NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened for modification \??\L:\Autorun.inf system32.exe File created \??\S:\Autorun.inf system32.exe File created \??\K:\Autorun.inf csrss.exe File opened for modification \??\G:\Autorun.inf NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File created \??\S:\Autorun.inf NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File created \??\O:\Autorun.inf Kazekage.exe File created \??\E:\Autorun.inf smss.exe File opened for modification \??\H:\Autorun.inf Gaara.exe File created \??\L:\Autorun.inf Gaara.exe File created \??\Q:\Autorun.inf Gaara.exe File opened for modification \??\Q:\Autorun.inf csrss.exe File opened for modification \??\U:\Autorun.inf csrss.exe File opened for modification \??\T:\Autorun.inf NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File created \??\Y:\Autorun.inf smss.exe File opened for modification \??\E:\Autorun.inf Gaara.exe File created \??\S:\Autorun.inf Gaara.exe File created \??\T:\Autorun.inf Kazekage.exe File opened for modification \??\J:\Autorun.inf system32.exe File opened for modification \??\Z:\Autorun.inf system32.exe File created \??\A:\Autorun.inf csrss.exe File created \??\H:\Autorun.inf NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File created \??\L:\Autorun.inf NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File created D:\Autorun.inf smss.exe File created \??\L:\Autorun.inf csrss.exe File opened for modification \??\Z:\Autorun.inf NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened for modification \??\R:\Autorun.inf smss.exe File opened for modification \??\M:\Autorun.inf Gaara.exe File created \??\T:\Autorun.inf csrss.exe File created \??\Y:\Autorun.inf NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened for modification \??\Z:\Autorun.inf smss.exe File opened for modification \??\Z:\Autorun.inf Gaara.exe File opened for modification \??\K:\Autorun.inf Kazekage.exe File created \??\N:\Autorun.inf system32.exe File opened for modification \??\V:\Autorun.inf system32.exe File created \??\R:\Autorun.inf NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened for modification \??\W:\Autorun.inf Gaara.exe File opened for modification \??\W:\Autorun.inf Kazekage.exe File created \??\I:\Autorun.inf csrss.exe File opened for modification C:\Autorun.inf Gaara.exe File created D:\Autorun.inf system32.exe File opened for modification \??\K:\Autorun.inf NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File created \??\J:\Autorun.inf Gaara.exe File created \??\B:\Autorun.inf Kazekage.exe -
Drops file in System32 directory 40 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Kazekage.exe File opened for modification C:\Windows\SysWOW64\ system32.exe File created C:\Windows\SysWOW64\2-11-2023.exe NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll csrss.exe File created C:\Windows\SysWOW64\msvbvm60.dll csrss.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini system32.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll system32.exe File opened for modification C:\Windows\SysWOW64\2-11-2023.exe NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini Gaara.exe File opened for modification C:\Windows\SysWOW64\ Kazekage.exe File created C:\Windows\SysWOW64\2-11-2023.exe csrss.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx csrss.exe File created C:\Windows\SysWOW64\msvbvm60.dll system32.exe File created C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\SysWOW64\ NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini smss.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx smss.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll smss.exe File opened for modification C:\Windows\SysWOW64\ Gaara.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe File created C:\Windows\SysWOW64\msvbvm60.dll smss.exe File created C:\Windows\SysWOW64\mscomctl.ocx NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\SysWOW64\2-11-2023.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\2-11-2023.exe smss.exe File opened for modification C:\Windows\SysWOW64\2-11-2023.exe csrss.exe File opened for modification C:\Windows\SysWOW64\2-11-2023.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\2-11-2023.exe system32.exe File created C:\Windows\SysWOW64\Desktop.ini NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx system32.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini csrss.exe File created C:\Windows\SysWOW64\msvbvm60.dll NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened for modification C:\Windows\SysWOW64\ csrss.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened for modification C:\Windows\SysWOW64\ smss.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Gaara.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini Kazekage.exe File created C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe -
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" NEAS.bd5b7228bfe118f0ec41b5b331117409.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File created C:\Windows\Fonts\Admin 2 - 11 - 2023\Gaara.exe NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened for modification C:\Windows\Fonts\Admin 2 - 11 - 2023\Gaara.exe Gaara.exe File created C:\Windows\WBEM\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\Fonts\Admin 2 - 11 - 2023\Gaara.exe csrss.exe File created C:\Windows\Fonts\Admin 2 - 11 - 2023\csrss.exe csrss.exe File created C:\Windows\Fonts\Admin 2 - 11 - 2023\Gaara.exe Kazekage.exe File created C:\Windows\Fonts\Admin 2 - 11 - 2023\Gaara.exe system32.exe File created C:\Windows\Fonts\Admin 2 - 11 - 2023\msvbvm60.dll NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened for modification C:\Windows\Fonts\Admin 2 - 11 - 2023\csrss.exe smss.exe File opened for modification C:\Windows\Fonts\Admin 2 - 11 - 2023\Gaara.exe system32.exe File created C:\Windows\Fonts\Admin 2 - 11 - 2023\msvbvm60.dll system32.exe File opened for modification C:\Windows\ smss.exe File opened for modification C:\Windows\Fonts\Admin 2 - 11 - 2023\smss.exe NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened for modification C:\Windows\Fonts\Admin 2 - 11 - 2023\Gaara.exe NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened for modification C:\Windows\msvbvm60.dll NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened for modification C:\Windows\system\msvbvm60.dll Gaara.exe File created C:\Windows\Fonts\Admin 2 - 11 - 2023\smss.exe system32.exe File opened for modification C:\Windows\mscomctl.ocx system32.exe File created C:\Windows\WBEM\msvbvm60.dll NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File created C:\Windows\Fonts\Admin 2 - 11 - 2023\smss.exe Gaara.exe File opened for modification C:\Windows\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\ Kazekage.exe File opened for modification C:\Windows\ csrss.exe File created C:\Windows\Fonts\Admin 2 - 11 - 2023\msvbvm60.dll smss.exe File created C:\Windows\Fonts\Admin 2 - 11 - 2023\smss.exe csrss.exe File opened for modification C:\Windows\Fonts\Admin 2 - 11 - 2023\smss.exe Kazekage.exe File opened for modification C:\Windows\msvbvm60.dll Kazekage.exe File created C:\Windows\WBEM\msvbvm60.dll Kazekage.exe File created C:\Windows\Fonts\Admin 2 - 11 - 2023\Gaara.exe smss.exe File created C:\Windows\WBEM\msvbvm60.dll csrss.exe File opened for modification C:\Windows\system\mscoree.dll Kazekage.exe File opened for modification C:\Windows\system\mscoree.dll csrss.exe File created C:\Windows\WBEM\msvbvm60.dll system32.exe File opened for modification C:\Windows\ NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File created C:\Windows\Fonts\The Kazekage.jpg NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened for modification C:\Windows\system\mscoree.dll NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened for modification C:\Windows\Fonts\Admin 2 - 11 - 2023\csrss.exe NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File created C:\Windows\Fonts\Admin 2 - 11 - 2023\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\Fonts\Admin 2 - 11 - 2023\csrss.exe csrss.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg system32.exe File created C:\Windows\Fonts\Admin 2 - 11 - 2023\csrss.exe system32.exe File created C:\Windows\mscomctl.ocx csrss.exe File created C:\Windows\mscomctl.ocx NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened for modification C:\Windows\system\msvbvm60.dll NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened for modification C:\Windows\Fonts\Admin 2 - 11 - 2023\csrss.exe Gaara.exe File created C:\Windows\Fonts\Admin 2 - 11 - 2023\msvbvm60.dll csrss.exe File opened for modification C:\Windows\system\msvbvm60.dll csrss.exe File opened for modification C:\Windows\Fonts\Admin 2 - 11 - 2023\Gaara.exe Kazekage.exe File created C:\Windows\Fonts\Admin 2 - 11 - 2023\csrss.exe Kazekage.exe File opened for modification C:\Windows\system\msvbvm60.dll Kazekage.exe File created C:\Windows\Fonts\Admin 2 - 11 - 2023\smss.exe smss.exe File opened for modification C:\Windows\Fonts\Admin 2 - 11 - 2023\csrss.exe Kazekage.exe File opened for modification C:\Windows\Fonts\Admin 2 - 11 - 2023\smss.exe system32.exe File created C:\Windows\Fonts\Admin 2 - 11 - 2023\csrss.exe Gaara.exe File created C:\Windows\Fonts\Admin 2 - 11 - 2023\smss.exe NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File created C:\Windows\Fonts\Admin 2 - 11 - 2023\csrss.exe NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File created C:\Windows\msvbvm60.dll NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened for modification C:\Windows\Fonts\Admin 2 - 11 - 2023\smss.exe smss.exe File opened for modification C:\Windows\system\mscoree.dll Gaara.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg csrss.exe File created C:\Windows\Fonts\Admin 2 - 11 - 2023\csrss.exe smss.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened for modification C:\Windows\Fonts\Admin 2 - 11 - 2023\msvbvm60.dll NEAS.bd5b7228bfe118f0ec41b5b331117409.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg Gaara.exe -
Modifies Control Panel 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" NEAS.bd5b7228bfe118f0ec41b5b331117409.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" NEAS.bd5b7228bfe118f0ec41b5b331117409.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Screen Saver.Marquee\Size = "72" NEAS.bd5b7228bfe118f0ec41b5b331117409.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Screen Saver.Marquee\Speed = "4" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Desktop\WallpaperStyle = "2" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" smss.exe Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Screen Saver.Marquee smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Screen Saver.Marquee\Size = "72" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Screen Saver.Marquee\Speed = "4" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Desktop\WallpaperStyle = "2" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" NEAS.bd5b7228bfe118f0ec41b5b331117409.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Desktop\WallpaperStyle = "2" NEAS.bd5b7228bfe118f0ec41b5b331117409.exe Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Desktop smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Screen Saver.Marquee\Size = "72" Gaara.exe Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Screen Saver.Marquee system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" system32.exe Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Desktop system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" smss.exe Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Desktop csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Desktop\WallpaperStyle = "2" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Screen Saver.Marquee Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" NEAS.bd5b7228bfe118f0ec41b5b331117409.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" NEAS.bd5b7228bfe118f0ec41b5b331117409.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" NEAS.bd5b7228bfe118f0ec41b5b331117409.exe Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Desktop Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Screen Saver.Marquee\Speed = "4" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Screen Saver.Marquee Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" NEAS.bd5b7228bfe118f0ec41b5b331117409.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Screen Saver.Marquee\Speed = "4" NEAS.bd5b7228bfe118f0ec41b5b331117409.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Screen Saver.Marquee\Size = "72" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Desktop\WallpaperStyle = "2" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Screen Saver.Marquee\Speed = "4" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" NEAS.bd5b7228bfe118f0ec41b5b331117409.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Gaara.exe Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main NEAS.bd5b7228bfe118f0ec41b5b331117409.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" NEAS.bd5b7228bfe118f0ec41b5b331117409.exe Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main smss.exe Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main system32.exe Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" csrss.exe Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main Kazekage.exe -
Modifies registry class 48 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" NEAS.bd5b7228bfe118f0ec41b5b331117409.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command NEAS.bd5b7228bfe118f0ec41b5b331117409.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" NEAS.bd5b7228bfe118f0ec41b5b331117409.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command NEAS.bd5b7228bfe118f0ec41b5b331117409.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command NEAS.bd5b7228bfe118f0ec41b5b331117409.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" NEAS.bd5b7228bfe118f0ec41b5b331117409.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" NEAS.bd5b7228bfe118f0ec41b5b331117409.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command NEAS.bd5b7228bfe118f0ec41b5b331117409.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command smss.exe -
Runs ping.exe 1 TTPs 30 IoCs
pid Process 2444 ping.exe 1524 ping.exe 1068 ping.exe 2724 ping.exe 3000 ping.exe 2792 ping.exe 1932 ping.exe 2540 ping.exe 2720 ping.exe 2160 ping.exe 2336 ping.exe 2012 ping.exe 1612 ping.exe 2840 ping.exe 916 ping.exe 796 ping.exe 816 ping.exe 2080 ping.exe 1936 ping.exe 1680 ping.exe 2512 ping.exe 1560 ping.exe 1112 ping.exe 576 ping.exe 2072 ping.exe 1904 ping.exe 2344 ping.exe 976 ping.exe 2284 ping.exe 1932 ping.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2828 csrss.exe 2828 csrss.exe 2828 csrss.exe 2828 csrss.exe 2828 csrss.exe 2828 csrss.exe 2828 csrss.exe 2828 csrss.exe 2828 csrss.exe 2828 csrss.exe 2828 csrss.exe 2828 csrss.exe 2040 Kazekage.exe 2040 Kazekage.exe 2040 Kazekage.exe 2040 Kazekage.exe 2040 Kazekage.exe 2040 Kazekage.exe 2040 Kazekage.exe 2040 Kazekage.exe 2040 Kazekage.exe 2040 Kazekage.exe 2040 Kazekage.exe 2040 Kazekage.exe 3068 Gaara.exe 3068 Gaara.exe 3068 Gaara.exe 3068 Gaara.exe 3068 Gaara.exe 3068 Gaara.exe 3068 Gaara.exe 3068 Gaara.exe 3068 Gaara.exe 3068 Gaara.exe 3068 Gaara.exe 3068 Gaara.exe 2216 NEAS.bd5b7228bfe118f0ec41b5b331117409.exe 2216 NEAS.bd5b7228bfe118f0ec41b5b331117409.exe 2216 NEAS.bd5b7228bfe118f0ec41b5b331117409.exe 2216 NEAS.bd5b7228bfe118f0ec41b5b331117409.exe 2216 NEAS.bd5b7228bfe118f0ec41b5b331117409.exe 2216 NEAS.bd5b7228bfe118f0ec41b5b331117409.exe 2216 NEAS.bd5b7228bfe118f0ec41b5b331117409.exe 2216 NEAS.bd5b7228bfe118f0ec41b5b331117409.exe 2216 NEAS.bd5b7228bfe118f0ec41b5b331117409.exe 2216 NEAS.bd5b7228bfe118f0ec41b5b331117409.exe 2216 NEAS.bd5b7228bfe118f0ec41b5b331117409.exe 2216 NEAS.bd5b7228bfe118f0ec41b5b331117409.exe 2896 smss.exe 2896 smss.exe 2896 smss.exe 2896 smss.exe 2896 smss.exe 2896 smss.exe 2896 smss.exe 2896 smss.exe 2896 smss.exe 2896 smss.exe 2896 smss.exe 2896 smss.exe 2828 csrss.exe 2828 csrss.exe 2828 csrss.exe 2828 csrss.exe -
Suspicious use of SetWindowsHookEx 31 IoCs
pid Process 2216 NEAS.bd5b7228bfe118f0ec41b5b331117409.exe 2896 smss.exe 2188 smss.exe 3068 Gaara.exe 112 smss.exe 2860 Gaara.exe 2828 csrss.exe 2120 smss.exe 1480 Gaara.exe 1612 csrss.exe 2040 Kazekage.exe 320 smss.exe 2452 Gaara.exe 1448 csrss.exe 676 Kazekage.exe 1616 Gaara.exe 560 Kazekage.exe 1676 csrss.exe 1780 system32.exe 1540 system32.exe 2308 csrss.exe 2100 Kazekage.exe 1108 system32.exe 1876 Kazekage.exe 2932 smss.exe 1600 system32.exe 1756 system32.exe 2768 Gaara.exe 2092 csrss.exe 2620 Kazekage.exe 796 system32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2216 wrote to memory of 2896 2216 NEAS.bd5b7228bfe118f0ec41b5b331117409.exe 29 PID 2216 wrote to memory of 2896 2216 NEAS.bd5b7228bfe118f0ec41b5b331117409.exe 29 PID 2216 wrote to memory of 2896 2216 NEAS.bd5b7228bfe118f0ec41b5b331117409.exe 29 PID 2216 wrote to memory of 2896 2216 NEAS.bd5b7228bfe118f0ec41b5b331117409.exe 29 PID 2896 wrote to memory of 2188 2896 smss.exe 30 PID 2896 wrote to memory of 2188 2896 smss.exe 30 PID 2896 wrote to memory of 2188 2896 smss.exe 30 PID 2896 wrote to memory of 2188 2896 smss.exe 30 PID 2896 wrote to memory of 3068 2896 smss.exe 31 PID 2896 wrote to memory of 3068 2896 smss.exe 31 PID 2896 wrote to memory of 3068 2896 smss.exe 31 PID 2896 wrote to memory of 3068 2896 smss.exe 31 PID 3068 wrote to memory of 112 3068 Gaara.exe 32 PID 3068 wrote to memory of 112 3068 Gaara.exe 32 PID 3068 wrote to memory of 112 3068 Gaara.exe 32 PID 3068 wrote to memory of 112 3068 Gaara.exe 32 PID 3068 wrote to memory of 2860 3068 Gaara.exe 33 PID 3068 wrote to memory of 2860 3068 Gaara.exe 33 PID 3068 wrote to memory of 2860 3068 Gaara.exe 33 PID 3068 wrote to memory of 2860 3068 Gaara.exe 33 PID 3068 wrote to memory of 2828 3068 Gaara.exe 34 PID 3068 wrote to memory of 2828 3068 Gaara.exe 34 PID 3068 wrote to memory of 2828 3068 Gaara.exe 34 PID 3068 wrote to memory of 2828 3068 Gaara.exe 34 PID 2828 wrote to memory of 2120 2828 csrss.exe 35 PID 2828 wrote to memory of 2120 2828 csrss.exe 35 PID 2828 wrote to memory of 2120 2828 csrss.exe 35 PID 2828 wrote to memory of 2120 2828 csrss.exe 35 PID 2828 wrote to memory of 1480 2828 csrss.exe 36 PID 2828 wrote to memory of 1480 2828 csrss.exe 36 PID 2828 wrote to memory of 1480 2828 csrss.exe 36 PID 2828 wrote to memory of 1480 2828 csrss.exe 36 PID 2828 wrote to memory of 1612 2828 csrss.exe 37 PID 2828 wrote to memory of 1612 2828 csrss.exe 37 PID 2828 wrote to memory of 1612 2828 csrss.exe 37 PID 2828 wrote to memory of 1612 2828 csrss.exe 37 PID 2828 wrote to memory of 2040 2828 csrss.exe 38 PID 2828 wrote to memory of 2040 2828 csrss.exe 38 PID 2828 wrote to memory of 2040 2828 csrss.exe 38 PID 2828 wrote to memory of 2040 2828 csrss.exe 38 PID 2040 wrote to memory of 320 2040 Kazekage.exe 39 PID 2040 wrote to memory of 320 2040 Kazekage.exe 39 PID 2040 wrote to memory of 320 2040 Kazekage.exe 39 PID 2040 wrote to memory of 320 2040 Kazekage.exe 39 PID 2040 wrote to memory of 2452 2040 Kazekage.exe 40 PID 2040 wrote to memory of 2452 2040 Kazekage.exe 40 PID 2040 wrote to memory of 2452 2040 Kazekage.exe 40 PID 2040 wrote to memory of 2452 2040 Kazekage.exe 40 PID 2040 wrote to memory of 1448 2040 Kazekage.exe 41 PID 2040 wrote to memory of 1448 2040 Kazekage.exe 41 PID 2040 wrote to memory of 1448 2040 Kazekage.exe 41 PID 2040 wrote to memory of 1448 2040 Kazekage.exe 41 PID 2040 wrote to memory of 676 2040 Kazekage.exe 42 PID 2040 wrote to memory of 676 2040 Kazekage.exe 42 PID 2040 wrote to memory of 676 2040 Kazekage.exe 42 PID 2040 wrote to memory of 676 2040 Kazekage.exe 42 PID 2216 wrote to memory of 1616 2216 NEAS.bd5b7228bfe118f0ec41b5b331117409.exe 43 PID 2216 wrote to memory of 1616 2216 NEAS.bd5b7228bfe118f0ec41b5b331117409.exe 43 PID 2216 wrote to memory of 1616 2216 NEAS.bd5b7228bfe118f0ec41b5b331117409.exe 43 PID 2216 wrote to memory of 1616 2216 NEAS.bd5b7228bfe118f0ec41b5b331117409.exe 43 PID 2896 wrote to memory of 1676 2896 smss.exe 44 PID 2896 wrote to memory of 1676 2896 smss.exe 44 PID 2896 wrote to memory of 1676 2896 smss.exe 44 PID 2896 wrote to memory of 1676 2896 smss.exe 44 -
System policy modification 1 TTPs 12 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" NEAS.bd5b7228bfe118f0ec41b5b331117409.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System NEAS.bd5b7228bfe118f0ec41b5b331117409.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.bd5b7228bfe118f0ec41b5b331117409.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.bd5b7228bfe118f0ec41b5b331117409.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2216 -
C:\Windows\Fonts\Admin 2 - 11 - 2023\smss.exe"C:\Windows\Fonts\Admin 2 - 11 - 2023\smss.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2896 -
C:\Windows\Fonts\Admin 2 - 11 - 2023\smss.exe"C:\Windows\Fonts\Admin 2 - 11 - 2023\smss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2188
-
-
C:\Windows\Fonts\Admin 2 - 11 - 2023\Gaara.exe"C:\Windows\Fonts\Admin 2 - 11 - 2023\Gaara.exe"3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3068 -
C:\Windows\Fonts\Admin 2 - 11 - 2023\smss.exe"C:\Windows\Fonts\Admin 2 - 11 - 2023\smss.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:112
-
-
C:\Windows\Fonts\Admin 2 - 11 - 2023\Gaara.exe"C:\Windows\Fonts\Admin 2 - 11 - 2023\Gaara.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2860
-
-
C:\Windows\Fonts\Admin 2 - 11 - 2023\csrss.exe"C:\Windows\Fonts\Admin 2 - 11 - 2023\csrss.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2828 -
C:\Windows\Fonts\Admin 2 - 11 - 2023\smss.exe"C:\Windows\Fonts\Admin 2 - 11 - 2023\smss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2120
-
-
C:\Windows\Fonts\Admin 2 - 11 - 2023\Gaara.exe"C:\Windows\Fonts\Admin 2 - 11 - 2023\Gaara.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1480
-
-
C:\Windows\Fonts\Admin 2 - 11 - 2023\csrss.exe"C:\Windows\Fonts\Admin 2 - 11 - 2023\csrss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1612
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2040 -
C:\Windows\Fonts\Admin 2 - 11 - 2023\smss.exe"C:\Windows\Fonts\Admin 2 - 11 - 2023\smss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:320
-
-
C:\Windows\Fonts\Admin 2 - 11 - 2023\Gaara.exe"C:\Windows\Fonts\Admin 2 - 11 - 2023\Gaara.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2452
-
-
C:\Windows\Fonts\Admin 2 - 11 - 2023\csrss.exe"C:\Windows\Fonts\Admin 2 - 11 - 2023\csrss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1448
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:676
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1540
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- Runs ping.exe
PID:1524
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- Runs ping.exe
PID:816
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- Runs ping.exe
PID:1612
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- Runs ping.exe
PID:2840
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- Runs ping.exe
PID:796
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- Runs ping.exe
PID:2720
-
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1780 -
C:\Windows\Fonts\Admin 2 - 11 - 2023\smss.exe"C:\Windows\Fonts\Admin 2 - 11 - 2023\smss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2932
-
-
C:\Windows\Fonts\Admin 2 - 11 - 2023\Gaara.exe"C:\Windows\Fonts\Admin 2 - 11 - 2023\Gaara.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2768
-
-
C:\Windows\Fonts\Admin 2 - 11 - 2023\csrss.exe"C:\Windows\Fonts\Admin 2 - 11 - 2023\csrss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2092
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2620
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:796
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- Runs ping.exe
PID:1904
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- Runs ping.exe
PID:1932
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- Runs ping.exe
PID:916
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- Runs ping.exe
PID:976
-
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- Runs ping.exe
PID:2344
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- Runs ping.exe
PID:1560
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- Runs ping.exe
PID:1932
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- Runs ping.exe
PID:2724
-
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:560
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1108
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- Runs ping.exe
PID:2444
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- Runs ping.exe
PID:2336
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- Runs ping.exe
PID:2012
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- Runs ping.exe
PID:2792
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- Runs ping.exe
PID:576
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- Runs ping.exe
PID:3000
-
-
-
C:\Windows\Fonts\Admin 2 - 11 - 2023\csrss.exe"C:\Windows\Fonts\Admin 2 - 11 - 2023\csrss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1676
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2100
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1600
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- Runs ping.exe
PID:1936
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- Runs ping.exe
PID:1680
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- Runs ping.exe
PID:1068
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- Runs ping.exe
PID:2284
-
-
-
C:\Windows\Fonts\Admin 2 - 11 - 2023\Gaara.exe"C:\Windows\Fonts\Admin 2 - 11 - 2023\Gaara.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1616
-
-
C:\Windows\Fonts\Admin 2 - 11 - 2023\csrss.exe"C:\Windows\Fonts\Admin 2 - 11 - 2023\csrss.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2308
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1876
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1756
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- Runs ping.exe
PID:2160
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- Runs ping.exe
PID:2072
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- Runs ping.exe
PID:2512
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- Runs ping.exe
PID:2540
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- Runs ping.exe
PID:1112
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- Runs ping.exe
PID:2080
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Disable or Modify Tools
1Modify Registry
9Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
736B
MD5bb5d6abdf8d0948ac6895ce7fdfbc151
SHA19266b7a247a4685892197194d2b9b86c8f6dddbd
SHA2565db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c
-
Filesize
196B
MD51564dfe69ffed40950e5cb644e0894d1
SHA1201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA51272df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097
-
Filesize
416KB
MD5784b75fb21fc7f23e5d7095b8abcab10
SHA1e10dcd1fe571ea48e63a1cb9c8349b3eb2f877eb
SHA256b5e26cbf8a4321c3113e04738a7df7dddebeb9fc9dacad32a9561fe50a59839e
SHA512b649552c9c9e00e6612508d98e7514ecc83cc2fece659184b4f97d15064108d85f534cfcd348ba71def40afdc6abc46e59ae4b52ef825077a12a002daacbef01
-
Filesize
416KB
MD5784b75fb21fc7f23e5d7095b8abcab10
SHA1e10dcd1fe571ea48e63a1cb9c8349b3eb2f877eb
SHA256b5e26cbf8a4321c3113e04738a7df7dddebeb9fc9dacad32a9561fe50a59839e
SHA512b649552c9c9e00e6612508d98e7514ecc83cc2fece659184b4f97d15064108d85f534cfcd348ba71def40afdc6abc46e59ae4b52ef825077a12a002daacbef01
-
Filesize
416KB
MD5784b75fb21fc7f23e5d7095b8abcab10
SHA1e10dcd1fe571ea48e63a1cb9c8349b3eb2f877eb
SHA256b5e26cbf8a4321c3113e04738a7df7dddebeb9fc9dacad32a9561fe50a59839e
SHA512b649552c9c9e00e6612508d98e7514ecc83cc2fece659184b4f97d15064108d85f534cfcd348ba71def40afdc6abc46e59ae4b52ef825077a12a002daacbef01
-
Filesize
416KB
MD5784b75fb21fc7f23e5d7095b8abcab10
SHA1e10dcd1fe571ea48e63a1cb9c8349b3eb2f877eb
SHA256b5e26cbf8a4321c3113e04738a7df7dddebeb9fc9dacad32a9561fe50a59839e
SHA512b649552c9c9e00e6612508d98e7514ecc83cc2fece659184b4f97d15064108d85f534cfcd348ba71def40afdc6abc46e59ae4b52ef825077a12a002daacbef01
-
Filesize
416KB
MD5784b75fb21fc7f23e5d7095b8abcab10
SHA1e10dcd1fe571ea48e63a1cb9c8349b3eb2f877eb
SHA256b5e26cbf8a4321c3113e04738a7df7dddebeb9fc9dacad32a9561fe50a59839e
SHA512b649552c9c9e00e6612508d98e7514ecc83cc2fece659184b4f97d15064108d85f534cfcd348ba71def40afdc6abc46e59ae4b52ef825077a12a002daacbef01
-
Filesize
416KB
MD5784b75fb21fc7f23e5d7095b8abcab10
SHA1e10dcd1fe571ea48e63a1cb9c8349b3eb2f877eb
SHA256b5e26cbf8a4321c3113e04738a7df7dddebeb9fc9dacad32a9561fe50a59839e
SHA512b649552c9c9e00e6612508d98e7514ecc83cc2fece659184b4f97d15064108d85f534cfcd348ba71def40afdc6abc46e59ae4b52ef825077a12a002daacbef01
-
Filesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize
416KB
MD56340a6599d5c7df27fc4f60ab685e58a
SHA16e14fbdaf35e3e931802a64b60021c15d506448f
SHA2566d706a6378d16cceb368fd21f41f3bbc2d4c0e20da211ad28ede5bd534af9f5d
SHA512d139ebf398d9444afd11a43d1167bf009dbba714ed4dce691dd12d53ad8aaa74c2c93a66721683ecd5297827c8d17b8d554ca7aba74bbfde065ee16d6907cbba
-
Filesize
416KB
MD56340a6599d5c7df27fc4f60ab685e58a
SHA16e14fbdaf35e3e931802a64b60021c15d506448f
SHA2566d706a6378d16cceb368fd21f41f3bbc2d4c0e20da211ad28ede5bd534af9f5d
SHA512d139ebf398d9444afd11a43d1167bf009dbba714ed4dce691dd12d53ad8aaa74c2c93a66721683ecd5297827c8d17b8d554ca7aba74bbfde065ee16d6907cbba
-
Filesize
416KB
MD56340a6599d5c7df27fc4f60ab685e58a
SHA16e14fbdaf35e3e931802a64b60021c15d506448f
SHA2566d706a6378d16cceb368fd21f41f3bbc2d4c0e20da211ad28ede5bd534af9f5d
SHA512d139ebf398d9444afd11a43d1167bf009dbba714ed4dce691dd12d53ad8aaa74c2c93a66721683ecd5297827c8d17b8d554ca7aba74bbfde065ee16d6907cbba
-
Filesize
416KB
MD56340a6599d5c7df27fc4f60ab685e58a
SHA16e14fbdaf35e3e931802a64b60021c15d506448f
SHA2566d706a6378d16cceb368fd21f41f3bbc2d4c0e20da211ad28ede5bd534af9f5d
SHA512d139ebf398d9444afd11a43d1167bf009dbba714ed4dce691dd12d53ad8aaa74c2c93a66721683ecd5297827c8d17b8d554ca7aba74bbfde065ee16d6907cbba
-
Filesize
416KB
MD56afe30eb8363bd741a4663fb1c062eac
SHA1eea81c912615e7440871e5fb8b479131ff4929e8
SHA256ef2688f3b8db0bae8ac71a930e8839b482c74874b428aacaf528b73e616ab58d
SHA51200f32fb3987d362b3ae60e42cc16d9d339bb872ab8b4051d6c723392f982f8b5d8f20475dd2f21c300e7aa262c1e3794b6f427f9281f1c6fbfc6c2dd3f48d633
-
Filesize
416KB
MD565e35438f876364dec46febcc586819c
SHA1e363856cf02a97ab035f710d46685dc08223f014
SHA256ed1db20d757cd11afbe61cf66dd28f3c2d43fddee2d0729b581fbe1c34c2284e
SHA512c84001a1b4fec1f9fa26f7389db42d89028f558733c1e62c964d80a5b9cfec5c3258290846223708b27f26c94b04b7cb5972eefa5ddc8b2b2c3ab43c74f3b3b6
-
Filesize
416KB
MD565e35438f876364dec46febcc586819c
SHA1e363856cf02a97ab035f710d46685dc08223f014
SHA256ed1db20d757cd11afbe61cf66dd28f3c2d43fddee2d0729b581fbe1c34c2284e
SHA512c84001a1b4fec1f9fa26f7389db42d89028f558733c1e62c964d80a5b9cfec5c3258290846223708b27f26c94b04b7cb5972eefa5ddc8b2b2c3ab43c74f3b3b6
-
Filesize
416KB
MD565e35438f876364dec46febcc586819c
SHA1e363856cf02a97ab035f710d46685dc08223f014
SHA256ed1db20d757cd11afbe61cf66dd28f3c2d43fddee2d0729b581fbe1c34c2284e
SHA512c84001a1b4fec1f9fa26f7389db42d89028f558733c1e62c964d80a5b9cfec5c3258290846223708b27f26c94b04b7cb5972eefa5ddc8b2b2c3ab43c74f3b3b6
-
Filesize
416KB
MD565e35438f876364dec46febcc586819c
SHA1e363856cf02a97ab035f710d46685dc08223f014
SHA256ed1db20d757cd11afbe61cf66dd28f3c2d43fddee2d0729b581fbe1c34c2284e
SHA512c84001a1b4fec1f9fa26f7389db42d89028f558733c1e62c964d80a5b9cfec5c3258290846223708b27f26c94b04b7cb5972eefa5ddc8b2b2c3ab43c74f3b3b6
-
Filesize
416KB
MD565e35438f876364dec46febcc586819c
SHA1e363856cf02a97ab035f710d46685dc08223f014
SHA256ed1db20d757cd11afbe61cf66dd28f3c2d43fddee2d0729b581fbe1c34c2284e
SHA512c84001a1b4fec1f9fa26f7389db42d89028f558733c1e62c964d80a5b9cfec5c3258290846223708b27f26c94b04b7cb5972eefa5ddc8b2b2c3ab43c74f3b3b6
-
Filesize
416KB
MD565e35438f876364dec46febcc586819c
SHA1e363856cf02a97ab035f710d46685dc08223f014
SHA256ed1db20d757cd11afbe61cf66dd28f3c2d43fddee2d0729b581fbe1c34c2284e
SHA512c84001a1b4fec1f9fa26f7389db42d89028f558733c1e62c964d80a5b9cfec5c3258290846223708b27f26c94b04b7cb5972eefa5ddc8b2b2c3ab43c74f3b3b6
-
Filesize
416KB
MD565e35438f876364dec46febcc586819c
SHA1e363856cf02a97ab035f710d46685dc08223f014
SHA256ed1db20d757cd11afbe61cf66dd28f3c2d43fddee2d0729b581fbe1c34c2284e
SHA512c84001a1b4fec1f9fa26f7389db42d89028f558733c1e62c964d80a5b9cfec5c3258290846223708b27f26c94b04b7cb5972eefa5ddc8b2b2c3ab43c74f3b3b6
-
Filesize
64KB
MD539f79bb9bde0ce5a8e10f200d947be82
SHA1ca9c386f064ca1ed15b1dd68c51f0ecfd6342e6d
SHA2562f1e8342eb4b9a7a44c95bb730fafd4edafb36eeb8b81a2201ef509ab5d0ee2b
SHA512d69b3f8a4f11ad9c5ddcb5633195cccc5c9f303531e0ec97ca7c78b47bf2413e00b2f4e72f49b9265e828d4d5d3582573b169876148b5af72f6cfd6783e3e7f8
-
Filesize
1.4MB
MD5d6b05020d4a0ec2a3a8b687099e335df
SHA1df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA2569824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA51278fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff
-
Filesize
1.4MB
MD5d6b05020d4a0ec2a3a8b687099e335df
SHA1df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA2569824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA51278fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff
-
Filesize
416KB
MD526053ca2a6fc5b5dc233c5f4165794be
SHA128741659f82cbbb3a6957c860dd7e68a698b18f3
SHA256e27ea28b531f66a8b9292926c92d4f2178c0fe935956c03f6369cfdc90825af2
SHA512f6cce8083df5d39a3d09740958044ac501fd676701192396d047aae39e4963f8b363e4cd8179725bf7c7126f38d76f3e3b148e5a01ce39b1e242ec26fa4be00e
-
Filesize
416KB
MD56340a6599d5c7df27fc4f60ab685e58a
SHA16e14fbdaf35e3e931802a64b60021c15d506448f
SHA2566d706a6378d16cceb368fd21f41f3bbc2d4c0e20da211ad28ede5bd534af9f5d
SHA512d139ebf398d9444afd11a43d1167bf009dbba714ed4dce691dd12d53ad8aaa74c2c93a66721683ecd5297827c8d17b8d554ca7aba74bbfde065ee16d6907cbba
-
Filesize
416KB
MD564df8394413df3116f1ac22571c70ff7
SHA18213f84777ec95372e174596155c20be457ffef5
SHA256c3b1968cf7d7aeeb3abd06aaf3df284948e2d57cf86c24a1d952fb1e095d70c4
SHA512375f3dc72890c17b123e227ea0b17f3b341b1d24c8373054d7e48dd8645a51cab20e3651bb7191bfa6b9da2e0fe3c14e783d538867b3996e6b3e3fef825b7aa5
-
Filesize
416KB
MD531cc9b9aefa20d0c1992a82b8096405d
SHA16d489c77b45b512fc96ac50d3b6696dfaed1b410
SHA256e56c1439cee04851c5eae78a1b66c7f19c1334bea07151c1117b0928136515ed
SHA51263a85ede0fc98d9a319f2b93dc7094e74cbea14d9c205efca471b369fab5bf8aa57eca2b0abc366cc1d43e242155ff015e61357755be197e841ff04bed1ca7c6
-
Filesize
65B
MD564acfa7e03b01f48294cf30d201a0026
SHA110facd995b38a095f30b4a800fa454c0bcbf8438
SHA256ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA51265a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a
-
Filesize
416KB
MD5e7f12115938fb933e8643ab7aa079a5d
SHA16e3972d8360a08dc781b54febd5aa3d790101056
SHA2564d6db15b1df831ba417e63ba2c2436e5d8a3d2d6ef116b54c698cdbd4af1eb93
SHA51295d3db2585431e73c12576362b20e472c3db20ee5075b6b5999f09f0c5ba881434ccf8d06db40094707a0402ebd7caefe76c4bca7bc4d6d7f05d947a57ecdd2c
-
Filesize
416KB
MD56340a6599d5c7df27fc4f60ab685e58a
SHA16e14fbdaf35e3e931802a64b60021c15d506448f
SHA2566d706a6378d16cceb368fd21f41f3bbc2d4c0e20da211ad28ede5bd534af9f5d
SHA512d139ebf398d9444afd11a43d1167bf009dbba714ed4dce691dd12d53ad8aaa74c2c93a66721683ecd5297827c8d17b8d554ca7aba74bbfde065ee16d6907cbba
-
Filesize
416KB
MD564df8394413df3116f1ac22571c70ff7
SHA18213f84777ec95372e174596155c20be457ffef5
SHA256c3b1968cf7d7aeeb3abd06aaf3df284948e2d57cf86c24a1d952fb1e095d70c4
SHA512375f3dc72890c17b123e227ea0b17f3b341b1d24c8373054d7e48dd8645a51cab20e3651bb7191bfa6b9da2e0fe3c14e783d538867b3996e6b3e3fef825b7aa5
-
Filesize
416KB
MD564df8394413df3116f1ac22571c70ff7
SHA18213f84777ec95372e174596155c20be457ffef5
SHA256c3b1968cf7d7aeeb3abd06aaf3df284948e2d57cf86c24a1d952fb1e095d70c4
SHA512375f3dc72890c17b123e227ea0b17f3b341b1d24c8373054d7e48dd8645a51cab20e3651bb7191bfa6b9da2e0fe3c14e783d538867b3996e6b3e3fef825b7aa5
-
Filesize
416KB
MD564df8394413df3116f1ac22571c70ff7
SHA18213f84777ec95372e174596155c20be457ffef5
SHA256c3b1968cf7d7aeeb3abd06aaf3df284948e2d57cf86c24a1d952fb1e095d70c4
SHA512375f3dc72890c17b123e227ea0b17f3b341b1d24c8373054d7e48dd8645a51cab20e3651bb7191bfa6b9da2e0fe3c14e783d538867b3996e6b3e3fef825b7aa5
-
Filesize
416KB
MD5ac005f22b5d7416e034acdd3c4b1ed30
SHA1736f0e265ef2a4657568d5d46a680652ec145443
SHA2560dc464d5e0b24c087663f6f07ab00aeb7bcb629dc6d3ca7bea706af699b5448a
SHA5126c26d5d8ab037eaaceedb9b9820b53a71ea67151430582b69d0a51bce2671498e15b35df61121716e1859e12bd06b33432942f0acf224e4447fabb2178e7bb45
-
Filesize
416KB
MD554e202f4272c853039261678e80dd298
SHA195331d847c317ceec334a0d4094a904e892659a0
SHA25682bdc9f5ccb3404a3f32179284afa980b7166e1abd767a4407abbb3945641abf
SHA51218e4e04d5e6ce4f488117e4446a4e750b22f613ea44709332842183fc117207a51cd060cbe0e02f57860f3ef2baa2e53dcffbbe8570ac0f7317947c9b8749ce9
-
Filesize
416KB
MD56340a6599d5c7df27fc4f60ab685e58a
SHA16e14fbdaf35e3e931802a64b60021c15d506448f
SHA2566d706a6378d16cceb368fd21f41f3bbc2d4c0e20da211ad28ede5bd534af9f5d
SHA512d139ebf398d9444afd11a43d1167bf009dbba714ed4dce691dd12d53ad8aaa74c2c93a66721683ecd5297827c8d17b8d554ca7aba74bbfde065ee16d6907cbba
-
Filesize
416KB
MD5e5acf9e1ce4bc2db6afd842f3429cd38
SHA19852d93ba03ec2a9734d79c0f28ceb5f864f57f3
SHA256cb2920bb6b937a84db36bb90a1ef8eb0ea96d7d71cb2f8e306074832b7062469
SHA5125a8fce1c350ea2b1c419e9a19603c7f8d2dd0d2d0dbef07128d4aebbc91740acdb0df2382c86ba1a287a6537705f395ade7cc8c691f9d43ff2af752a16fcb837
-
Filesize
416KB
MD5425f683bddf0c335106d1e6d1889e03b
SHA1508a4a0da3b97e5ce0755c4dafd8e03c55bcf336
SHA2561775da95285954b7041a6f323f29c2001971deddaac7fa17868bd1aa94de95f9
SHA512ce657381a8f861712c5b5c551a6c37d7baca6703385620a57ec55cb31844db99f7dd03a95eb71780c40fab753abccd4423f947df8915e8bbc9f1c69093c0f2f8
-
Filesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize
416KB
MD5e5acf9e1ce4bc2db6afd842f3429cd38
SHA19852d93ba03ec2a9734d79c0f28ceb5f864f57f3
SHA256cb2920bb6b937a84db36bb90a1ef8eb0ea96d7d71cb2f8e306074832b7062469
SHA5125a8fce1c350ea2b1c419e9a19603c7f8d2dd0d2d0dbef07128d4aebbc91740acdb0df2382c86ba1a287a6537705f395ade7cc8c691f9d43ff2af752a16fcb837
-
Filesize
416KB
MD5bd5b7228bfe118f0ec41b5b331117409
SHA115e26f2a23d770c38ef50b7206f61655680d0d54
SHA2560a2de45f865d4d1f2bfea3230f16169cd0e9ab52adf08ea30d6636d472864fcc
SHA512f284329accc462b881178d33ee391c3b84604068c82a6b74a8c952abb3058d9fbcf90c518bacee644224777fe1413f351a470af654f28ac833dc228f64bca7f7
-
Filesize
416KB
MD5784b75fb21fc7f23e5d7095b8abcab10
SHA1e10dcd1fe571ea48e63a1cb9c8349b3eb2f877eb
SHA256b5e26cbf8a4321c3113e04738a7df7dddebeb9fc9dacad32a9561fe50a59839e
SHA512b649552c9c9e00e6612508d98e7514ecc83cc2fece659184b4f97d15064108d85f534cfcd348ba71def40afdc6abc46e59ae4b52ef825077a12a002daacbef01
-
Filesize
416KB
MD5784b75fb21fc7f23e5d7095b8abcab10
SHA1e10dcd1fe571ea48e63a1cb9c8349b3eb2f877eb
SHA256b5e26cbf8a4321c3113e04738a7df7dddebeb9fc9dacad32a9561fe50a59839e
SHA512b649552c9c9e00e6612508d98e7514ecc83cc2fece659184b4f97d15064108d85f534cfcd348ba71def40afdc6abc46e59ae4b52ef825077a12a002daacbef01
-
Filesize
416KB
MD5784b75fb21fc7f23e5d7095b8abcab10
SHA1e10dcd1fe571ea48e63a1cb9c8349b3eb2f877eb
SHA256b5e26cbf8a4321c3113e04738a7df7dddebeb9fc9dacad32a9561fe50a59839e
SHA512b649552c9c9e00e6612508d98e7514ecc83cc2fece659184b4f97d15064108d85f534cfcd348ba71def40afdc6abc46e59ae4b52ef825077a12a002daacbef01
-
Filesize
416KB
MD56340a6599d5c7df27fc4f60ab685e58a
SHA16e14fbdaf35e3e931802a64b60021c15d506448f
SHA2566d706a6378d16cceb368fd21f41f3bbc2d4c0e20da211ad28ede5bd534af9f5d
SHA512d139ebf398d9444afd11a43d1167bf009dbba714ed4dce691dd12d53ad8aaa74c2c93a66721683ecd5297827c8d17b8d554ca7aba74bbfde065ee16d6907cbba
-
Filesize
416KB
MD56340a6599d5c7df27fc4f60ab685e58a
SHA16e14fbdaf35e3e931802a64b60021c15d506448f
SHA2566d706a6378d16cceb368fd21f41f3bbc2d4c0e20da211ad28ede5bd534af9f5d
SHA512d139ebf398d9444afd11a43d1167bf009dbba714ed4dce691dd12d53ad8aaa74c2c93a66721683ecd5297827c8d17b8d554ca7aba74bbfde065ee16d6907cbba
-
Filesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize
416KB
MD565e35438f876364dec46febcc586819c
SHA1e363856cf02a97ab035f710d46685dc08223f014
SHA256ed1db20d757cd11afbe61cf66dd28f3c2d43fddee2d0729b581fbe1c34c2284e
SHA512c84001a1b4fec1f9fa26f7389db42d89028f558733c1e62c964d80a5b9cfec5c3258290846223708b27f26c94b04b7cb5972eefa5ddc8b2b2c3ab43c74f3b3b6
-
Filesize
416KB
MD565e35438f876364dec46febcc586819c
SHA1e363856cf02a97ab035f710d46685dc08223f014
SHA256ed1db20d757cd11afbe61cf66dd28f3c2d43fddee2d0729b581fbe1c34c2284e
SHA512c84001a1b4fec1f9fa26f7389db42d89028f558733c1e62c964d80a5b9cfec5c3258290846223708b27f26c94b04b7cb5972eefa5ddc8b2b2c3ab43c74f3b3b6
-
Filesize
416KB
MD565e35438f876364dec46febcc586819c
SHA1e363856cf02a97ab035f710d46685dc08223f014
SHA256ed1db20d757cd11afbe61cf66dd28f3c2d43fddee2d0729b581fbe1c34c2284e
SHA512c84001a1b4fec1f9fa26f7389db42d89028f558733c1e62c964d80a5b9cfec5c3258290846223708b27f26c94b04b7cb5972eefa5ddc8b2b2c3ab43c74f3b3b6
-
Filesize
416KB
MD565e35438f876364dec46febcc586819c
SHA1e363856cf02a97ab035f710d46685dc08223f014
SHA256ed1db20d757cd11afbe61cf66dd28f3c2d43fddee2d0729b581fbe1c34c2284e
SHA512c84001a1b4fec1f9fa26f7389db42d89028f558733c1e62c964d80a5b9cfec5c3258290846223708b27f26c94b04b7cb5972eefa5ddc8b2b2c3ab43c74f3b3b6
-
Filesize
416KB
MD565e35438f876364dec46febcc586819c
SHA1e363856cf02a97ab035f710d46685dc08223f014
SHA256ed1db20d757cd11afbe61cf66dd28f3c2d43fddee2d0729b581fbe1c34c2284e
SHA512c84001a1b4fec1f9fa26f7389db42d89028f558733c1e62c964d80a5b9cfec5c3258290846223708b27f26c94b04b7cb5972eefa5ddc8b2b2c3ab43c74f3b3b6
-
Filesize
416KB
MD565e35438f876364dec46febcc586819c
SHA1e363856cf02a97ab035f710d46685dc08223f014
SHA256ed1db20d757cd11afbe61cf66dd28f3c2d43fddee2d0729b581fbe1c34c2284e
SHA512c84001a1b4fec1f9fa26f7389db42d89028f558733c1e62c964d80a5b9cfec5c3258290846223708b27f26c94b04b7cb5972eefa5ddc8b2b2c3ab43c74f3b3b6
-
Filesize
416KB
MD564df8394413df3116f1ac22571c70ff7
SHA18213f84777ec95372e174596155c20be457ffef5
SHA256c3b1968cf7d7aeeb3abd06aaf3df284948e2d57cf86c24a1d952fb1e095d70c4
SHA512375f3dc72890c17b123e227ea0b17f3b341b1d24c8373054d7e48dd8645a51cab20e3651bb7191bfa6b9da2e0fe3c14e783d538867b3996e6b3e3fef825b7aa5
-
Filesize
416KB
MD564df8394413df3116f1ac22571c70ff7
SHA18213f84777ec95372e174596155c20be457ffef5
SHA256c3b1968cf7d7aeeb3abd06aaf3df284948e2d57cf86c24a1d952fb1e095d70c4
SHA512375f3dc72890c17b123e227ea0b17f3b341b1d24c8373054d7e48dd8645a51cab20e3651bb7191bfa6b9da2e0fe3c14e783d538867b3996e6b3e3fef825b7aa5
