Analysis

max time kernel: 115s
max time network: 169s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-11-2023 17:04
Behavioral task behavioral1
Sample: NEAS.bd5b7228bfe118f0ec41b5b331117409.exe
Resource: win7-20231025-en

Behavioral task behavioral2
Sample: NEAS.bd5b7228bfe118f0ec41b5b331117409.exe
Resource: win10v2004-20231023-en
General

Target: NEAS.bd5b7228bfe118f0ec41b5b331117409.exe
Size: 416KB
MD5: bd5b7228bfe118f0ec41b5b331117409
SHA1: 15e26f2a23d770c38ef50b7206f61655680d0d54
SHA256: 0a2de45f865d4d1f2bfea3230f16169cd0e9ab52adf08ea30d6636d472864fcc
SHA512: f284329accc462b881178d33ee391c3b84604068c82a6b74a8c952abb3058d9fbcf90c518bacee644224777fe1413f351a470af654f28ac833dc228f64bca7f7
SSDEEP: 3072:JNx6AHjYzaFXg+w17jsgS/jHagQg19Vw+HkaxubesmJoZmGr11:JNxzYzaFXi17jkw+Efmm11
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 12 IoCs
Key: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon
description | ioc | Process
Set value (str) | Shell = "Explorer.exe, drivers\\csrss.exe" | csrss.exe, system32.exe, Kazekage.exe, Gaara.exe, smss.exe, NEAS.bd5b7228bfe118f0ec41b5b331117409.exe
Set value (str) | Userinit = "userinit.exe,drivers\\system32.exe" | csrss.exe, smss.exe, NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, Kazekage.exe, system32.exe, Gaara.exe

Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
Key: \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
description | ioc | Process
Set value (int) | HideFileExt = "1" | Kazekage.exe, csrss.exe, smss.exe, NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, system32.exe, Gaara.exe

Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
Key: \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
description | ioc | Process
Set value (int) | ShowSuperHidden = "0" | NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, system32.exe, Gaara.exe, Kazekage.exe, csrss.exe, smss.exe

Modifies UAC policy (EnableLUA = 0) 6 IoCs
Key: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
description | ioc | Process
Set value (int) | EnableLUA = "0" | Kazekage.exe, csrss.exe, smss.exe, NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, system32.exe, Gaara.exe

Disables RegEdit via registry modification 6 IoCs
Key: \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
description | ioc | Process
Set value (int) | DisableRegistryTools = "1" | Gaara.exe, Kazekage.exe, csrss.exe, smss.exe, NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, system32.exe

Disables use of System Restore points 1 TTPs

Drops file in Drivers directory 21 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\drivers\system32.exe | NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, system32.exe, Gaara.exe, smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, Gaara.exe, smss.exe, Kazekage.exe, system32.exe, csrss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe, smss.exe, Gaara.exe, NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, system32.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe, Gaara.exe, Kazekage.exe, NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, csrss.exe, system32.exe

Sets file execution options in registry 2 TTPs 64 IoCs
Key prefix (written IFEO below): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
description | ioc | Process
Key created | IFEO\regedit.exe | Gaara.exe, smss.exe
Set value (str) | IFEO\regedit.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe, Gaara.exe
Key created | IFEO\regedt32.exe | Gaara.exe
Set value (str) | IFEO\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Key created | IFEO\taskmgr.exe | csrss.exe
Set value (str) | IFEO\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe, system32.exe
Key created | IFEO\msconfig.exe | Kazekage.exe, system32.exe
Set value (str) | IFEO\msconfig.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Key created | IFEO\mmc.exe | system32.exe
Set value (str) | IFEO\mmc.exe\Debugger = "drivers\\Kazekage.exe" | NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, smss.exe, csrss.exe
Set value (str) | IFEO\rstrui.exe\Debugger = "drivers\\Kazekage.exe" | NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, system32.exe
Key created | IFEO\wscript.exe | system32.exe, Kazekage.exe
Set value (str) | IFEO\wscript.exe\Debugger = "drivers\\Kazekage.exe" | NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, Gaara.exe, smss.exe
Key created | IFEO\cscript.exe | system32.exe
Set value (str) | IFEO\cscript.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe, NEAS.bd5b7228bfe118f0ec41b5b331117409.exe
Set value (str) | IFEO\procexp.exe\Debugger = "cmd.exe /c del" | system32.exe, Kazekage.exe, csrss.exe
Key created | IFEO\kspool.exe | NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, Gaara.exe
Set value (str) | IFEO\kspool.exe\Debugger = "cmd.exe /c del" | system32.exe, smss.exe
Key created | IFEO\kspoold.exe | smss.exe, NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, csrss.exe
Set value (str) | IFEO\kspoold.exe\Debugger = "cmd.exe /c del" | csrss.exe, smss.exe, Gaara.exe
Key created | IFEO\Funny UST Scandal.avi.exe | smss.exe
Set value (str) | IFEO\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | Kazekage.exe, NEAS.bd5b7228bfe118f0ec41b5b331117409.exe
Key created | IFEO\Funny UST Scandal.exe | Kazekage.exe
Set value (str) | IFEO\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Key created | IFEO\Rin.exe | Kazekage.exe, smss.exe
Set value (str) | IFEO\Rin.exe\Debugger = "cmd.exe /c del" | csrss.exe
Key created | IFEO\KakashiHatake.exe | Gaara.exe
Set value (str) | IFEO\KakashiHatake.exe\Debugger = "cmd.exe /c del" | csrss.exe, NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, smss.exe
Key created | IFEO\HOKAGE4.exe | system32.exe, NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, csrss.exe
Set value (str) | IFEO\HOKAGE4.exe\Debugger = "cmd.exe /c del" | NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, Kazekage.exe
Set value (str) | IFEO\HokageFile.exe\Debugger = "cmd.exe /c del" | Kazekage.exe, system32.exe
Key created | IFEO\Obito.exe | system32.exe
Set value (str) | IFEO\Obito.exe\Debugger = "cmd.exe /c del" | csrss.exe, system32.exe
Key created | IFEO\Thumbs.com | NEAS.bd5b7228bfe118f0ec41b5b331117409.exe
Set value (str) | IFEO\Thumbs.com\Debugger = "cmd.exe /c del" | smss.exe, csrss.exe

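The table above is only meaningful once you know what Windows does with a Debugger value: when an image that has an IFEO\<name>\Debugger entry is started, CreateProcess launches the Debugger string instead and appends the original command line to it. The Python below is an added example (not part of the Triage report and not the sample's code) that applies that rule to the entries above, separates the two patterns the sample uses (cmd.exe /c del, which deletes the launched file, and drivers\Kazekage.exe, which substitutes the dropped payload), and emits reg.exe commands that remove the values. The entry list is constructed from the table (one entry per distinct image/value pair); IFEO_KEY and the category names are this example's own.

```python
"""Interpret Image File Execution Options (IFEO) Debugger hijacks.

Added example built from the report's IFEO table; not the sample's code and not
part of the Triage report. Windows honours IFEO\<image>\Debugger at process
creation: the Debugger string is started in place of <image>, with the original
command line appended to it.
"""
import ntpath
from typing import Dict, List, NamedTuple

# Native key path. IFEO is shared between the 32- and 64-bit registry views, which
# is why the report shows it without a WOW6432Node component.
IFEO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"


class IfeoEntry(NamedTuple):
    image: str     # subkey name: the executable file name being intercepted
    debugger: str  # Debugger value as written by the sample


# Constructed from the report: one entry per distinct image/value pair.
REPORT_ENTRIES: List[IfeoEntry] = [
    IfeoEntry("regedit.exe", r"drivers\Kazekage.exe"),
    IfeoEntry("regedt32.exe", r"drivers\Kazekage.exe"),
    IfeoEntry("taskmgr.exe", r"drivers\Kazekage.exe"),
    IfeoEntry("msconfig.exe", r"drivers\Kazekage.exe"),
    IfeoEntry("mmc.exe", r"drivers\Kazekage.exe"),
    IfeoEntry("rstrui.exe", r"drivers\Kazekage.exe"),
    IfeoEntry("wscript.exe", r"drivers\Kazekage.exe"),
    IfeoEntry("cscript.exe", r"drivers\Kazekage.exe"),
    IfeoEntry("procexp.exe", "cmd.exe /c del"),
    IfeoEntry("kspool.exe", "cmd.exe /c del"),
    IfeoEntry("kspoold.exe", "cmd.exe /c del"),
    IfeoEntry("Funny UST Scandal.avi.exe", "cmd.exe /c del"),
    IfeoEntry("Funny UST Scandal.exe", "cmd.exe /c del"),
    IfeoEntry("Rin.exe", "cmd.exe /c del"),
    IfeoEntry("KakashiHatake.exe", "cmd.exe /c del"),
    IfeoEntry("HOKAGE4.exe", "cmd.exe /c del"),
    IfeoEntry("HokageFile.exe", "cmd.exe /c del"),
    IfeoEntry("Obito.exe", "cmd.exe /c del"),
    IfeoEntry("Thumbs.com", "cmd.exe /c del"),
]


def effective_command(entry: IfeoEntry, original_cmdline: str) -> str:
    """Command line CreateProcess really runs when original_cmdline names entry.image."""
    return f"{entry.debugger} {original_cmdline}"


def classify(entry: IfeoEntry) -> str:
    """delete-on-launch: cmd.exe deletes the target file instead of starting it.
    redirect-to-relative-path: another program (here the dropped Kazekage.exe) runs
    in its place; a relative Debugger path is resolved by CreateProcess search
    rules, not against the target's directory.  redirect: same, absolute path."""
    dbg = entry.debugger.strip()
    if dbg.lower().startswith("cmd.exe /c del"):
        return "delete-on-launch"
    return "redirect" if ntpath.splitdrive(dbg)[0] else "redirect-to-relative-path"


def summarize(entries: List[IfeoEntry]) -> Dict[str, List[str]]:
    """Intercepted image names grouped by what the hijack does to them."""
    groups: Dict[str, List[str]] = {}
    for entry in entries:
        groups.setdefault(classify(entry), []).append(entry.image)
    return {kind: sorted(images, key=str.lower) for kind, images in groups.items()}


def cleanup_commands(entries: List[IfeoEntry]) -> List[str]:
    """reg.exe commands removing the Debugger value for each intercepted image.
    Deleting the value rather than the subkey keeps any legitimate IFEO settings."""
    seen: List[str] = []
    for entry in entries:
        if entry.image not in seen:
            seen.append(entry.image)
    return [f'reg delete "{IFEO_KEY}\\{image}" /v Debugger /f' for image in seen]


if __name__ == "__main__":
    print(effective_command(REPORT_ENTRIES[8], r'"C:\Tools\procexp.exe"'))
    for kind, images in summarize(REPORT_ENTRIES).items():
        print(f"{kind}: {', '.join(images)}")
    print("\n".join(cleanup_commands(REPORT_ENTRIES)))
```

On a live host, `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s /v Debugger` lists every Debugger value in one pass. Note that the key path in the report has no WOW6432Node component even though the sample ran under WOW64 (its drops went to SysWOW64); that is consistent with IFEO being one of the keys shared between the two registry views, so a single query covers both and the same entries apply to 64-bit tools such as taskmgr.exe and regedit.exe.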
Executes dropped EXE 30 IoCs
pid | Process
2116, 3820, 2784, 2676, 1796, 4932 | smss.exe
1756, 2776, 2988, 4716, 416, 4496 | Gaara.exe
1036, 4612, 3804, 4608, 1952, 2732 | csrss.exe
1440, 1284, 1280, 1228, 3068, 2884 | Kazekage.exe
4240, 1004, 3700, 2964, 636, 2980 | system32.exe

Loads dropped DLL 18 IoCs
pid | Process
2116, 3820, 2784, 2676, 1796, 4932 | smss.exe
1756, 2776, 2988, 4716, 416, 4496 | Gaara.exe
1036, 4612, 3804, 4608, 1952, 2732 | csrss.exe

Matches yara rule upx (UPX-packed file and memory regions)
resource | yara_rule
behavioral2/memory/<pid>-<n>-0x0000000000400000-0x000000000043B000-memory.dmp for <pid>-<n> in: 1152-0, 1152-1, 2116-33, 1756-75, 2776-112, 1036-117, 2116-153, 4612-155, 3820-160, 1440-161, 1756-188, 2784-193, 2776-198, 1284-200, 1036-204, 4240-205, 2676-225, 4932-228, 2988-230, 4612-231, 1440-236, 1284-238, 2784-242 | upx
behavioral2/files/0x0007000000022cd5-<n>.dat for <n> in: 32, 34, 69, 106, 144, 183 | upx
behavioral2/files/0x0007000000022cd6-<n>.dat for <n> in: 42, 74, 76, 110, 148, 187, 209 | upx
behavioral2/files/0x0007000000022cd7-<n>.dat for <n> in: 12, 46, 83, 116, 118, 152, 192 | upx
behavioral2/files/0x0006000000022cda-<n>.dat for <n> in: 50, 87, 126, 125, 168, 169, 215 | upx
behavioral2/files/0x0006000000022cdb-<n>.dat for <n> in: 54, 91, 92, 129, 159, 162, 197 | upx
behavioral2/files/0x0006000000022cdc-<n>.dat for <n> in: 59, 58, 95, 133, 172, 202, 206 | upx

Adds Run key to start application 2 TTPs 24 IoCs
Key: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
description | ioc | Process
Set value (str) | DesertSand = "Fonts\\Admin 2 - 11 - 2023\\smss.exe" | system32.exe, Kazekage.exe, csrss.exe, NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, smss.exe, Gaara.exe
Set value (str) | SystemRun = "drivers\\csrss.exe" | Kazekage.exe, NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, smss.exe, system32.exe, csrss.exe, Gaara.exe
Set value (str) | 644r4 = "2-11-2023.exe" | csrss.exe, system32.exe, NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, Gaara.exe, smss.exe, Kazekage.exe
Set value (str) | FreeAV = "Fonts\\Admin 2 - 11 - 2023\\Gaara.exe" | smss.exe, system32.exe, csrss.exe, NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, Kazekage.exe, Gaara.exe

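The Winlogon, Explorer, Policies and Run changes listed above are all plain registry values, so they can be audited offline against a snapshot. The Python below is an added example (not part of the Triage report and not the sample's code) that does that. It assumes a snapshot shaped as {key: {value name: data}} (build one with winreg on a live host, or from reg export output) and compares against the stock Windows defaults (Shell = explorer.exe, Userinit = C:\Windows\system32\userinit.exe, EnableLUA = 1, DisableRegistryTools absent or 0); both are stated as assumptions in the code. The sample snapshot is constructed from the IoCs on this page; the native-view Winlogon values are filled in with defaults because the report shows writes to the WOW6432Node view only, and the report's \REGISTRY\USER\<SID> path is written as HKCU.

```python
"""Audit a registry snapshot for the Winlogon, policy and Run changes in this report.
Added example, not part of the Triage report. Snapshot shape (assumed):
{key_path: {value_name: data}}, built with winreg on a live host or from reg export."""
import ntpath
from typing import Dict, List, NamedTuple, Union

Snapshot = Dict[str, Dict[str, Union[str, int]]]

class Finding(NamedTuple):
    kind: str    # "winlogon" | "policy" | "run"
    key: str
    name: str
    detail: str

# A 32-bit writer lands in WOW6432Node for keys that are not shared between the two
# registry views, so Winlogon and Run are checked in both (the report shows only
# WOW6432Node writes). HKCU stands for the \REGISTRY\USER\<SID> path in the report.
WINLOGON_KEYS = (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
                 r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon")
RUN_KEYS = (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run")
MACHINE_POLICY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
USER_POLICY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
EXPLORER_ADVANCED = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# Assumed stock defaults: Shell = explorer.exe, Userinit = C:\Windows\system32\userinit.exe,
# so a list entry with any other file name is an addition.
ALLOWED_BASENAMES = {"Shell": {"explorer.exe"}, "Userinit": {"userinit.exe"}}
# Policy states worth a finding: UAC off (effective after a reboot), regedit blocked.
BAD_POLICY = {(MACHINE_POLICY, "EnableLUA"): 0, (USER_POLICY, "DisableRegistryTools"): 1}
# Names the sample reuses for its copies; the genuine ones live in System32 only.
MASQUERADE_NAMES = {"smss.exe", "csrss.exe", "system32.exe"}

def split_list(value: str) -> List[str]:
    """Winlogon values are comma-separated (the default Userinit ends with a comma)."""
    return [part.strip() for part in value.split(",") if part.strip()]

def command_path(command: str) -> str:
    """Executable of a Run value: the quoted part if quoted, else the whole string
    (this sample's unquoted paths contain spaces, so do not split on them)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command

def is_absolute(path: str) -> bool:
    """Drive-letter or UNC path; anything else resolves against the launcher's CWD."""
    return bool(ntpath.splitdrive(path)[0])

def winlogon_findings(snapshot: Snapshot) -> List[Finding]:
    found = []
    for key in WINLOGON_KEYS:
        for name, allowed in ALLOWED_BASENAMES.items():
            value = snapshot.get(key, {}).get(name)
            for entry in split_list(value) if isinstance(value, str) else []:
                if ntpath.basename(entry).lower() not in allowed:
                    found.append(Finding("winlogon", key, name, entry))
    return found

def policy_findings(snapshot: Snapshot) -> List[Finding]:
    return [Finding("policy", key, name, str(bad)) for (key, name), bad in BAD_POLICY.items()
            if snapshot.get(key, {}).get(name) == bad]

def run_findings(snapshot: Snapshot) -> List[Finding]:
    found = []
    for key in RUN_KEYS:
        for name, command in snapshot.get(key, {}).items():
            exe = command_path(command) if isinstance(command, str) else ""
            if exe and (not is_absolute(exe) or ntpath.basename(exe).lower() in MASQUERADE_NAMES):
                found.append(Finding("run", key, name, command))
    return found

def explorer_view(snapshot: Snapshot) -> Dict[str, Union[str, int]]:
    """HideFileExt = 1 and ShowSuperHidden = 0 are the Windows defaults, so the value
    alone is not a finding; the detection signal is which process wrote it."""
    advanced = snapshot.get(EXPLORER_ADVANCED, {})
    return {n: advanced[n] for n in ("HideFileExt", "ShowSuperHidden") if n in advanced}

def audit(snapshot: Snapshot) -> List[Finding]:
    return winlogon_findings(snapshot) + policy_findings(snapshot) + run_findings(snapshot)

# Constructed from this report's IoCs; the native-view Winlogon values are the assumed
# defaults because the report records WOW6432Node writes only.
REPORT_SNAPSHOT: Snapshot = {
    WINLOGON_KEYS[0]: {"Shell": "explorer.exe", "Userinit": r"C:\Windows\system32\userinit.exe,"},
    WINLOGON_KEYS[1]: {"Shell": r"Explorer.exe, drivers\csrss.exe",
                       "Userinit": r"userinit.exe,drivers\system32.exe"},
    MACHINE_POLICY: {"EnableLUA": 0},
    USER_POLICY: {"DisableRegistryTools": 1},
    EXPLORER_ADVANCED: {"HideFileExt": 1, "ShowSuperHidden": 0},
    RUN_KEYS[1]: {"DesertSand": r"Fonts\Admin 2 - 11 - 2023\smss.exe", "SystemRun": r"drivers\csrss.exe",
                  "644r4": "2-11-2023.exe", "FreeAV": r"Fonts\Admin 2 - 11 - 2023\Gaara.exe"},
}

if __name__ == "__main__":
    for f in audit(REPORT_SNAPSHOT):
        print(f"[{f.kind}] {f.key}\\{f.name}: {f.detail}")
    print("explorer view:", explorer_view(REPORT_SNAPSHOT))
```

Two things a practitioner should verify on a 64-bit host rather than take from the report: the Winlogon and Run writes landed in WOW6432Node because the sample is a 32-bit process, and while Explorer processes both Run keys, the Winlogon values that winlogon.exe reads are in the native key, so check both views before concluding the Shell/Userinit hijack is live. The values are also relative paths (drivers\csrss.exe, Fonts\Admin 2 - 11 - 2023\smss.exe) while the drops recorded above sit under C:\Windows\SysWOW64\drivers, so look in both System32\drivers and SysWOW64\drivers. HideFileExt = 1 and ShowSuperHidden = 0 are the Windows defaults, which is why the example reports them separately instead of as findings; the detection value there is the write event, not the resulting value. EnableLUA = 0 only takes effect after a restart.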
Drops desktop.ini file(s) 64 IoCs
description: File opened for modification <drive>\Desktop.ini (paths appear as NT object paths \??\X:\Desktop.ini, except C:, D: and F:, which appear as plain paths)
Process | drives
NEAS.bd5b7228bfe118f0ec41b5b331117409.exe | H:, Z:, E:, K:, G:, N:, T:, Y:, O:, U:
smss.exe | C:, A:, P:, I:, E:, M:, U:, W:, B:, L:, D:, V:
Gaara.exe | M:, S:, K:, U:, A:, N:, P:, W:, D:, Y:, B:, R:, Q:
csrss.exe | W:, S:, Z:, A:, K:, Q:, T:, N:, O:, X:, B:, M:
Kazekage.exe | J:, G:, Z:, R:, Y:, F:, S:
system32.exe | I:, Y:, S:, E:, T:, H:, R:, W:, L:, J:

Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\<drive>:, grouped by process:
smss.exe: B: G: H: I: K: N: O: P: R: U: V: W: X: Z:
NEAS.bd5b7228bfe118f0ec41b5b331117409.exe: A: G: I: J: K: L: M: O: Q: T: U: V: W: Z:
Gaara.exe: B: H: I: M: N: V: W: Y: Z:
system32.exe: E: H: I: K: M: N: S: T: W: X: Z:
csrss.exe: G: H: M: O: R: S: T: W: X:
Kazekage.exe: E: G: I: J: L: R: S:
Letters across the whole A: to Z: range are opened, including ones with no volume mounted, which is the signature of a loop over drive letters rather than a query of attached devices. The report caps each signature at 64 entries, so the per-process sets above are a sample of the activity, not its full extent. -
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process
Autorun.inf at the volume root, grouped by description and process. C:, D: and F: are logged as plain paths such as D:\Autorun.inf, the rest as \??\X:\Autorun.inf.
File created
smss.exe: C: D: E: H: L: O: P: X: Z:
system32.exe: B: D: N: O: Q: U: X: Y:
Gaara.exe: B: E: G: H: I: J: K: P: Q: U: V:
NEAS.bd5b7228bfe118f0ec41b5b331117409.exe: B: H: J: L: M: R: W:
File opened for modification
Gaara.exe: B: F: G: K: N: O: P: R: U: W:
NEAS.bd5b7228bfe118f0ec41b5b331117409.exe: A: C: R: S: U: W: Z:
system32.exe: A: O: Q: R: U: V: W:
smss.exe: O: Q: U: V: Y:
No csrss.exe or Kazekage.exe entries fall within the 64-entry cap. The file is written to drive letters without regard to media type, including the system drive. On Windows 7 and later AutoRun is honoured only for optical media, so on a current host this Autorun.inf does not execute on insertion; the spreading vector relies on legacy AutoPlay policy or on the user opening the worm's copy, and the Desktop.ini lure above exists to make that more likely. -
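The sandbox renders each of the drive-related signatures above (drive enumeration, Desktop.ini and Autorun.inf drops) as one flat run of "description ioc Process" records, which is hard to pivot by hand. The following Python is added here as a parser for that record format; it is not part of the report or of the sample. The regular expressions and the function names are my own, and SAMPLE is a constructed excerpt of records copied from the tables above. It splits the run into records, normalises both path spellings the sandbox uses (\??\X:\... and plain D:\...), and reports which drive letters each process probed and which drives received an Autorun.inf or Desktop.ini.

```python
import re
from collections import defaultdict

# Constructed excerpt of the report's records, in the flattened form the sandbox emits:
# "<description> <ioc> <process>" repeated on one line.
SAMPLE = (
    "File opened (read-only) \\??\\O: smss.exe File opened (read-only) \\??\\Z: smss.exe "
    "File opened (read-only) \\??\\Z: NEAS.bd5b7228bfe118f0ec41b5b331117409.exe "
    "File opened (read-only) \\??\\I: Gaara.exe File opened (read-only) \\??\\E: Kazekage.exe "
    "File created D:\\Autorun.inf smss.exe File opened for modification \\??\\O:\\Autorun.inf Gaara.exe "
    "File created \\??\\L:\\Autorun.inf smss.exe File created \\??\\O:\\Autorun.inf system32.exe "
    "File opened for modification \\??\\Z:\\Autorun.inf NEAS.bd5b7228bfe118f0ec41b5b331117409.exe "
    "File opened for modification \\??\\M:\\Desktop.ini Gaara.exe "
    "File opened for modification \\??\\O:\\Desktop.ini csrss.exe "
    "File opened for modification C:\\Desktop.ini smss.exe"
)

# The description column is drawn from a fixed vocabulary, which is what makes the
# flat run parseable: a record ends where the next description begins.
DESCRIPTIONS = (
    "File opened for modification",
    "File opened (read-only)",
    "File created",
    "Key created",
    "Set value (str)",
)
_DESC = "|".join(re.escape(d) for d in DESCRIPTIONS)
# description, then an IoC that may contain spaces, then the process image name,
# which must be followed by another description or by the end of the run.
RECORD = re.compile(rf"({_DESC})\s+(.+?)\s+(\S+\.exe)(?=\s+(?:{_DESC})|\s*$)")
# \??\X: is the NT object-manager form; mounted volumes are sometimes logged as plain DOS paths.
DRIVE = re.compile(r"^(?:\\\?\?\\)?([A-Za-z]):(?:\\(.*))?$")


def parse_records(text):
    """Split a flattened run into (description, ioc, process) tuples."""
    return [(m.group(1), m.group(2), m.group(3)) for m in RECORD.finditer(text)]


def drive_of(ioc):
    """Return (drive_letter, path_below_root) for a drive-rooted IoC, or None for anything else."""
    m = DRIVE.match(ioc)
    if not m:
        return None
    return m.group(1).upper(), (m.group(2) or "")


def drives_touched(records, description, filename=None):
    """Map process -> sorted drive letters for one description, optionally for one root file."""
    out = defaultdict(set)
    for desc, ioc, proc in records:
        if desc != description:
            continue
        d = drive_of(ioc)
        if d is None:
            continue
        letter, below_root = d
        if filename is not None and below_root.lower() != filename.lower():
            continue
        out[proc].add(letter)
    return {proc: sorted(letters) for proc, letters in out.items()}


def autorun_drives(records):
    """Drives on which any process created or rewrote a root Autorun.inf."""
    drives = set()
    for desc, ioc, _ in records:
        d = drive_of(ioc)
        if d and d[1].lower() == "autorun.inf" and desc in ("File created", "File opened for modification"):
            drives.add(d[0])
    return sorted(drives)


def summarize(text):
    """The views an analyst wants from these tables, built from one flattened run."""
    records = parse_records(text)
    return {
        "record_count": len(records),
        "enumerated": drives_touched(records, "File opened (read-only)"),
        "desktop_ini": drives_touched(records, "File opened for modification", "Desktop.ini"),
        "autorun_drives": autorun_drives(records),
    }


if __name__ == "__main__":
    for name, view in summarize(SAMPLE).items():
        print(name, view)
```

Paste a whole signature table (all 64 entries) into SAMPLE and the same functions give the complete per-process coverage; the cap on entries means the union over the Desktop.ini and Autorun.inf tables is a better picture of affected drives than either table alone.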
Drops file in System32 directory 31 IoCs
description ioc Process
C:\Windows\SysWOW64\ (directory): File opened for modification by smss.exe, system32.exe, NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, Gaara.exe
C:\Windows\SysWOW64\2-11-2023.exe: File created by NEAS.bd5b7228bfe118f0ec41b5b331117409.exe; File opened for modification by smss.exe, Kazekage.exe, system32.exe, NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, csrss.exe, Gaara.exe
C:\Windows\SysWOW64\msvbvm60.dll: File created by Gaara.exe, Kazekage.exe, smss.exe, csrss.exe, system32.exe, NEAS.bd5b7228bfe118f0ec41b5b331117409.exe; File opened for modification by Gaara.exe, smss.exe, system32.exe, NEAS.bd5b7228bfe118f0ec41b5b331117409.exe
C:\Windows\SysWOW64\mscomctl.ocx: File created by Gaara.exe; File opened for modification by system32.exe, NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, Gaara.exe, smss.exe
C:\Windows\SysWOW64\Desktop.ini: File created by smss.exe; File opened for modification by Gaara.exe, NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, system32.exe, smss.exe
msvbvm60.dll is the Visual Basic 6 runtime and mscomctl.ocx the VB6 common-controls library: the sample is a VB6 executable and drops its runtime dependencies next to each copy, so those two files are dependencies rather than payloads. The name 2-11-2023.exe, like the Admin 2 - 11 - 2023 directory below, embeds the date of the run (the sample was submitted on 01-11-2023; the guest's local date was evidently 2 November), so it is generated at run time and will differ on every infected host; hunt on the directory, the hash and the VB6 runtime dropped into SysWOW64, not on this file name. -
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg", written by NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, smss.exe, Gaara.exe, csrss.exe, Kazekage.exe and system32.exe (one value, six writers). The image is created under C:\Windows\Fonts (see the Windows-directory drops below); a wallpaper path under Fonts is a cheap host indicator. -
Drops file in Windows directory 64 IoCs
description ioc Process
C:\Windows\ (directory): File opened for modification by NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, Gaara.exe
C:\Windows\Fonts\Admin 2 - 11 - 2023\Gaara.exe: File created by NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, Kazekage.exe, Gaara.exe, csrss.exe; File opened for modification by csrss.exe, NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, Gaara.exe, Kazekage.exe, smss.exe
C:\Windows\Fonts\Admin 2 - 11 - 2023\smss.exe: File created by csrss.exe, smss.exe, NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, Gaara.exe, system32.exe; File opened for modification by csrss.exe, smss.exe, Kazekage.exe
C:\Windows\Fonts\Admin 2 - 11 - 2023\csrss.exe: File created by Kazekage.exe, system32.exe, Gaara.exe, NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, csrss.exe; File opened for modification by csrss.exe, NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, Gaara.exe
C:\Windows\Fonts\Admin 2 - 11 - 2023\msvbvm60.dll: File created by smss.exe, Kazekage.exe, Gaara.exe, csrss.exe, NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, system32.exe
C:\Windows\Fonts\The Kazekage.jpg: File created by NEAS.bd5b7228bfe118f0ec41b5b331117409.exe; File opened for modification by csrss.exe, system32.exe, NEAS.bd5b7228bfe118f0ec41b5b331117409.exe
C:\Windows\msvbvm60.dll: File created by NEAS.bd5b7228bfe118f0ec41b5b331117409.exe; File opened for modification by smss.exe, csrss.exe, NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, system32.exe, Gaara.exe
C:\Windows\mscomctl.ocx: File created by Gaara.exe; File opened for modification by Gaara.exe, system32.exe, smss.exe
C:\Windows\system\msvbvm60.dll: File created by NEAS.bd5b7228bfe118f0ec41b5b331117409.exe; File opened for modification by smss.exe, NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, csrss.exe, Kazekage.exe, system32.exe
C:\Windows\system\mscoree.dll: File opened for modification by system32.exe, Gaara.exe, Kazekage.exe, NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, smss.exe, csrss.exe
C:\Windows\WBEM\msvbvm60.dll: File created by csrss.exe, NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, Kazekage.exe, smss.exe, Gaara.exe
The copies named smss.exe and csrss.exe borrow the names of core Windows processes, and there is no legitimate Windows binary called system32.exe. The genuine smss.exe and csrss.exe exist only in C:\Windows\System32 and run as SYSTEM from session start, so an image of either name under C:\Windows\Fonts\Admin 2 - 11 - 2023\, or a process of that name whose parent is not the expected system process, is the worm. The directory name appears to combine the logged-on user name and the run date, so match on C:\Windows\Fonts\*\ plus the image names rather than on the literal path. -
Modifies Control Panel 64 IoCs
description ioc Process
All entries are under \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\ (the HKCU hive of the logged-on user); grouped by value, with the processes that wrote it:
Key created Desktop: Kazekage.exe, csrss.exe, system32.exe, NEAS.bd5b7228bfe118f0ec41b5b331117409.exe
Key created Screen Saver.Marquee: Gaara.exe, smss.exe
Set value (str) Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg": system32.exe, NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, csrss.exe, Gaara.exe
Set value (str) Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg": system32.exe, csrss.exe, Kazekage.exe, NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, Gaara.exe
Set value (str) Desktop\ScreenSaveTimeOut = "400": Gaara.exe, Kazekage.exe, smss.exe, csrss.exe, system32.exe, NEAS.bd5b7228bfe118f0ec41b5b331117409.exe
Set value (str) Desktop\SCRNSAVE.EXE = "ssmarque.scr": NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, csrss.exe, smss.exe, system32.exe, Gaara.exe, Kazekage.exe
Set value (str) Desktop\WallpaperStyle = "2": Gaara.exe, Kazekage.exe, smss.exe, csrss.exe
Set value (str) Screen Saver.Marquee\Font = "Blackadder ITC": system32.exe, smss.exe, Gaara.exe, NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, Kazekage.exe, csrss.exe
Set value (str) Screen Saver.Marquee\Speed = "4": Gaara.exe, system32.exe, NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, smss.exe
Set value (str) Screen Saver.Marquee\Size = "72": Kazekage.exe, NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, smss.exe, Gaara.exe
Set value (str) Screen Saver.Marquee\TextColor = "255 0 0": csrss.exe, NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, Gaara.exe, system32.exe
Set value (str) Screen Saver.Marquee\BackgroundColor = "0 0 0": Gaara.exe, Kazekage.exe, csrss.exe, smss.exe
Set value (str) Screen Saver.Marquee\Mode.EXE = "1": NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, Gaara.exe, smss.exe, system32.exe, Kazekage.exe, csrss.exe
Set value (str) Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )": smss.exe, Gaara.exe, system32.exe, Kazekage.exe, csrss.exe
SCRNSAVE.EXE is a well-known persistence location when it names an attacker-controlled binary. Here it names ssmarque.scr, the marquee screen saver that shipped with Windows XP and earlier, and the Screen Saver.Marquee values carry that screen saver's text, font and colours, so this block is defacement (a red-on-black message after 400 seconds idle) rather than persistence; on a Windows 10 image that lacks ssmarque.scr the entry is inert. The Screen Saver.Marquee key belongs to that legacy screen saver and has no role on Windows 10, so its presence in a user hive is itself a useful indicator. -
Modifies Internet Explorer settings 12 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Internet Explorer\Main: Kazekage.exe, csrss.exe, NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, system32.exe, Gaara.exe, smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!": csrss.exe, NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, Gaara.exe, smss.exe, system32.exe, Kazekage.exe
The Window Title string is the author's message and a stable, searchable indicator in the user hive: it survives reboots and is not removed by deleting the binaries. -
Modifies registry class 51 IoCs
description ioc Process
All keys are under \REGISTRY\MACHINE\SOFTWARE\Classes\ (HKCR), so the changes apply to every user on the host; grouped by key, with the processes that wrote it:
Set value (str) VBSFile\Shell\Open\Command\ = "calc.exe": Gaara.exe, smss.exe, NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, Kazekage.exe, csrss.exe, system32.exe
Set value (str) VBSFile\Shell\Open2\Command\ = "calc.exe": Gaara.exe, csrss.exe, Kazekage.exe, NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, system32.exe, smss.exe
Set value (str) VBSFile\Shell\Edit\Command\ = "calc.exe": smss.exe, system32.exe, Kazekage.exe, NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, csrss.exe, Gaara.exe
Set value (str) inffile\shell\Install\command\ = "shutdown -r -f -t 0": system32.exe, csrss.exe, NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, smss.exe, Gaara.exe, Kazekage.exe
Key created VBSFile\Shell\Open\Command: Gaara.exe, csrss.exe, Kazekage.exe, system32.exe, NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, smss.exe
Key created VBSFile\Shell\Open2\Command: system32.exe, Kazekage.exe, Gaara.exe, csrss.exe, smss.exe, NEAS.bd5b7228bfe118f0ec41b5b331117409.exe
Key created VBSFile\Shell\Edit\Command: NEAS.bd5b7228bfe118f0ec41b5b331117409.exe, smss.exe, system32.exe, Gaara.exe, Kazekage.exe, csrss.exe
Key created inffile\shell\Install\command: Gaara.exe, system32.exe, csrss.exe, Kazekage.exe, smss.exe, NEAS.bd5b7228bfe118f0ec41b5b331117409.exe
Key created inffile; Key created inffile\shell; Key created inffile\shell\Install: Kazekage.exe
These are the shell verbs Explorer runs for .vbs and .inf files. With Open, Open2 (the "Open with Command Prompt" verb) and Edit on VBSFile all pointing at calc.exe, double-clicking, running from a console context menu or editing any VBScript launches Calculator instead of wscript.exe, cscript.exe or notepad.exe: a defence-evasion trick against cleanup and analysis scripts written in VBScript, and one that also breaks legitimate logon scripts. Setting the Install verb of inffile to "shutdown -r -f -t 0" means that right-clicking the dropped Autorun.inf and choosing Install forces an immediate reboot with no grace period. Both changes outlive the binaries and must be reverted separately; compare the values with a clean host of the same build rather than assuming defaults. -
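The following Python is added here as a checker for the shell-verb hijack described above; it is not part of the report or of the sample. It judges each verb by the executable its command names rather than by an exact string, so expanded and %SystemRoot%-relative paths both pass, and it flags the two patterns this worm uses (a wrong program such as calc.exe, and a command with no path such as shutdown). WORM_VALUES are the values copied from the table above, embedded as constructed input; CLEAN_VALUES and EXPECTED_IMAGE are my assumption of stock Windows 10 defaults and should be confirmed against a reference host of the same build before being relied on. The live read-back uses winreg and therefore only runs on Windows; the assessment itself runs anywhere.

```python
import ntpath

try:
    import winreg  # present on Windows only; assess() does not need it
except ImportError:
    winreg = None

# Verb handlers as the worm left them, copied from the report above (constructed test input).
# Keys are written as HKCR\<ProgID>\<verb>\command; the handler is the key's default value.
WORM_VALUES = {
    r"HKCR\VBSFile\Shell\Open\Command": "calc.exe",
    r"HKCR\VBSFile\Shell\Open2\Command": "calc.exe",
    r"HKCR\VBSFile\Shell\Edit\Command": "calc.exe",
    r"HKCR\inffile\shell\Install\command": "shutdown -r -f -t 0",
}

# Stock handler commands (assumption: default Windows 10; verify on a clean host of the same build).
CLEAN_VALUES = {
    r"HKCR\VBSFile\Shell\Open\Command": r'"%SystemRoot%\System32\WScript.exe" "%1" %*',
    r"HKCR\VBSFile\Shell\Open2\Command": r'"%SystemRoot%\System32\CScript.exe" "%1" %*',
    r"HKCR\VBSFile\Shell\Edit\Command": r'"%SystemRoot%\System32\Notepad.exe" %1',
    r"HKCR\inffile\shell\Install\command": r'%SystemRoot%\System32\InfDefaultInstall.exe "%1"',
}

# Executables that are legitimate for each verb (assumption, as above). Comparing the image
# name rather than the whole command tolerates quoting and %SystemRoot% vs. expanded paths.
EXPECTED_IMAGE = {
    r"HKCR\VBSFile\Shell\Open\Command": {"wscript.exe", "cscript.exe"},
    r"HKCR\VBSFile\Shell\Open2\Command": {"cscript.exe", "wscript.exe"},
    r"HKCR\VBSFile\Shell\Edit\Command": {"notepad.exe"},
    r"HKCR\inffile\shell\Install\command": {"infdefaultinstall.exe"},
}


def first_image(command):
    """Executable named by a shell command string, lower-cased, with .exe implied when absent."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        token = command[1:end] if end > 0 else command[1:]
    else:
        token = command.split(None, 1)[0] if command else ""
    name = ntpath.basename(token).lower()  # ntpath so backslash paths split correctly on any OS
    if name and "." not in name:
        name += ".exe"  # "shutdown -r -f -t 0" names shutdown.exe without the extension
    return name


def assess(values):
    """Return (key, value, reason) for every verb whose handler is not an expected image."""
    findings = []
    for key, expected in EXPECTED_IMAGE.items():
        if key not in values:
            continue  # verb absent from the export; nothing to judge
        image = first_image(values[key])
        if image not in expected:
            findings.append((key, values[key], f"handler runs {image}; expected one of {sorted(expected)}"))
    return findings


def read_live_values():
    """Collect the same verbs from the local machine (Windows only)."""
    if winreg is None:
        raise RuntimeError("live registry read needs Windows; run assess() on exported values instead")
    values = {}
    for key in EXPECTED_IMAGE:
        subkey = key.split("\\", 1)[1]  # drop the HKCR\ prefix
        try:
            values[key] = winreg.QueryValue(winreg.HKEY_CLASSES_ROOT, subkey)  # default (unnamed) value
        except OSError:
            pass  # verb not registered on this host
    return values


if __name__ == "__main__":
    source = read_live_values() if winreg else WORM_VALUES
    for key, value, reason in assess(source):
        print(f"{key}\n  = {value!r}\n  {reason}")
```

On an infected host the four findings are the four hijacked verbs; on a clean host assess() returns an empty list. Remediation is to write the reference host's own handler strings back (as REG_EXPAND_SZ, since they contain %SystemRoot%), not the strings guessed here.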
Runs ping.exe 1 TTPs 20 IoCs
pid Process 552 ping.exe 1652 ping.exe 5028 ping.exe 4496 ping.exe 4396 ping.exe 2044 ping.exe 4128 ping.exe 1192 ping.exe 1004 ping.exe 3636 ping.exe 3524 ping.exe 4796 ping.exe 2908 ping.exe 3896 ping.exe 4216 ping.exe 4868 ping.exe 4776 ping.exe 1528 ping.exe 4876 ping.exe 2244 ping.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1440 Kazekage.exe 1440 Kazekage.exe 1440 Kazekage.exe 1440 Kazekage.exe 1440 Kazekage.exe 1440 Kazekage.exe 1440 Kazekage.exe 1440 Kazekage.exe 1440 Kazekage.exe 1440 Kazekage.exe 1440 Kazekage.exe 1440 Kazekage.exe 1440 Kazekage.exe 1440 Kazekage.exe 1440 Kazekage.exe 1440 Kazekage.exe 1440 Kazekage.exe 1440 Kazekage.exe 1036 csrss.exe 1440 Kazekage.exe 1440 Kazekage.exe 1440 Kazekage.exe 1440 Kazekage.exe 1440 Kazekage.exe 1440 Kazekage.exe 1036 csrss.exe 1036 csrss.exe 1036 csrss.exe 1036 csrss.exe 1036 csrss.exe 1036 csrss.exe 1036 csrss.exe 1036 csrss.exe 1036 csrss.exe 1036 csrss.exe 1036 csrss.exe 1036 csrss.exe 1036 csrss.exe 1036 csrss.exe 1036 csrss.exe 1036 csrss.exe 1036 csrss.exe 1036 csrss.exe 1036 csrss.exe 1036 csrss.exe 1036 csrss.exe 1036 csrss.exe 1036 csrss.exe 2116 smss.exe 2116 smss.exe 2116 smss.exe 2116 smss.exe 2116 smss.exe 2116 smss.exe 2116 smss.exe 2116 smss.exe 2116 smss.exe 2116 smss.exe 2116 smss.exe 2116 smss.exe 2116 smss.exe 2116 smss.exe 2116 smss.exe 2116 smss.exe -
Suspicious use of SetWindowsHookEx 31 IoCs
pid Process 1152 NEAS.bd5b7228bfe118f0ec41b5b331117409.exe 2116 smss.exe 3820 smss.exe 1756 Gaara.exe 2784 smss.exe 2776 Gaara.exe 1036 csrss.exe 2676 smss.exe 2988 Gaara.exe 4612 csrss.exe 1440 Kazekage.exe 1796 smss.exe 4716 Gaara.exe 3804 csrss.exe 1284 Kazekage.exe 4240 system32.exe 416 Gaara.exe 4932 smss.exe 4608 csrss.exe 4496 Gaara.exe 1280 Kazekage.exe 1952 csrss.exe 1004 system32.exe 1228 Kazekage.exe 2732 csrss.exe 3700 system32.exe 3068 Kazekage.exe 636 system32.exe 2964 system32.exe 2884 Kazekage.exe 2980 system32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
3 events: PID 1152 wrote to memory of 2116 1152 NEAS.bd5b7228bfe118f0ec41b5b331117409.exe 92
3 events: PID 2116 wrote to memory of 3820 2116 smss.exe 93
3 events: PID 2116 wrote to memory of 1756 2116 smss.exe 94
3 events: PID 1756 wrote to memory of 2784 1756 Gaara.exe 95
3 events: PID 1756 wrote to memory of 2776 1756 Gaara.exe 96
3 events: PID 1756 wrote to memory of 1036 1756 Gaara.exe 97
3 events: PID 1036 wrote to memory of 2676 1036 csrss.exe 98
3 events: PID 1036 wrote to memory of 2988 1036 csrss.exe 99
3 events: PID 1036 wrote to memory of 4612 1036 csrss.exe 100
3 events: PID 1036 wrote to memory of 1440 1036 csrss.exe 101
3 events: PID 1440 wrote to memory of 1796 1440 Kazekage.exe 102
3 events: PID 1440 wrote to memory of 4716 1440 Kazekage.exe 103
3 events: PID 1440 wrote to memory of 3804 1440 Kazekage.exe 104
3 events: PID 1440 wrote to memory of 1284 1440 Kazekage.exe 105
3 events: PID 1440 wrote to memory of 4240 1440 Kazekage.exe 106
3 events: PID 1152 wrote to memory of 416 1152 NEAS.bd5b7228bfe118f0ec41b5b331117409.exe 107
3 events: PID 4240 wrote to memory of 4932 4240 system32.exe 108
3 events: PID 1152 wrote to memory of 4608 1152 NEAS.bd5b7228bfe118f0ec41b5b331117409.exe 109
3 events: PID 4240 wrote to memory of 4496 4240 system32.exe 110
3 events: PID 1152 wrote to memory of 1280 1152 NEAS.bd5b7228bfe118f0ec41b5b331117409.exe 111
3 events: PID 4240 wrote to memory of 1952 4240 system32.exe 112
1 event: PID 1152 wrote to memory of 1004 1152 NEAS.bd5b7228bfe118f0ec41b5b331117409.exe 113 (the 64-entry listing ends here)
-
System policy modification 1 TTPs 12 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System NEAS.bd5b7228bfe118f0ec41b5b331117409.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" NEAS.bd5b7228bfe118f0ec41b5b331117409.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe
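A host-side check for the registry artifacts listed in the signatures above, added here as an example; it is not part of the sandbox report and not code from the sample. The key paths and the planted values (Shell and Userinit extended with drivers\csrss.exe and drivers\system32.exe, EnableLUA set to 0, the .vbs Open/Open2/Edit verbs pointed at calc.exe, the .inf Install verb pointed at shutdown -r -f -t 0) come from the report; the clean baselines (Shell = explorer.exe, Userinit = C:\Windows\system32\userinit.exe followed by a trailing comma) are Windows defaults. One caveat the report's paths make visible: the Winlogon writes landed under WOW6432Node because the sample is a 32-bit process and that key is subject to registry redirection, whereas Policies\System is a shared key and was written in place. Winlogon reads the native 64-bit view, so on x64 Windows the Shell/Userinit modification is an indicator of compromise but not working persistence; the check reports both views for that reason.

```powershell
# Added example, not code from the report or the sample. Run from an elevated
# PowerShell prompt on the host being triaged. Key paths and planted values are
# taken from the sandbox signatures; baselines are Windows defaults.

function Get-RegistryValueSafe {
    param([string]$Path, [string]$Name)
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return [string]$item.$Name
    } catch {
        return $null   # key or value absent: treated as "not set"
    }
}

function Test-SampleRegistryArtifacts {
    $findings = New-Object System.Collections.Generic.List[object]

    # Winlogon Shell / Userinit. The report shows the WOW6432Node view being
    # written (32-bit process, redirected key); check the native view as well,
    # since that is the one Winlogon actually honours on x64.
    $winlogonKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )
    foreach ($key in $winlogonKeys) {
        $shell = Get-RegistryValueSafe -Path $key -Name 'Shell'
        if ($shell -and ($shell.Trim() -notmatch '^explorer\.exe$')) {
            $findings.Add([pscustomobject]@{ Check = 'Winlogon Shell'; Key = $key; Value = $shell })
        }
        $userinit = Get-RegistryValueSafe -Path $key -Name 'Userinit'
        # Default is "C:\Windows\system32\userinit.exe," so one non-empty entry is normal.
        if ($userinit) {
            $entries = @($userinit -split ',' | Where-Object { $_.Trim() -ne '' })
            if ($entries.Count -gt 1) {
                $findings.Add([pscustomobject]@{ Check = 'Winlogon Userinit'; Key = $key; Value = $userinit })
            }
        }
    }

    # UAC switched off through policy (EnableLUA = 0). Policies\System is a
    # shared key, which is why the report lists it without WOW6432Node.
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $enableLua = Get-RegistryValueSafe -Path $policyKey -Name 'EnableLUA'
    if ($enableLua -eq '0') {
        $findings.Add([pscustomobject]@{ Check = 'EnableLUA'; Key = $policyKey; Value = $enableLua })
    }

    # Shell verb hijacks from the report: .vbs Open/Open2/Edit redirected to
    # calc.exe and the .inf Install verb replaced with a forced reboot.
    $verbKeys = @(
        'HKLM:\SOFTWARE\Classes\VBSFile\Shell\Open\Command',
        'HKLM:\SOFTWARE\Classes\VBSFile\Shell\Open2\Command',
        'HKLM:\SOFTWARE\Classes\VBSFile\Shell\Edit\Command',
        'HKLM:\SOFTWARE\Classes\inffile\shell\Install\command'
    )
    foreach ($key in $verbKeys) {
        $cmd = Get-RegistryValueSafe -Path $key -Name '(default)'
        if ($cmd -and ($cmd -match 'calc\.exe|shutdown\s+-r')) {
            $findings.Add([pscustomobject]@{ Check = 'Shell verb hijack'; Key = $key; Value = $cmd })
        }
    }

    return $findings
}

Test-SampleRegistryArtifacts | Format-Table -AutoSize
```

An empty table means none of the listed values are present. A hit on the WOW6432Node Winlogon key alone should still be remediated (restore Shell to explorer.exe and Userinit to the default) even though it is not consulted by a 64-bit Winlogon; on 32-bit Windows the same write is effective persistence.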
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\NEAS.bd5b7228bfe118f0ec41b5b331117409.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.bd5b7228bfe118f0ec41b5b331117409.exe")
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1152 -
Level 2: C:\Windows\Fonts\Admin 2 - 11 - 2023\smss.exe  (command line: "C:\Windows\Fonts\Admin 2 - 11 - 2023\smss.exe")
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2116 -
Level 3: C:\Windows\Fonts\Admin 2 - 11 - 2023\smss.exe  (command line: "C:\Windows\Fonts\Admin 2 - 11 - 2023\smss.exe")
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3820
-
-
Level 3: C:\Windows\Fonts\Admin 2 - 11 - 2023\Gaara.exe  (command line: "C:\Windows\Fonts\Admin 2 - 11 - 2023\Gaara.exe")
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1756 -
Level 4: C:\Windows\Fonts\Admin 2 - 11 - 2023\smss.exe  (command line: "C:\Windows\Fonts\Admin 2 - 11 - 2023\smss.exe")
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2784
-
-
Level 4: C:\Windows\Fonts\Admin 2 - 11 - 2023\Gaara.exe  (command line: "C:\Windows\Fonts\Admin 2 - 11 - 2023\Gaara.exe")
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2776
-
-
Level 4: C:\Windows\Fonts\Admin 2 - 11 - 2023\csrss.exe  (command line: "C:\Windows\Fonts\Admin 2 - 11 - 2023\csrss.exe")
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1036 -
Level 5: C:\Windows\Fonts\Admin 2 - 11 - 2023\smss.exe  (command line: "C:\Windows\Fonts\Admin 2 - 11 - 2023\smss.exe")
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2676
-
-
Level 5: C:\Windows\Fonts\Admin 2 - 11 - 2023\Gaara.exe  (command line: "C:\Windows\Fonts\Admin 2 - 11 - 2023\Gaara.exe")
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2988
-
-
Level 5: C:\Windows\Fonts\Admin 2 - 11 - 2023\csrss.exe  (command line: "C:\Windows\Fonts\Admin 2 - 11 - 2023\csrss.exe")
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4612
-
-
Level 5: C:\Windows\SysWOW64\drivers\Kazekage.exe  (command line: C:\Windows\system32\drivers\Kazekage.exe)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1440 -
Level 6: C:\Windows\Fonts\Admin 2 - 11 - 2023\smss.exe  (command line: "C:\Windows\Fonts\Admin 2 - 11 - 2023\smss.exe")
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1796
-
-
Level 6: C:\Windows\Fonts\Admin 2 - 11 - 2023\Gaara.exe  (command line: "C:\Windows\Fonts\Admin 2 - 11 - 2023\Gaara.exe")
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4716
-
-
Level 6: C:\Windows\Fonts\Admin 2 - 11 - 2023\csrss.exe  (command line: "C:\Windows\Fonts\Admin 2 - 11 - 2023\csrss.exe")
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3804
-
-
Level 6: C:\Windows\SysWOW64\drivers\Kazekage.exe  (command line: C:\Windows\system32\drivers\Kazekage.exe)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1284
-
-
Level 6: C:\Windows\SysWOW64\drivers\system32.exe  (command line: C:\Windows\system32\drivers\system32.exe)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4240 -
Level 7: C:\Windows\Fonts\Admin 2 - 11 - 2023\smss.exe  (command line: "C:\Windows\Fonts\Admin 2 - 11 - 2023\smss.exe")
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4932
-
-
Level 7: C:\Windows\Fonts\Admin 2 - 11 - 2023\Gaara.exe  (command line: "C:\Windows\Fonts\Admin 2 - 11 - 2023\Gaara.exe")
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4496
-
-
Level 7: C:\Windows\Fonts\Admin 2 - 11 - 2023\csrss.exe  (command line: "C:\Windows\Fonts\Admin 2 - 11 - 2023\csrss.exe")
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1952
-
-
Level 7: C:\Windows\SysWOW64\drivers\Kazekage.exe  (command line: C:\Windows\system32\drivers\Kazekage.exe)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1228
-
-
Level 7: C:\Windows\SysWOW64\drivers\system32.exe  (command line: C:\Windows\system32\drivers\system32.exe)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3700
-
-
Level 7: C:\Windows\SysWOW64\ping.exe  (command line: ping -a -l www.duniasex.com 65500)
- Runs ping.exe
PID:552
-
-
Level 7: C:\Windows\SysWOW64\ping.exe  (command line: ping -a -l www.rasasayang.com.my 65500)
- Runs ping.exe
PID:4216
-
-
Level 7: C:\Windows\SysWOW64\ping.exe  (command line: ping -a -l www.duniasex.com 65500)
- Runs ping.exe
PID:3896
-
-
Level 7: C:\Windows\SysWOW64\ping.exe  (command line: ping -a -l www.rasasayang.com.my 65500)
- Runs ping.exe
PID:1652
-
-
-
Level 6: C:\Windows\SysWOW64\ping.exe  (command line: ping -a -l www.duniasex.com 65500)
- Runs ping.exe
PID:2044
-
-
Level 6: C:\Windows\SysWOW64\ping.exe  (command line: ping -a -l www.rasasayang.com.my 65500)
- Runs ping.exe
PID:4796
-
-
-
Level 5: C:\Windows\SysWOW64\drivers\system32.exe  (command line: C:\Windows\system32\drivers\system32.exe)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2964
-
-
Level 5: C:\Windows\SysWOW64\ping.exe  (command line: ping -a -l www.rasasayang.com.my 65500)
- Runs ping.exe
PID:4776
-
-
Level 5: C:\Windows\SysWOW64\ping.exe  (command line: ping -a -l www.duniasex.com 65500)
- Runs ping.exe
PID:3524
-
-
-
Level 4: C:\Windows\SysWOW64\drivers\Kazekage.exe  (command line: C:\Windows\system32\drivers\Kazekage.exe)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2884
-
-
Level 4: C:\Windows\SysWOW64\drivers\system32.exe  (command line: C:\Windows\system32\drivers\system32.exe)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2980
-
-
Level 4: C:\Windows\SysWOW64\ping.exe  (command line: ping -a -l www.rasasayang.com.my 65500)
- Runs ping.exe
PID:2244
-
-
Level 4: C:\Windows\SysWOW64\ping.exe  (command line: ping -a -l www.duniasex.com 65500)
- Runs ping.exe
PID:4868
-
-
Level 4: C:\Windows\SysWOW64\ping.exe  (command line: ping -a -l www.duniasex.com 65500)
- Runs ping.exe
PID:2908
-
-
Level 4: C:\Windows\SysWOW64\ping.exe  (command line: ping -a -l www.rasasayang.com.my 65500)
- Runs ping.exe
PID:4876
-
-
-
Level 3: C:\Windows\Fonts\Admin 2 - 11 - 2023\csrss.exe  (command line: "C:\Windows\Fonts\Admin 2 - 11 - 2023\csrss.exe")
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2732
-
-
Level 3: C:\Windows\SysWOW64\drivers\Kazekage.exe  (command line: C:\Windows\system32\drivers\Kazekage.exe)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3068
-
-
Level 3: C:\Windows\SysWOW64\drivers\system32.exe  (command line: C:\Windows\system32\drivers\system32.exe)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:636
-
-
Level 3: C:\Windows\SysWOW64\ping.exe  (command line: ping -a -l www.duniasex.com 65500)
- Runs ping.exe
PID:4396
-
-
Level 3: C:\Windows\SysWOW64\ping.exe  (command line: ping -a -l www.rasasayang.com.my 65500)
- Runs ping.exe
PID:5028
-
-
Level 3: C:\Windows\SysWOW64\ping.exe  (command line: ping -a -l www.duniasex.com 65500)
- Runs ping.exe
PID:4128
-
-
Level 3: C:\Windows\SysWOW64\ping.exe  (command line: ping -a -l www.rasasayang.com.my 65500)
- Runs ping.exe
PID:1004
-
-
-
Level 2: C:\Windows\Fonts\Admin 2 - 11 - 2023\Gaara.exe  (command line: "C:\Windows\Fonts\Admin 2 - 11 - 2023\Gaara.exe")
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:416
-
-
Level 2: C:\Windows\Fonts\Admin 2 - 11 - 2023\csrss.exe  (command line: "C:\Windows\Fonts\Admin 2 - 11 - 2023\csrss.exe")
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4608
-
-
Level 2: C:\Windows\SysWOW64\drivers\Kazekage.exe  (command line: C:\Windows\system32\drivers\Kazekage.exe)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1280
-
-
Level 2: C:\Windows\SysWOW64\drivers\system32.exe  (command line: C:\Windows\system32\drivers\system32.exe)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1004
-
-
Level 2: C:\Windows\SysWOW64\ping.exe  (command line: ping -a -l www.rasasayang.com.my 65500)
- Runs ping.exe
PID:3636
-
-
Level 2: C:\Windows\SysWOW64\ping.exe  (command line: ping -a -l www.duniasex.com 65500)
- Runs ping.exe
PID:4496
-
-
Level 2: C:\Windows\SysWOW64\ping.exe  (command line: ping -a -l www.duniasex.com 65500)
- Runs ping.exe
PID:1192
-
-
Level 2: C:\Windows\SysWOW64\ping.exe  (command line: ping -a -l www.rasasayang.com.my 65500)
- Runs ping.exe
PID:1528
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (3)
  Registry Run Keys / Startup Folder (2)
  Winlogon Helper DLL (1)
Privilege Escalation
Abuse Elevation Control Mechanism (1)
  Bypass User Account Control (1)
Boot or Logon Autostart Execution (3)
  Registry Run Keys / Startup Folder (2)
  Winlogon Helper DLL (1)
Defense Evasion
Abuse Elevation Control Mechanism (1)
  Bypass User Account Control (1)
Hide Artifacts (2)
  Hidden Files and Directories (2)
Impair Defenses (1)
  Disable or Modify Tools (1)
Modify Registry (9)
Downloads
Dropped files by unique hash. The report lists 48 files; entries with identical hashes are collapsed here, with the number of copies in parentheses.
-
Filesize 416KB (6 copies)
MD5 c0840901e675ca966033cce17299614a
SHA1 4fc5b4197612bcef0b54c79cd43102691dd6c694
SHA256 281f9c20941290c597717044e396e01a4eb979804017b205e0f08378dd0af72d
SHA512 5388edb9ade2f77d0d5b2a4992f50d4aca0c418c72381a3ab310bf76d2130609d0bc28b43002b61ab2c9fa5f12f71ad4a0838a32e4418620f703a34dd01c0966
-
Filesize 416KB (7 copies)
MD5 7b057c25839da1b22eb0d066fa8d0490
SHA1 01e3d14d25246ab7ff5ad3d0a34c849449ede70e
SHA256 26507b1153e89836cc476bb34d48213777b8249e4b0c94aee94d2f3d035089cb
SHA512 fc7d95533b790f4a6d073ce454460e86b87030dd287b812fa675e2390170b9b16110f4e05cf3d962d52429ac11563b6dfa45fdfaa377fd4d606e6b8c85ef2429
-
Filesize 1.4MB (14 copies)
MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize 416KB (5 copies)
MD5 24158a602139f6ab85a3fa28cf94be53
SHA1 ac9a2d8cb9913eebdc7dce58b009dcd9f1ad0649
SHA256 1862ec6453a1d255686c50245404a5d50dc06ca553dd12755f231a4a22c24c2a
SHA512 e199d4187b8e30d10836afebd5102f47f0d677319f0399c1ff7bacda3ea867847519e55bd618d58f9539d85a66b2a67b93d37ad3de4f78c5a0b867fba35f9259
-
Filesize 416KB (1 copy; the MD5 matches the submitted sample's file name, so this is the sample copying itself)
MD5 bd5b7228bfe118f0ec41b5b331117409
SHA1 15e26f2a23d770c38ef50b7206f61655680d0d54
SHA256 0a2de45f865d4d1f2bfea3230f16169cd0e9ab52adf08ea30d6636d472864fcc
SHA512 f284329accc462b881178d33ee391c3b84604068c82a6b74a8c952abb3058d9fbcf90c518bacee644224777fe1413f351a470af654f28ac833dc228f64bca7f7
-
Filesize 416KB (1 copy)
MD5 32677dd91dcdeaf185af0280fdcb79f8
SHA1 b4a958800868dcb6273c4e611dd280b438a0a9ae
SHA256 5abb65d3ac08b75f86acf6bcb6662a230d6e7934f4daf10728c49f206884dcbf
SHA512 9a67a97489c94a45239121fda26f647844d00d762dc9ce8aca53b136453208df5109859ba6b49de305506da536a5a3cf07f2688046cd5eca72401d5b43fbdf3a
-
Filesize 1.4MB (4 copies)
MD5 d6b05020d4a0ec2a3a8b687099e335df
SHA1 df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA512 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff
-
Filesize 128KB (1 copy)
MD5 02770ec1a321e19ddd06cdb29d69ffe3
SHA1 d51b0b4d5de7a3c64dd320cfddd06614a2ab7af2
SHA256 72424cc8831eccd132639f5a2b6541c9bb2d638baf4397186a984bc353b7b579
SHA512 d816faa1abdee5c0879a4240b30abd156962a5dabb6d072bfcb84aae1d69d8c50ad8f8519db1db9a6fbdeee8a10c643f110800aed1c84957573501bcae178d4f
-
Filesize 416KB (2 copies)
MD5 b68f59e68be452540fb5a762a9666163
SHA1 77a92d038a359d49c6c11bc67bc1a6bac9b450a7
SHA256 511af1bc0f31993a5fdc55e3e2bc1995fe7d3fd189772ebff76798fb4606156d
SHA512 d6a1d95ebdc011afc81f235bf437fd27e514a378e8416f477ef8648284c8cec7f9e1019ad9982d8a8b71422e707b3f30b2fb7c6aa310d8fd9fd57d4a09f74c29
-
Filesize 416KB (3 copies)
MD5 f38d473c3526c5ea387587bcc0046458
SHA1 200a3106ad3eaf5435e118075327b82479e12e3d
SHA256 d86335e16653ae445b0be8e577aee2001794285cbc0840d1507ee017eb60fbfe
SHA512 68ebe1535f49c0a17a1fecfdc3d503967be419b328d5e9df9f615b4929eada373f74c1e8e191e7b427ca0e8ba92391fed18378d85176ba0a93cafe6db0443040
-
Filesize 416KB (1 copy)
MD5 8b9e35e10acd4e5bb4bd82604101a026
SHA1 a2dbf7c74061831756503bc3ce52986a25f61d4d
SHA256 595e7b29ee23329e6fc65a37ce5c163e951c3d6768dc3f2f359c364a0c51947c
SHA512 11e2e7ef7357ac7e9eb342fb675973543b30e6c0c7a81b18c4feaa5b9bf3870a589471cbc4f7fb28e75230f46b27b51d33be96f6292d18cdd9212d8b4d42c6e7
-
Filesize 416KB (1 copy)
MD5 e63304551e923e1a0d351215e8dd2fa7
SHA1 77af81878db619880a0c3d40bc8f455dd901d672
SHA256 115585dd8633f6eb3293a651fb1f7fe981fe7050874ab6ba4653e66bb49dbb56
SHA512 b2c80259e417836a116067a852e65a848f9bd357beb8dd8e43e2a8b7ddd5a2ca7860c69bec6acf7ea5ba43270d464c467881f2b6adae91aa30110bfe28d46107
-
Filesize 416KB (1 copy)
MD5 b3a1ce49a304f18085ad25e2bb1ace68
SHA1 abac8eac856dc6de1c95a1f56bd7a0ed625322d3
SHA256 512d1421148c5c1e61a762d793621e1c7ff02d90619f941efdb46de166e411b3
SHA512 56a433e89871536f1265cd36488846b05d5060dac441d3d34da90dd6429a374d90f5e099f0ac8547d703865a94eee73c87e3545108fdf4c964d47274815a2eab
-
Filesize 65B (1 copy)
MD5 64acfa7e03b01f48294cf30d201a0026
SHA1 10facd995b38a095f30b4a800fa454c0bcbf8438
SHA256 ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA512 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a
-
Filesize
416KB
MD5f38d473c3526c5ea387587bcc0046458
SHA1200a3106ad3eaf5435e118075327b82479e12e3d
SHA256d86335e16653ae445b0be8e577aee2001794285cbc0840d1507ee017eb60fbfe
SHA51268ebe1535f49c0a17a1fecfdc3d503967be419b328d5e9df9f615b4929eada373f74c1e8e191e7b427ca0e8ba92391fed18378d85176ba0a93cafe6db0443040
-
Filesize
416KB
MD5f38d473c3526c5ea387587bcc0046458
SHA1200a3106ad3eaf5435e118075327b82479e12e3d
SHA256d86335e16653ae445b0be8e577aee2001794285cbc0840d1507ee017eb60fbfe
SHA51268ebe1535f49c0a17a1fecfdc3d503967be419b328d5e9df9f615b4929eada373f74c1e8e191e7b427ca0e8ba92391fed18378d85176ba0a93cafe6db0443040
-
Filesize
416KB
MD5f38d473c3526c5ea387587bcc0046458
SHA1200a3106ad3eaf5435e118075327b82479e12e3d
SHA256d86335e16653ae445b0be8e577aee2001794285cbc0840d1507ee017eb60fbfe
SHA51268ebe1535f49c0a17a1fecfdc3d503967be419b328d5e9df9f615b4929eada373f74c1e8e191e7b427ca0e8ba92391fed18378d85176ba0a93cafe6db0443040
-
Filesize
416KB
MD57b057c25839da1b22eb0d066fa8d0490
SHA101e3d14d25246ab7ff5ad3d0a34c849449ede70e
SHA25626507b1153e89836cc476bb34d48213777b8249e4b0c94aee94d2f3d035089cb
SHA512fc7d95533b790f4a6d073ce454460e86b87030dd287b812fa675e2390170b9b16110f4e05cf3d962d52429ac11563b6dfa45fdfaa377fd4d606e6b8c85ef2429
-
Filesize
416KB
MD5c0840901e675ca966033cce17299614a
SHA14fc5b4197612bcef0b54c79cd43102691dd6c694
SHA256281f9c20941290c597717044e396e01a4eb979804017b205e0f08378dd0af72d
SHA5125388edb9ade2f77d0d5b2a4992f50d4aca0c418c72381a3ab310bf76d2130609d0bc28b43002b61ab2c9fa5f12f71ad4a0838a32e4418620f703a34dd01c0966
-
Filesize
416KB
MD5c0840901e675ca966033cce17299614a
SHA14fc5b4197612bcef0b54c79cd43102691dd6c694
SHA256281f9c20941290c597717044e396e01a4eb979804017b205e0f08378dd0af72d
SHA5125388edb9ade2f77d0d5b2a4992f50d4aca0c418c72381a3ab310bf76d2130609d0bc28b43002b61ab2c9fa5f12f71ad4a0838a32e4418620f703a34dd01c0966
-
Filesize
416KB
MD5979c2e6dfdc33037ed47132d1636743c
SHA1a2959f54e0670433b7bdf0590b04dd43555bf9a8
SHA256c5957f76d53abe9892e22305cccc29d1b1b2a660815f2162bf719f998fb7594e
SHA5124f39ea8a3810388966be8888f8dcbeddc76ee2b2d663ff7acbeb34ccda9744108e78866443cba91878c67fa46f426c07290dea76038a9d2cb28b01281d523969
-
Filesize
416KB
MD5f38d473c3526c5ea387587bcc0046458
SHA1200a3106ad3eaf5435e118075327b82479e12e3d
SHA256d86335e16653ae445b0be8e577aee2001794285cbc0840d1507ee017eb60fbfe
SHA51268ebe1535f49c0a17a1fecfdc3d503967be419b328d5e9df9f615b4929eada373f74c1e8e191e7b427ca0e8ba92391fed18378d85176ba0a93cafe6db0443040
-
Filesize
416KB
MD575f92c30a7e948d12b4b30564d5c6fc7
SHA1993a46241321d5b1d92749ba35af18ee64298a2f
SHA25683a17ebe0c2441a18c93815d44b3533fdad0a8d8595ad3a02da4ea143f06b5af
SHA512462395ab71d09c2652cdf8c3ae64b62c31664af012c7a992cb3a25581e29335cb17acb2bd7e53842a4ad793756b78999c17717f07b8d9579b3751cb4e521e919
-
Filesize
416KB
MD575f92c30a7e948d12b4b30564d5c6fc7
SHA1993a46241321d5b1d92749ba35af18ee64298a2f
SHA25683a17ebe0c2441a18c93815d44b3533fdad0a8d8595ad3a02da4ea143f06b5af
SHA512462395ab71d09c2652cdf8c3ae64b62c31664af012c7a992cb3a25581e29335cb17acb2bd7e53842a4ad793756b78999c17717f07b8d9579b3751cb4e521e919
-
Filesize
416KB
MD57b057c25839da1b22eb0d066fa8d0490
SHA101e3d14d25246ab7ff5ad3d0a34c849449ede70e
SHA25626507b1153e89836cc476bb34d48213777b8249e4b0c94aee94d2f3d035089cb
SHA512fc7d95533b790f4a6d073ce454460e86b87030dd287b812fa675e2390170b9b16110f4e05cf3d962d52429ac11563b6dfa45fdfaa377fd4d606e6b8c85ef2429
-
Filesize
416KB
MD57b057c25839da1b22eb0d066fa8d0490
SHA101e3d14d25246ab7ff5ad3d0a34c849449ede70e
SHA25626507b1153e89836cc476bb34d48213777b8249e4b0c94aee94d2f3d035089cb
SHA512fc7d95533b790f4a6d073ce454460e86b87030dd287b812fa675e2390170b9b16110f4e05cf3d962d52429ac11563b6dfa45fdfaa377fd4d606e6b8c85ef2429
-
Filesize
416KB
MD5c0840901e675ca966033cce17299614a
SHA14fc5b4197612bcef0b54c79cd43102691dd6c694
SHA256281f9c20941290c597717044e396e01a4eb979804017b205e0f08378dd0af72d
SHA5125388edb9ade2f77d0d5b2a4992f50d4aca0c418c72381a3ab310bf76d2130609d0bc28b43002b61ab2c9fa5f12f71ad4a0838a32e4418620f703a34dd01c0966
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
736B
MD5bb5d6abdf8d0948ac6895ce7fdfbc151
SHA19266b7a247a4685892197194d2b9b86c8f6dddbd
SHA2565db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c
-
Filesize
196B
MD51564dfe69ffed40950e5cb644e0894d1
SHA1201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA51272df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097