Analysis
max time kernel: 108s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/01/2024, 11:58
Behavioral task behavioral1
Sample: 10ff65f6e1cd534ba15eb6e44d9541b4.exe
Resource: win7-20231215-en

Behavioral task behavioral2
Sample: 10ff65f6e1cd534ba15eb6e44d9541b4.exe
Resource: win10v2004-20231215-en
General
Target: 10ff65f6e1cd534ba15eb6e44d9541b4.exe
Size: 66KB
MD5: 10ff65f6e1cd534ba15eb6e44d9541b4
SHA1: d5088e7f947a0b0fd86d46b7f65d595115e39484
SHA256: 3dced41060e1f11558c6538ea4dfcbd6511000d03f23792a45f5f1f3ea5503a2
SHA512: f63e3e9a4e50a6adc61706a639b2d91a7f35862ddc2cece5e168d49a29576fa181bfe021420a1ed3cca117f103b2e3c3621aba1afc8c3d0c39c37a6bb2ebee6a
SSDEEP: 1536:o7OE59Vyzrc8K3WgFtKhJP+tcrVOXKzaJThZfaKhQiSEKNJh:WV5998K3WQ8fjEXKgZfnhfxuh
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | system32.exe

Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Gaara.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Gaara.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
Disables RegEdit via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | system32.exe
Disables use of System Restore points (1 TTPs)
Drops file in Drivers directory (24 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
Sets file execution options in registry (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | Gaara.exe
Executes dropped EXE (30 IoCs)
pid | Process
3100 | smss.exe
4092 | smss.exe
744 | Gaara.exe
4660 | smss.exe
2520 | Gaara.exe
4920 | csrss.exe
3884 | smss.exe
4328 | Gaara.exe
4912 | csrss.exe
376 | Kazekage.exe
3480 | smss.exe
2052 | Gaara.exe
3672 | csrss.exe
392 | Kazekage.exe
4384 | system32.exe
4428 | smss.exe
1584 | Gaara.exe
1248 | csrss.exe
224 | Kazekage.exe
3700 | system32.exe
3784 | system32.exe
4092 | smss.exe
3636 | system32.exe
2784 | csrss.exe
3756 | Kazekage.exe
1100 | system32.exe
2316 | Gaara.exe
876 | csrss.exe
4492 | Kazekage.exe
1256 | system32.exe
Loads dropped DLL (18 IoCs)
pid | Process
3100 | smss.exe
4092 | smss.exe
744 | Gaara.exe
4660 | smss.exe
2520 | Gaara.exe
4920 | csrss.exe
3884 | smss.exe
4328 | Gaara.exe
4912 | csrss.exe
3480 | smss.exe
2052 | Gaara.exe
3672 | csrss.exe
4428 | smss.exe
1584 | Gaara.exe
1248 | csrss.exe
2784 | csrss.exe
2316 | Gaara.exe
876 | csrss.exe
Adds Run key to start application (2 TTPs, 24 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 5 - 1 - 2024\\Gaara.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 5 - 1 - 2024\\smss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 5 - 1 - 2024\\Gaara.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "5-1-2024.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 5 - 1 - 2024\\Gaara.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "5-1-2024.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 5 - 1 - 2024\\smss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 5 - 1 - 2024\\smss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 5 - 1 - 2024\\Gaara.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "5-1-2024.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "5-1-2024.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "5-1-2024.exe" | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 5 - 1 - 2024\\smss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 5 - 1 - 2024\\Gaara.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 5 - 1 - 2024\\Gaara.exe" | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 5 - 1 - 2024\\smss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "5-1-2024.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 5 - 1 - 2024\\smss.exe" | 10ff65f6e1cd534ba15eb6e44d9541b4.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Drops desktop.ini file(s) (64 IoCs)
description | ioc | Process
File opened for modification | \??\G:\Desktop.ini | system32.exe
File opened for modification | \??\M:\Desktop.ini | system32.exe
File opened for modification | \??\B:\Desktop.ini | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened for modification | \??\H:\Desktop.ini | smss.exe
File opened for modification | D:\Desktop.ini | Kazekage.exe
File opened for modification | \??\O:\Desktop.ini | Kazekage.exe
File opened for modification | C:\Desktop.ini | system32.exe
File opened for modification | D:\Desktop.ini | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened for modification | \??\E:\Desktop.ini | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened for modification | D:\Desktop.ini | smss.exe
File opened for modification | \??\V:\Desktop.ini | smss.exe
File opened for modification | \??\I:\Desktop.ini | csrss.exe
File opened for modification | \??\Z:\Desktop.ini | Gaara.exe
File opened for modification | C:\Desktop.ini | csrss.exe
File opened for modification | \??\M:\Desktop.ini | Kazekage.exe
File opened for modification | \??\P:\Desktop.ini | system32.exe
File opened for modification | \??\V:\Desktop.ini | system32.exe
File opened for modification | \??\A:\Desktop.ini | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened for modification | \??\H:\Desktop.ini | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened for modification | F:\Desktop.ini | smss.exe
File opened for modification | \??\G:\Desktop.ini | csrss.exe
File opened for modification | \??\W:\Desktop.ini | Kazekage.exe
File opened for modification | \??\V:\Desktop.ini | csrss.exe
File opened for modification | C:\Desktop.ini | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened for modification | \??\Q:\Desktop.ini | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened for modification | \??\V:\Desktop.ini | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened for modification | \??\S:\Desktop.ini | smss.exe
File opened for modification | \??\L:\Desktop.ini | csrss.exe
File opened for modification | D:\Desktop.ini | Gaara.exe
File opened for modification | \??\G:\Desktop.ini | Gaara.exe
File opened for modification | \??\R:\Desktop.ini | Kazekage.exe
File opened for modification | \??\N:\Desktop.ini | smss.exe
File opened for modification | \??\Y:\Desktop.ini | Gaara.exe
File opened for modification | \??\H:\Desktop.ini | csrss.exe
File opened for modification | C:\Desktop.ini | Kazekage.exe
File opened for modification | \??\P:\Desktop.ini | Kazekage.exe
File opened for modification | \??\Z:\Desktop.ini | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened for modification | C:\Desktop.ini | smss.exe
File opened for modification | \??\T:\Desktop.ini | smss.exe
File opened for modification | \??\Z:\Desktop.ini | csrss.exe
File opened for modification | \??\T:\Desktop.ini | Kazekage.exe
File opened for modification | \??\K:\Desktop.ini | Kazekage.exe
File opened for modification | \??\L:\Desktop.ini | Kazekage.exe
File opened for modification | \??\W:\Desktop.ini | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened for modification | \??\X:\Desktop.ini | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened for modification | \??\Z:\Desktop.ini | smss.exe
File opened for modification | \??\N:\Desktop.ini | Gaara.exe
File opened for modification | \??\B:\Desktop.ini | Kazekage.exe
File opened for modification | \??\B:\Desktop.ini | smss.exe
File opened for modification | \??\J:\Desktop.ini | Gaara.exe
File opened for modification | \??\Q:\Desktop.ini | Gaara.exe
File opened for modification | \??\N:\Desktop.ini | Kazekage.exe
File opened for modification | \??\O:\Desktop.ini | Gaara.exe
File opened for modification | \??\S:\Desktop.ini | csrss.exe
File opened for modification | \??\P:\Desktop.ini | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened for modification | \??\S:\Desktop.ini | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened for modification | F:\Desktop.ini | Kazekage.exe
File opened for modification | \??\O:\Desktop.ini | system32.exe
File opened for modification | \??\Y:\Desktop.ini | Kazekage.exe
File opened for modification | \??\R:\Desktop.ini | system32.exe
File opened for modification | \??\R:\Desktop.ini | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened for modification | \??\A:\Desktop.ini | Gaara.exe
File opened for modification | \??\T:\Desktop.ini | Gaara.exe
File opened for modification | \??\V:\Desktop.ini | Kazekage.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\A: | csrss.exe
File opened (read-only) | \??\E: | csrss.exe
File opened (read-only) | \??\Y: | system32.exe
File opened (read-only) | \??\Q: | Kazekage.exe
File opened (read-only) | \??\X: | csrss.exe
File opened (read-only) | \??\Q: | system32.exe
File opened (read-only) | \??\A: | Kazekage.exe
File opened (read-only) | \??\I: | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened (read-only) | \??\R: | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened (read-only) | \??\I: | Gaara.exe
File opened (read-only) | \??\R: | Gaara.exe
File opened (read-only) | \??\U: | Gaara.exe
File opened (read-only) | \??\S: | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened (read-only) | \??\H: | smss.exe
File opened (read-only) | \??\O: | system32.exe
File opened (read-only) | \??\N: | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened (read-only) | \??\R: | smss.exe
File opened (read-only) | \??\N: | Gaara.exe
File opened (read-only) | \??\J: | system32.exe
File opened (read-only) | \??\I: | Kazekage.exe
File opened (read-only) | \??\E: | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened (read-only) | \??\Z: | system32.exe
File opened (read-only) | \??\P: | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened (read-only) | \??\I: | csrss.exe
File opened (read-only) | \??\P: | csrss.exe
File opened (read-only) | \??\U: | csrss.exe
File opened (read-only) | \??\W: | csrss.exe
File opened (read-only) | \??\I: | system32.exe
File opened (read-only) | \??\H: | Gaara.exe
File opened (read-only) | \??\Y: | Gaara.exe
File opened (read-only) | \??\Z: | Gaara.exe
File opened (read-only) | \??\B: | csrss.exe
File opened (read-only) | \??\X: | system32.exe
File opened (read-only) | \??\T: | Gaara.exe
File opened (read-only) | \??\M: | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened (read-only) | \??\O: | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened (read-only) | \??\O: | smss.exe
File opened (read-only) | \??\S: | smss.exe
File opened (read-only) | \??\B: | Gaara.exe
File opened (read-only) | \??\L: | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened (read-only) | \??\Z: | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened (read-only) | \??\E: | Gaara.exe
File opened (read-only) | \??\N: | smss.exe
File opened (read-only) | \??\V: | Gaara.exe
File opened (read-only) | \??\N: | system32.exe
File opened (read-only) | \??\K: | Kazekage.exe
File opened (read-only) | \??\N: | Kazekage.exe
File opened (read-only) | \??\K: | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened (read-only) | \??\T: | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened (read-only) | \??\I: | smss.exe
File opened (read-only) | \??\P: | Gaara.exe
File opened (read-only) | \??\W: | Kazekage.exe
File opened (read-only) | \??\Q: | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened (read-only) | \??\J: | smss.exe
File opened (read-only) | \??\P: | system32.exe
File opened (read-only) | \??\R: | Kazekage.exe
File opened (read-only) | \??\W: | system32.exe
File opened (read-only) | \??\X: | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened (read-only) | \??\A: | Gaara.exe
File opened (read-only) | \??\J: | Gaara.exe
File opened (read-only) | \??\Z: | csrss.exe
File opened (read-only) | \??\S: | system32.exe
File opened (read-only) | \??\V: | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened (read-only) | \??\U: | smss.exe
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File created | \??\L:\Autorun.inf | Gaara.exe
File opened for modification | D:\Autorun.inf | Kazekage.exe
File created | \??\M:\Autorun.inf | Kazekage.exe
File created | \??\S:\Autorun.inf | Kazekage.exe
File opened for modification | \??\H:\Autorun.inf | smss.exe
File created | \??\I:\Autorun.inf | smss.exe
File opened for modification | \??\K:\Autorun.inf | Gaara.exe
File opened for modification | \??\S:\Autorun.inf | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File created | \??\G:\Autorun.inf | smss.exe
File opened for modification | D:\Autorun.inf | system32.exe
File created | \??\B:\Autorun.inf | Kazekage.exe
File created | \??\W:\Autorun.inf | Kazekage.exe
File opened for modification | \??\R:\Autorun.inf | system32.exe
File created | \??\Z:\Autorun.inf | system32.exe
File opened for modification | \??\I:\Autorun.inf | Gaara.exe
File created | \??\N:\Autorun.inf | csrss.exe
File opened for modification | \??\P:\Autorun.inf | csrss.exe
File opened for modification | F:\Autorun.inf | Kazekage.exe
File opened for modification | \??\P:\Autorun.inf | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened for modification | \??\N:\Autorun.inf | Gaara.exe
File opened for modification | \??\E:\Autorun.inf | Kazekage.exe
File created | \??\M:\Autorun.inf | system32.exe
File opened for modification | \??\X:\Autorun.inf | Kazekage.exe
File created | \??\A:\Autorun.inf | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened for modification | F:\Autorun.inf | system32.exe
File opened for modification | \??\J:\Autorun.inf | system32.exe
File opened for modification | \??\I:\Autorun.inf | system32.exe
File created | \??\E:\Autorun.inf | csrss.exe
File created | \??\Q:\Autorun.inf | csrss.exe
File created | \??\Z:\Autorun.inf | csrss.exe
File opened for modification | \??\O:\Autorun.inf | Kazekage.exe
File opened for modification | \??\M:\Autorun.inf | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened for modification | \??\P:\Autorun.inf | smss.exe
File opened for modification | \??\T:\Autorun.inf | Gaara.exe
File created | \??\N:\Autorun.inf | system32.exe
File created | \??\P:\Autorun.inf | system32.exe
File opened for modification | \??\T:\Autorun.inf | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened for modification | \??\S:\Autorun.inf | smss.exe
File opened for modification | \??\U:\Autorun.inf | csrss.exe
File opened for modification | \??\B:\Autorun.inf | csrss.exe
File opened for modification | C:\Autorun.inf | csrss.exe
File opened for modification | D:\Autorun.inf | csrss.exe
File created | \??\H:\Autorun.inf | Kazekage.exe
File created | \??\K:\Autorun.inf | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened for modification | \??\X:\Autorun.inf | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened for modification | \??\X:\Autorun.inf | Gaara.exe
File opened for modification | \??\L:\Autorun.inf | Gaara.exe
File opened for modification | \??\R:\Autorun.inf | Gaara.exe
File created | \??\R:\Autorun.inf | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File created | \??\U:\Autorun.inf | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened for modification | \??\O:\Autorun.inf | smss.exe
File created | \??\S:\Autorun.inf | Gaara.exe
File created | \??\R:\Autorun.inf | system32.exe
File opened for modification | \??\B:\Autorun.inf | smss.exe
File created | \??\Y:\Autorun.inf | smss.exe
File opened for modification | \??\A:\Autorun.inf | Gaara.exe
File created | \??\P:\Autorun.inf | smss.exe
File created | \??\S:\Autorun.inf | csrss.exe
File opened for modification | \??\O:\Autorun.inf | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File created | \??\S:\Autorun.inf | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File created | \??\L:\Autorun.inf | smss.exe
File created | \??\G:\Autorun.inf | system32.exe
File opened for modification | \??\M:\Autorun.inf | Kazekage.exe
File created | \??\Q:\Autorun.inf | Kazekage.exe
Drops file in System32 directory 39 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\5-1-2024.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\ | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened for modification | C:\Windows\SysWOW64\ | csrss.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\SysWOW64\ | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\5-1-2024.exe | csrss.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\SysWOW64\5-1-2024.exe | system32.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | system32.exe
File created | C:\Windows\SysWOW64\Desktop.ini | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened for modification | C:\Windows\SysWOW64\5-1-2024.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | csrss.exe
File created | C:\Windows\SysWOW64\5-1-2024.exe | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | smss.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | csrss.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\SysWOW64\5-1-2024.exe | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | system32.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | system32.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened for modification | C:\Windows\SysWOW64\ | system32.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\ | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\ | smss.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | system32.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\5-1-2024.exe | Gaara.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | Gaara.exe
File created | C:\Windows\SysWOW64\mscomctl.ocx | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | smss.exe
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | system32.exe
Drops file in Windows directory 64 IoCs
description | ioc | Process
File created | C:\Windows\system\msvbvm60.dll | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | Kazekage.exe
File created | C:\Windows\mscomctl.ocx | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened for modification | C:\Windows\ | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened for modification | C:\Windows\Fonts\Admin 5 - 1 - 2024\smss.exe | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened for modification | C:\Windows\msvbvm60.dll | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | system32.exe
File opened for modification | C:\Windows\msvbvm60.dll | system32.exe
File opened for modification | C:\Windows\Fonts\Admin 5 - 1 - 2024\msvbvm60.dll | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened for modification | C:\Windows\msvbvm60.dll | Gaara.exe
File created | C:\Windows\Fonts\Admin 5 - 1 - 2024\csrss.exe | Kazekage.exe
File opened for modification | C:\Windows\system\mscoree.dll | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened for modification | C:\Windows\Fonts\Admin 5 - 1 - 2024\Gaara.exe | smss.exe
File created | C:\Windows\WBEM\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\system\mscoree.dll | csrss.exe
File created | C:\Windows\WBEM\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\msvbvm60.dll | Kazekage.exe
File created | C:\Windows\WBEM\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\mscomctl.ocx | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened for modification | C:\Windows\Fonts\Admin 5 - 1 - 2024\csrss.exe | smss.exe
File created | C:\Windows\Fonts\Admin 5 - 1 - 2024\msvbvm60.dll | Gaara.exe
File created | C:\Windows\Fonts\Admin 5 - 1 - 2024\Gaara.exe | csrss.exe
File created | C:\Windows\Fonts\Admin 5 - 1 - 2024\smss.exe | system32.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | system32.exe
File opened for modification | C:\Windows\mscomctl.ocx | smss.exe
File opened for modification | C:\Windows\mscomctl.ocx | csrss.exe
File created | C:\Windows\Fonts\Admin 5 - 1 - 2024\Gaara.exe | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened for modification | C:\Windows\system\mscoree.dll | smss.exe
File created | C:\Windows\Fonts\Admin 5 - 1 - 2024\csrss.exe | csrss.exe
File created | C:\Windows\WBEM\msvbvm60.dll | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | smss.exe
File created | C:\Windows\Fonts\Admin 5 - 1 - 2024\smss.exe | csrss.exe
File opened for modification | C:\Windows\system\mscoree.dll | system32.exe
File created | C:\Windows\Fonts\Admin 5 - 1 - 2024\msvbvm60.dll | system32.exe
File opened for modification | C:\Windows\ | system32.exe
File opened for modification | C:\Windows\ | Kazekage.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File created | C:\Windows\Fonts\Admin 5 - 1 - 2024\csrss.exe | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File created | C:\Windows\Fonts\Admin 5 - 1 - 2024\smss.exe | Gaara.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | csrss.exe
File opened for modification | C:\Windows\Fonts\Admin 5 - 1 - 2024\csrss.exe | csrss.exe
File opened for modification | C:\Windows\system\mscoree.dll | Kazekage.exe
File opened for modification | C:\Windows\Fonts\Admin 5 - 1 - 2024\smss.exe | Kazekage.exe
File opened for modification | C:\Windows\ | Gaara.exe
File opened for modification | C:\Windows\Fonts\Admin 5 - 1 - 2024\smss.exe | smss.exe
File opened for modification | C:\Windows\system\mscoree.dll | Gaara.exe
File opened for modification | C:\Windows\ | csrss.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | Gaara.exe
File opened for modification | C:\Windows\Fonts\Admin 5 - 1 - 2024\smss.exe | Gaara.exe
File opened for modification | C:\Windows\Fonts\Admin 5 - 1 - 2024\Gaara.exe | csrss.exe
File opened for modification | C:\Windows\Fonts\Admin 5 - 1 - 2024\Gaara.exe | Kazekage.exe
File opened for modification | C:\Windows\Fonts\Admin 5 - 1 - 2024\csrss.exe | system32.exe
File opened for modification | C:\Windows\Fonts\Admin 5 - 1 - 2024\Gaara.exe | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File opened for modification | C:\Windows\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\Fonts\Admin 5 - 1 - 2024\Gaara.exe | Gaara.exe
File created | C:\Windows\Fonts\Admin 5 - 1 - 2024\Gaara.exe | Kazekage.exe
File opened for modification | C:\Windows\ | smss.exe
File opened for modification | C:\Windows\mscomctl.ocx | Gaara.exe
File created | C:\Windows\Fonts\Admin 5 - 1 - 2024\msvbvm60.dll | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
File created | C:\Windows\Fonts\Admin 5 - 1 - 2024\smss.exe | smss.exe
File created | C:\Windows\Fonts\Admin 5 - 1 - 2024\csrss.exe | smss.exe
File opened for modification | C:\Windows\Fonts\Admin 5 - 1 - 2024\csrss.exe | Kazekage.exe
File created | C:\Windows\WBEM\msvbvm60.dll | system32.exe
File created | C:\Windows\WBEM\msvbvm60.dll | smss.exe
Modifies Control Panel 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Screen Saver.Marquee\Size = "72" | smss.exe
Key created | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Desktop | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Screen Saver.Marquee\Size = "72" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | smss.exe
Key created | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Desktop | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | Gaara.exe
Key created | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Screen Saver.Marquee | system32.exe
Key created | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Desktop | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Screen Saver.Marquee\Size = "72" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | smss.exe
Key created | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Screen Saver.Marquee | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Screen Saver.Marquee\Size = "72" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Desktop\WallpaperStyle = "2" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | Kazekage.exe
Key created | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Screen Saver.Marquee | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Desktop\WallpaperStyle = "2" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | Kazekage.exe
Key created | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Desktop | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
Key created | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Desktop | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Desktop\WallpaperStyle = "2" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | smss.exe
Key created | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Screen Saver.Marquee | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Screen Saver.Marquee\Size = "72" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Desktop\WallpaperStyle = "2" | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Desktop\WallpaperStyle = "2" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | system32.exe
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | Gaara.exe
Key created | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Internet Explorer\Main | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | Kazekage.exe
Key created | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Internet Explorer\Main | system32.exe
Key created | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Internet Explorer\Main | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
Key created | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Internet Explorer\Main | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
Key created | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Internet Explorer\Main | Gaara.exe
Key created | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Internet Explorer\Main | Kazekage.exe
Modifies registry class 51 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | 10ff65f6e1cd534ba15eb6e44d9541b4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | Gaara.exe
Runs ping.exe 1 TTPs 34 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of SetWindowsHookEx 31 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 12 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 10ff65f6e1cd534ba15eb6e44d9541b4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 10ff65f6e1cd534ba15eb6e44d9541b4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Gaara.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\10ff65f6e1cd534ba15eb6e44d9541b4.exe"C:\Users\Admin\AppData\Local\Temp\10ff65f6e1cd534ba15eb6e44d9541b4.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4928 -
C:\Windows\Fonts\Admin 5 - 1 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 5 - 1 - 2024\Gaara.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2316
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1256
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4492
-
-
C:\Windows\Fonts\Admin 5 - 1 - 2024\csrss.exe"C:\Windows\Fonts\Admin 5 - 1 - 2024\csrss.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:876 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:1904
-
-
-
C:\Windows\Fonts\Admin 5 - 1 - 2024\smss.exe"C:\Windows\Fonts\Admin 5 - 1 - 2024\smss.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3100 -
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- Runs ping.exe
PID:3808
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- Runs ping.exe
PID:412
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- Runs ping.exe
PID:3744
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- Runs ping.exe
PID:3168
-
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- Runs ping.exe
PID:5024
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- Runs ping.exe
PID:548
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- Runs ping.exe
PID:4360
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- Runs ping.exe
PID:4468
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- Runs ping.exe
PID:2716
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- Runs ping.exe
PID:2688
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1100
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3756
-
C:\Windows\Fonts\Admin 5 - 1 - 2024\csrss.exe"C:\Windows\Fonts\Admin 5 - 1 - 2024\csrss.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2784
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3636
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe1⤵PID:4092
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3784
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3700
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:224
-
C:\Windows\Fonts\Admin 5 - 1 - 2024\csrss.exe"C:\Windows\Fonts\Admin 5 - 1 - 2024\csrss.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1248
-
C:\Windows\Fonts\Admin 5 - 1 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 5 - 1 - 2024\Gaara.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1584
-
C:\Windows\Fonts\Admin 5 - 1 - 2024\smss.exe"C:\Windows\Fonts\Admin 5 - 1 - 2024\smss.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4428
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4384 -
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- Runs ping.exe
PID:1492
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- Runs ping.exe
PID:3136
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- Runs ping.exe
PID:5072
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- Runs ping.exe
PID:1156
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- Runs ping.exe
PID:3528
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- Runs ping.exe
PID:4360
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:392
-
C:\Windows\Fonts\Admin 5 - 1 - 2024\csrss.exe"C:\Windows\Fonts\Admin 5 - 1 - 2024\csrss.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3672
-
C:\Windows\Fonts\Admin 5 - 1 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 5 - 1 - 2024\Gaara.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2052
-
C:\Windows\Fonts\Admin 5 - 1 - 2024\smss.exe"C:\Windows\Fonts\Admin 5 - 1 - 2024\smss.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3480
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:376 -
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- Runs ping.exe
PID:3580
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- Runs ping.exe
PID:1328
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- Runs ping.exe
PID:940
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- Runs ping.exe
PID:3436
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- Runs ping.exe
PID:876
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- Runs ping.exe
PID:2688
-
-
C:\Windows\Fonts\Admin 5 - 1 - 2024\csrss.exe"C:\Windows\Fonts\Admin 5 - 1 - 2024\csrss.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4912
-
C:\Windows\Fonts\Admin 5 - 1 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 5 - 1 - 2024\Gaara.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4328
-
C:\Windows\Fonts\Admin 5 - 1 - 2024\smss.exe"C:\Windows\Fonts\Admin 5 - 1 - 2024\smss.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3884
-
C:\Windows\Fonts\Admin 5 - 1 - 2024\csrss.exe"C:\Windows\Fonts\Admin 5 - 1 - 2024\csrss.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4920 -
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- Runs ping.exe
PID:4528
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- Runs ping.exe
PID:3712
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- Runs ping.exe
PID:1904
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- Runs ping.exe
PID:2476
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- Runs ping.exe
PID:4528
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- Runs ping.exe
PID:3424
-
-
C:\Windows\Fonts\Admin 5 - 1 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 5 - 1 - 2024\Gaara.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2520
-
C:\Windows\Fonts\Admin 5 - 1 - 2024\smss.exe"C:\Windows\Fonts\Admin 5 - 1 - 2024\smss.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4660
-
C:\Windows\Fonts\Admin 5 - 1 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 5 - 1 - 2024\Gaara.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:744 -
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- Runs ping.exe
PID:2524
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- Runs ping.exe
PID:2344
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- Runs ping.exe
PID:516
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- Runs ping.exe
PID:3460
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- Runs ping.exe
PID:3744
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- Runs ping.exe
PID:1464
-
-
C:\Windows\Fonts\Admin 5 - 1 - 2024\smss.exe"C:\Windows\Fonts\Admin 5 - 1 - 2024\smss.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4092
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵PID:3808
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 3
Registry Run Keys / Startup Folder 2
Winlogon Helper DLL 1
Privilege Escalation
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Boot or Logon Autostart Execution 3
Registry Run Keys / Startup Folder 2
Winlogon Helper DLL 1
Defense Evasion
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Hide Artifacts 2
Hidden Files and Directories 2
Impair Defenses 1
Disable or Modify Tools 1
Modify Registry 9
Downloads