Analysis
max time kernel: 74s
max time network: 126s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 14/01/2024, 02:24
Behavioral tasks
behavioral1: sample 57677274e811ac80cbc112ea2f6d4ebc.exe, resource win7-20231215-en
behavioral2: sample 57677274e811ac80cbc112ea2f6d4ebc.exe, resource win10v2004-20231222-en
(Only behavioral1 results appear on this page.)
General
Target: 57677274e811ac80cbc112ea2f6d4ebc.exe
Size: 150KB
MD5: 57677274e811ac80cbc112ea2f6d4ebc
SHA1: a01bf46d2b91144f2c2250501fe21d35b81a90cc
SHA256: 6f249f6626140d445b7764ea4a06e87a66fb83f1388e9e505338d686778aff47
SHA512: f94c39f683ff6f674767461c1343f245fcc2ead7584837b0b3182afa02399209157dc53a677eaa9dc64181247a3dda65359019aa095de6f4df84a0af74c77647
SSDEEP: 3072:5V5998K3WQ8fjEXKgZfnhfxuYV5998K3WQ8fjEXKgZfnhfxuwV59U:5VG84jqfhZVG84jqfhJV4
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" by: Kazekage.exe, Gaara.exe, system32.exe, 57677274e811ac80cbc112ea2f6d4ebc.exe, csrss.exe, smss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" by: system32.exe, 57677274e811ac80cbc112ea2f6d4ebc.exe, smss.exe, Kazekage.exe, Gaara.exe, csrss.exe
Note: Userinit and Shell are comma-separated lists, so appending drivers\\system32.exe and drivers\\csrss.exe makes winlogon.exe start both at logon alongside the real userinit.exe and Explorer.exe; the relative paths resolve against winlogon's own directory, %SystemRoot%\System32. On this 64-bit image the 32-bit sample's writes were redirected into the Wow6432Node view, which the native 64-bit winlogon.exe does not read, and the payloads were dropped under SysWOW64\drivers (see "Drops file in Drivers directory"), so this persistence only lines up on a 32-bit Windows install.
Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" by: Gaara.exe, system32.exe, 57677274e811ac80cbc112ea2f6d4ebc.exe, csrss.exe, smss.exe, Kazekage.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 6 IoCs)
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" by: system32.exe, 57677274e811ac80cbc112ea2f6d4ebc.exe, csrss.exe, smss.exe, Kazekage.exe, Gaara.exe
Note: ShowSuperHidden = 0 keeps files carrying both the Hidden and System attributes out of Explorer even when "show hidden files" is on; together with HideFileExt = 1 it lets a dropped executable pass as a document or folder. Both are also the Windows defaults, so on a suspect host the write event, not the resulting value, is the indicator.
Sets EnableLUA = 0 (disables UAC) (6 IoCs)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" by: Kazekage.exe, Gaara.exe, system32.exe, 57677274e811ac80cbc112ea2f6d4ebc.exe, csrss.exe, smss.exe
Note: Policies\System is not redirected for 32-bit processes, so unlike the Winlogon and Run keys this write reaches the live key on 64-bit Windows; the change takes effect at the next reboot.
Disables RegEdit via registry modification (6 IoCs)
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" by: Kazekage.exe, Gaara.exe, system32.exe, 57677274e811ac80cbc112ea2f6d4ebc.exe, csrss.exe, smss.exe
Disables use of System Restore points (1 TTP)
Drops file in Drivers directory (24 IoCs)
Each of the six processes (csrss.exe, smss.exe, Gaara.exe, Kazekage.exe, system32.exe, 57677274e811ac80cbc112ea2f6d4ebc.exe) both created and opened for modification:
C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\SysWOW64\drivers\system32.exe
Note: the files land in SysWOW64\drivers rather than System32\drivers, which is what WOW64 file-system redirection does to a 32-bit process writing into %SystemRoot%\System32 on 64-bit Windows. The Winlogon and IFEO values reference the relative path drivers\\..., which a 64-bit process resolves under System32\drivers, where nothing was written on this image.
Sets file execution options in registry (2 TTPs, 64 IoCs)
All keys are under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ (a shared key, so the writes are not redirected). Windows starts the Debugger string with the original program's command line appended, so Debugger = "drivers\\Kazekage.exe" runs the dropped binary in place of the named tool (with the tool's path as its argument), and Debugger = "cmd.exe /c del" deletes the named file the moment anyone launches it. The second group targets names that are not Windows components (several are Naruto character names, like the sample's own dropped files), while the first group covers the scripting hosts, Task Manager, regedit and the System Restore UI (rstrui.exe), which is what the "Disables use of System Restore points" signature above reflects.
Debugger = "drivers\\Kazekage.exe" (Windows tools hijacked):
cscript.exe: key created by 57677274e811ac80cbc112ea2f6d4ebc.exe, csrss.exe; Debugger set by csrss.exe
wscript.exe: key created by system32.exe; Debugger set by Kazekage.exe, 57677274e811ac80cbc112ea2f6d4ebc.exe
mmc.exe: key created by smss.exe; Debugger set by Kazekage.exe
msconfig.exe: key created by 57677274e811ac80cbc112ea2f6d4ebc.exe; Debugger set by system32.exe
regedt32.exe: key created by system32.exe, Kazekage.exe; Debugger set by Gaara.exe
regedit.exe: key created by Kazekage.exe (no Debugger value among the listed IoCs)
rstrui.exe: key created by 57677274e811ac80cbc112ea2f6d4ebc.exe, smss.exe, csrss.exe; Debugger set by smss.exe, system32.exe
taskmgr.exe: key created by Kazekage.exe; Debugger set by Gaara.exe
procexp.exe: key created by system32.exe (no Debugger value among the listed IoCs)
Debugger = "cmd.exe /c del" (launching these names deletes the file):
KakashiHatake.exe: key created by Gaara.exe, system32.exe; Debugger set by system32.exe, Kazekage.exe, 57677274e811ac80cbc112ea2f6d4ebc.exe, smss.exe
HokageFile.exe: key created by csrss.exe; Debugger set by Gaara.exe, Kazekage.exe
HOKAGE4.exe: key created by system32.exe, csrss.exe, smss.exe, Gaara.exe; Debugger set by 57677274e811ac80cbc112ea2f6d4ebc.exe
Thumbs.com: key created by system32.exe, smss.exe, 57677274e811ac80cbc112ea2f6d4ebc.exe; Debugger set by system32.exe, smss.exe, Gaara.exe
Funny UST Scandal.avi.exe: key created by system32.exe, 57677274e811ac80cbc112ea2f6d4ebc.exe; Debugger set by system32.exe, csrss.exe, 57677274e811ac80cbc112ea2f6d4ebc.exe, Kazekage.exe
Funny UST Scandal.exe: key created by smss.exe; Debugger set by smss.exe, system32.exe, Kazekage.exe
Rin.exe: Debugger set by system32.exe
Obito.exe: key created by csrss.exe, Gaara.exe; Debugger set by smss.exe
kspool.exe: key created by 57677274e811ac80cbc112ea2f6d4ebc.exe, smss.exe, Gaara.exe, system32.exe; Debugger set by Kazekage.exe
kspoold.exe: key created by 57677274e811ac80cbc112ea2f6d4ebc.exe; Debugger set by system32.exe, 57677274e811ac80cbc112ea2f6d4ebc.exe
Executes dropped EXE (30 IoCs)
smss.exe: PIDs 2080, 2640, 2596, 1068, 2800, 1168
Gaara.exe: PIDs 2740, 2512, 1964, 2220, 1908, 1604
csrss.exe: PIDs 2984, 1160, 2672, 1668, 916, 1528
Kazekage.exe: PIDs 2188, 2844, 2192, 1016, 880, 2088
system32.exe: PIDs 1036, 1920, 1372, 2412, 3020, 2900
Note: smss.exe, csrss.exe and system32.exe here are dropped executables named after Windows components; the genuine smss.exe and csrss.exe run once each from %SystemRoot%\System32 as SYSTEM, so image path and parent process separate them from these copies.
Loads dropped DLL (60 IoCs)
Process (PID): number of load events
57677274e811ac80cbc112ea2f6d4ebc.exe (2432): 8
smss.exe (2080): 8; (2640): 1; (2596): 1; (1068): 1; (2800): 1; (1168): 1
Gaara.exe (2740): 8; (2512): 1; (1964): 1; (2220): 1; (1908): 1; (1604): 1
csrss.exe (2984): 7; (1160): 1; (2672): 1; (1668): 1; (916): 1; (1528): 1
Kazekage.exe (2188): 7
system32.exe (1036): 7
YARA rule matches: upx (64 resources in behavioral1)
Dropped files:
behavioral1/files/0x000a000000016cc4-14.dat, -55.dat, -100.dat, -150.dat
behavioral1/files/0x0007000000016c74-30.dat, -170.dat
behavioral1/files/0x000500000001946e-63.dat, -108.dat, -158.dat, -246.dat
behavioral1/files/0x0007000000016fb9-59.dat, -104.dat, -154.dat
behavioral1/files/0x0007000000016cb0-51.dat, -96.dat
behavioral1/files/0x0007000000016c8f-47.dat
Memory dumps (behavioral1/memory/<pid>-<n>, region 0x00400000-0x0042A000 unless noted):
2432-0, 2432-32 (0x003B0000-0x003DA000), 2080-40, 2080-81 (0x004B0000-0x004DA000), 2740-88, 2640-78, 2596-123, 2596-129, 2512-127, 2512-132, 2432-142, 2984-144, 2080-171, 1068-176, 1964-183, 1160-190, 2740-197, 2188-201, 2800-229, 2220-232, 2672-233, 2672-237, 2844-242, 2984-243, 1036-247, 1168-263, 1908-266, 2188-267, 1668-271, 1668-272, 2192-278, 1920-280, 1920-284, 2984-283 (0x005C0000-0x005EA000), 1036-285, 1372-292, 1016-298, 2412-301, 916-305, 880-311, 3020-314, 1604-320, 1528-323, 1528-326, 2080-327, 2432-331 (0x003B0000-0x003DA000), 2088-332, 2900-335
The same UPX-packed 0x2A000-byte image appears in the original sample and in every dropped process, consistent with each dropped file being a copy of the sample under a different name.
Adds Run key to start application (2 TTPs, 24 IoCs)
All values are under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run, and each was written by all six processes (Kazekage.exe, Gaara.exe, system32.exe, 57677274e811ac80cbc112ea2f6d4ebc.exe, csrss.exe, smss.exe):
Set value (str) ...\Run\644r4 = "14-1-2024.exe"
Set value (str) ...\Run\DesertSand = "Fonts\\Admin 14 - 1 - 2024\\smss.exe"
Set value (str) ...\Run\SystemRun = "drivers\\csrss.exe"
Set value (str) ...\Run\FreeAV = "Fonts\\Admin 14 - 1 - 2024\\Gaara.exe"
Note: "14-1-2024" and "Admin 14 - 1 - 2024" are the date of this run (submitted 14/01/2024), so the 644r4, DesertSand and FreeAV targets are generated at infection time and will differ on another host; the value names and the drivers\\csrss.exe target are the stable indicators. Unlike the Winlogon values, Run entries under Wow6432Node are still processed at logon on 64-bit Windows.
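Added host-audit example (not part of the Triage report and not the malware's code): the PowerShell below checks a Windows host for the Winlogon, IFEO and Run-key persistence, the policy and Explorer settings, and the dropped-file paths listed in the sections above. It assumes the stock Winlogon defaults (Userinit = C:\Windows\system32\userinit.exe with a trailing comma, Shell = explorer.exe), PowerShell 4 or later (for Get-FileHash), an elevated session, and uses the value names and paths exactly as they appear in this report. The IFEO and Run-key checks are heuristics, so each finding needs review rather than being taken as proof of infection.

```powershell
# Added audit script (not from the report). Run as Administrator.
$findings = [System.Collections.Generic.List[string]]::new()
function Add-Finding([string]$Message) { $findings.Add($Message) }

# 1. Winlogon Userinit / Shell in both the native and the WOW64 view. A 32-bit
#    sample's write lands in Wow6432Node on x64 (as in this report), so both
#    views must be read or the finding is missed on the other architecture.
$winlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
foreach ($key in $winlogonKeys) {
    if (-not (Test-Path $key)) { continue }
    $wl = Get-ItemProperty -Path $key
    # Assumed stock values: Userinit = "C:\Windows\system32\userinit.exe,"
    # and Shell = "explorer.exe". Anything after the comma also runs at logon.
    if ($wl.Userinit -and $wl.Userinit -notmatch '^[A-Za-z]:\\Windows\\system32\\userinit\.exe,?\s*$') {
        Add-Finding "Winlogon Userinit tampered in ${key}: $($wl.Userinit)"
    }
    if ($wl.Shell -and $wl.Shell -notmatch '^explorer\.exe\s*$') {
        Add-Finding "Winlogon Shell tampered in ${key}: $($wl.Shell)"
    }
}

# 2. IFEO Debugger values. Windows starts the Debugger string with the original
#    command line appended, so "cmd.exe /c del" deletes the program being launched
#    and "drivers\Kazekage.exe" runs in its place. IFEO is a shared key, so one
#    view suffices. Legitimate debuggers can appear here too: review each hit.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { Add-Finding "IFEO Debugger on $($_.PSChildName): $dbg" }
}

# 3. Run keys in both views (entries under Wow6432Node still execute at logon).
#    Flag the value names from the report and, as a heuristic, any command that
#    is a relative path (no drive letter, %variable% or UNC prefix).
$reportRunNames = @('644r4', 'DesertSand', 'SystemRun', 'FreeAV')
$providerProps  = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -in $providerProps) { continue }   # provider metadata, not a value
        $cmd = [string]$p.Value
        if ($p.Name -in $reportRunNames -or $cmd -notmatch '^"?([A-Za-z]:\\|%|\\\\)') {
            Add-Finding "Run value '$($p.Name)' in ${key}: $cmd"
        }
    }
}

# 4. Tamper settings. EnableLUA is machine-wide (Policies\System is not
#    redirected); the others are per user, so walk every loaded profile hive.
#    HideFileExt = 1 and ShowSuperHidden = 0 are also Windows defaults, so they
#    are reported as context only.
$lua = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue).EnableLUA
if ($lua -eq 0) { Add-Finding 'UAC disabled: EnableLUA = 0 (effective after reboot)' }

$null = New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue
Get-ChildItem HKU:\ | Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } | ForEach-Object {
    $sid = $_.PSChildName
    $pol = Get-ItemProperty "HKU:\$sid\Software\Microsoft\Windows\CurrentVersion\Policies\System" -ErrorAction SilentlyContinue
    if ($pol.DisableRegistryTools -eq 1) { Add-Finding "Registry editor disabled for $sid (DisableRegistryTools = 1)" }
    $adv = Get-ItemProperty "HKU:\$sid\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -ErrorAction SilentlyContinue
    if ($adv.HideFileExt -eq 1 -and $adv.ShowSuperHidden -eq 0) {
        Add-Finding "Context: $sid hides extensions and super-hidden files (matches the report, but also the default)"
    }
}

# 5. Dropped binaries at the report's paths, in both directories a relative
#    "drivers\..." reference can resolve to, plus Desktop.ini in every drive root.
$drops = @('Kazekage.exe', 'system32.exe') | ForEach-Object {
    "$env:SystemRoot\SysWOW64\drivers\$_"
    "$env:SystemRoot\System32\drivers\$_"
}
foreach ($f in $drops) {
    if (Test-Path -LiteralPath $f) {
        $h = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        Add-Finding "Dropped file present: $f (SHA256 $h)"
    }
}
foreach ($d in (Get-PSDrive -PSProvider FileSystem)) {
    $ini = Join-Path $d.Root 'Desktop.ini'
    if (Test-Path -LiteralPath $ini) { Add-Finding "Desktop.ini in drive root: $ini" }
}

if ($findings.Count -eq 0) { 'No indicators from the report were found.' } else { $findings }
```

On a clean 64-bit machine the Winlogon and IFEO checks should return nothing and the Run-key heuristic only expandable-string entries; a hit on the Wow6432Node Winlogon key with the report's values but no file under System32\drivers is the "redirected on x64" situation described above and still warrants cleanup of the key.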
Drops desktop.ini file(s) (64 IoCs)
File opened for modification <drive>:\Desktop.ini, by process (raw log shows \??\X:\Desktop.ini, except C:, D: and F: which appear without the \??\ prefix):
Kazekage.exe: A:, D:, E:, F:, G:, H:, I:, J:, M:, O:, P:, R:, S:, U:
Gaara.exe: F:, H:, M:, N:, O:, Q:, R:, T:, V:, W:, Y:, Z:
smss.exe: A:, F:, G:, I:, K:, L:, P:, S:, U:, W:, Y:
57677274e811ac80cbc112ea2f6d4ebc.exe: B:, H:, J:, K:, S:, U:, W:, X:, Z:
system32.exe: C:, F:, G:, H:, J:, R:, S:, U:, W:, X:
csrss.exe: E:, I:, J:, N:, S:, U:, W:, X:
Note: Explorer reads a Desktop.ini in a folder or drive root to customize how that folder is shown; writing one to every drive letter, combined with the HideFileExt and ShowSuperHidden changes above, is the usual pattern for hiding worm files on removable media.
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory 38 IoCs
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
Drops file in Windows directory 64 IoCs
Modifies Control Panel 64 IoCs
Modifies registry class 48 IoCs
Runs ping.exe 1 TTPs 34 IoCs
pid Process (all ping.exe)
2724, 2980, 1260, 2900, 1752, 1800, 2864, 1928, 2756, 1476, 2392, 2976, 2548, 1536, 2564, 2620, 408, 1660, 2916, 1748, 932, 1508, 1320, 2980, 796, 2072, 2556, 2800, 2320, 1140, 524, 1656, 660, 1256
PID 2980 appears twice: two separate ping.exe processes in the tree below received the same PID, which Windows only hands out again after the first holder has exited. Every invocation has the form "ping -a -l <host> 65500"; Windows ping expects a byte count directly after -l, so in these command lines the hostname sits where the size belongs.
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process (count)
2188 Kazekage.exe (12)
2740 Gaara.exe (12)
1036 system32.exe (12)
2432 57677274e811ac80cbc112ea2f6d4ebc.exe (12)
2984 csrss.exe (12)
2080 smss.exe (4; the listing stops at 64 entries)
Suspicious use of SetWindowsHookEx 31 IoCs
pid Process
2432 57677274e811ac80cbc112ea2f6d4ebc.exe, 2080 smss.exe, 2640 smss.exe, 2740 Gaara.exe, 2596 smss.exe, 2512 Gaara.exe, 2984 csrss.exe, 1068 smss.exe, 1964 Gaara.exe, 1160 csrss.exe, 2188 Kazekage.exe, 2800 smss.exe, 2220 Gaara.exe, 2672 csrss.exe, 2844 Kazekage.exe, 1036 system32.exe, 1168 smss.exe, 1908 Gaara.exe, 1668 csrss.exe, 2192 Kazekage.exe, 1920 system32.exe, 1372 system32.exe, 1016 Kazekage.exe, 2412 system32.exe, 916 csrss.exe, 880 Kazekage.exe, 3020 system32.exe, 1604 Gaara.exe, 1528 csrss.exe, 2088 Kazekage.exe, 2900 system32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target (each row is logged four times in the report; the listing stops at 64 entries)
PID 2432 wrote to memory of 2080 2432 57677274e811ac80cbc112ea2f6d4ebc.exe 28 (x4)
PID 2080 wrote to memory of 2640 2080 smss.exe 29 (x4)
PID 2080 wrote to memory of 2740 2080 smss.exe 30 (x4)
PID 2740 wrote to memory of 2596 2740 Gaara.exe 31 (x4)
PID 2740 wrote to memory of 2512 2740 Gaara.exe 32 (x4)
PID 2740 wrote to memory of 2984 2740 Gaara.exe 33 (x4)
PID 2984 wrote to memory of 1068 2984 csrss.exe 34 (x4)
PID 2984 wrote to memory of 1964 2984 csrss.exe 35 (x4)
PID 2984 wrote to memory of 1160 2984 csrss.exe 36 (x4)
PID 2984 wrote to memory of 2188 2984 csrss.exe 37 (x4)
PID 2188 wrote to memory of 2800 2188 Kazekage.exe 38 (x4)
PID 2188 wrote to memory of 2220 2188 Kazekage.exe 39 (x4)
PID 2188 wrote to memory of 2672 2188 Kazekage.exe 40 (x4)
PID 2188 wrote to memory of 2844 2188 Kazekage.exe 41 (x4)
PID 2188 wrote to memory of 1036 2188 Kazekage.exe 42 (x4)
PID 1036 wrote to memory of 1168 1036 system32.exe 43 (x4)
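The WriteProcessMemory rows above are the raw material for the process tree further down: each row names a writer PID, the PID written to, the writer's image name, and the report's own per-process index (procid_target). Two things make them awkward to use by hand. The report prints every row four times, and Windows reuses PIDs within the run (2800 is both smss.exe and a ping.exe, 2900 both system32.exe and a ping.exe, 2980 two different ping.exe processes), so a PID alone is not a stable key; the procid_target column is. The script below is an added example, not part of the sandbox report, that parses the rows exactly as the report runs them together, drops the repeats, takes image names for leaf PIDs from a "pid Process" listing in the report's other format, and renders the nesting. The two input excerpts are copied from this report (most four-fold repeats shown once); the tree is keyed by PID and so assumes no reuse among the parents it sees, which holds for the excerpt.

```python
"""Rebuild a process tree from a sandbox report's WriteProcessMemory rows.

Added example, not report code.  Rows look like (run together in the report):
    PID <writer> wrote to memory of <child> <writer> <writer name> <child index>
The last column is the report's own per-process index, which stays unique even
when Windows reuses a PID; the tree below is keyed by PID and therefore assumes
no reuse among the parents it sees.
"""
import re

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")
PID_NAME_RE = re.compile(r"(\d+) (\S+\.exe)")


def parse_rows(text):
    """Return deduplicated (writer_pid, child_pid, writer_name, child_index) tuples."""
    seen, rows = set(), []
    for desc_pid, child, pid, name, idx in ROW_RE.findall(text):
        if desc_pid != pid:  # the description and pid columns must agree
            raise ValueError(f"inconsistent row: {desc_pid} vs {pid}")
        row = (int(pid), int(child), name, int(idx))
        if row not in seen:
            seen.add(row)
            rows.append(row)
    return rows


def parse_pid_names(text):
    """Parse a 'pid Process 2432 a.exe 2080 b.exe ...' listing into {pid: name}."""
    return {int(pid): name for pid, name in PID_NAME_RE.findall(text)}


def build_tree(rows, extra_names=None):
    """Return (children, names): children maps parent pid -> ordered child pids."""
    children, names = {}, dict(extra_names or {})
    for parent, child, parent_name, _ in rows:
        names[parent] = parent_name  # the writer's own row names it authoritatively
        children.setdefault(parent, []).append(child)
        children.setdefault(child, [])
    return children, names


def roots(children):
    """PIDs that never appear as a child: where the chain started."""
    all_children = {c for kids in children.values() for c in kids}
    return [p for p in children if p not in all_children]


def render(children, names, pid, depth=0):
    """Indented text lines, one per process, depth-first in logged order."""
    lines = [f"{'  ' * depth}{pid} {names.get(pid, '?')}"]
    for child in children.get(pid, []):
        lines.extend(render(children, names, child, depth + 1))
    return lines


# Excerpt copied from the report's WriteProcessMemory table, run together as printed.
WPM_EXCERPT = (
    "description pid Process procid_target "
    "PID 2432 wrote to memory of 2080 2432 57677274e811ac80cbc112ea2f6d4ebc.exe 28 "
    "PID 2432 wrote to memory of 2080 2432 57677274e811ac80cbc112ea2f6d4ebc.exe 28 "
    "PID 2080 wrote to memory of 2640 2080 smss.exe 29 "
    "PID 2080 wrote to memory of 2740 2080 smss.exe 30 "
    "PID 2740 wrote to memory of 2596 2740 Gaara.exe 31 "
    "PID 2740 wrote to memory of 2984 2740 Gaara.exe 33 "
    "PID 2984 wrote to memory of 2188 2984 csrss.exe 37 "
    "PID 2188 wrote to memory of 1036 2188 Kazekage.exe 42 "
    "PID 1036 wrote to memory of 1168 1036 system32.exe 43"
)
# Excerpt copied from the report's SetWindowsHookEx pid/Process listing.
HOOK_EXCERPT = (
    "pid Process 2432 57677274e811ac80cbc112ea2f6d4ebc.exe 2080 smss.exe "
    "2640 smss.exe 2740 Gaara.exe 2596 smss.exe 2984 csrss.exe "
    "2188 Kazekage.exe 1036 system32.exe 1168 smss.exe"
)


def tree_from_report(wpm_text=WPM_EXCERPT, pid_text=HOOK_EXCERPT):
    """Full pipeline: rows -> tree -> rendered lines (every root is rendered)."""
    children, names = build_tree(parse_rows(wpm_text), parse_pid_names(pid_text))
    return [line for root in roots(children) for line in render(children, names, root)]


if __name__ == "__main__":
    print("\n".join(tree_from_report()))
```

On the full table the same pipeline yields sixteen edges under one root (2432), which is the chain 57677274e811ac80cbc112ea2f6d4ebc.exe, smss.exe, Gaara.exe, csrss.exe, Kazekage.exe, system32.exe that the Processes section renders with its depth markers.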
System policy modification 1 TTPs 12 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Kazekage.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Gaara.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System system32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 57677274e811ac80cbc112ea2f6d4ebc.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 57677274e811ac80cbc112ea2f6d4ebc.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe
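The registry writes in the signatures above are the most durable indicators in this report: the .vbs and .inf shell verbs are repointed at calc.exe and at "shutdown -r -f -t 0", Winlogon Userinit and Shell gain a second executable under drivers\, and EnableLUA is set to 0. The script below is an added example, not part of the sandbox report or of the sample; it reads IoC lines in the report's own Set value (...) <key> = "<data>" <process> format and flags values that deviate from stock Windows defaults. Those defaults are the script's assumptions, stated in its comments: Userinit names only userinit.exe, Shell only explorer.exe, EnableLUA is 1, the VBSFile Open and Open2 verbs run wscript.exe or cscript.exe, the Edit verb runs notepad.exe, and the inffile Install verb runs InfDefaultInstall.exe or setupapi through rundll32. The sample lines are copied from this report plus one constructed benign control line. One caveat when turning this into a host check: the Winlogon writes here landed under Wow6432Node because the sample is a 32-bit process on an x64 guest, so read both the native and the WOW64 view of the key.

```python
"""Triage registry IoC lines from a sandbox report (added example, not report code).

Input format is the report's own:
    Set value (str) <key path> = "<data>" <process>
    Set value (int) <key path> = "<data>" <process>
    Key created <key path> <process>
Every expected default below is an assumption of this script, not report data.
"""
import re

SET_RE = re.compile(r'^Set value \((str|int)\) (.+?) = "(.*)" (\S+)$')
KEY_RE = re.compile(r'^Key created (.+) (\S+)$')


def parse_line(line):
    """Return a dict for one IoC line, or None if the line is not an IoC."""
    line = line.strip()
    m = SET_RE.match(line)
    if m:
        kind, path, data, proc = m.groups()
        return {"op": "set", "type": kind, "path": path, "data": data, "process": proc}
    m = KEY_RE.match(line)
    if m:
        path, proc = m.groups()
        return {"op": "create", "type": None, "path": path, "data": None, "process": proc}
    return None


def _basenames(data):
    # 'userinit.exe,drivers\\system32.exe' -> ['userinit.exe', 'system32.exe']
    names = []
    for tok in data.replace("\\\\", "\\").split(","):
        tok = tok.strip()
        if tok:
            names.append(tok.rsplit("\\", 1)[-1].lower())
    return names


def _only(allowed):
    """Checker: the value may name only the executables in `allowed`."""
    def check(data):
        extra = [n for n in _basenames(data) if n not in allowed]
        return "extra executable(s): " + ", ".join(extra) if extra else None
    return check


def _handler(expected):
    """Checker: a shell-verb command must still invoke one of `expected`."""
    def check(data):
        low = data.lower()
        return None if any(e in low for e in expected) else "handler replaced by " + repr(data)
    return check


def _enable_lua(data):
    return None if data.strip() == "1" else "EnableLUA=" + data + " (UAC prompts off)"


# key-path suffix (lower case; a trailing backslash means the key's default value)
# -> (finding label, checker).  The expected defaults are assumptions.
RULES = {
    "\\winlogon\\userinit": ("Winlogon Userinit hijack", _only({"userinit.exe"})),
    "\\winlogon\\shell": ("Winlogon Shell hijack", _only({"explorer.exe"})),
    "\\policies\\system\\enablelua": ("UAC disabled", _enable_lua),
    "\\vbsfile\\shell\\open\\command\\": ("VBS Open handler hijack", _handler(("wscript.exe", "cscript.exe"))),
    "\\vbsfile\\shell\\open2\\command\\": ("VBS Open2 handler hijack", _handler(("wscript.exe", "cscript.exe"))),
    "\\vbsfile\\shell\\edit\\command\\": ("VBS Edit handler hijack", _handler(("notepad.exe",))),
    "\\inffile\\shell\\install\\command\\": ("INF Install handler hijack", _handler(("infdefaultinstall.exe", "setupapi"))),
}


def assess(text):
    """Parse every line of `text`; return sorted unique (label, process, detail)."""
    findings = set()
    for line in text.splitlines():
        ioc = parse_line(line)
        if not ioc or ioc["op"] != "set":
            continue
        path = ioc["path"].lower()
        for suffix, (label, check) in RULES.items():
            if path.endswith(suffix):
                detail = check(ioc["data"])
                if detail:
                    findings.add((label, ioc["process"], detail))
    return sorted(findings)


# Lines copied from the report, plus one constructed benign control (last line).
SAMPLE = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" Kazekage.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" system32.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" smss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" 57677274e811ac80cbc112ea2f6d4ebc.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Kazekage.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe," explorer.exe
"""

if __name__ == "__main__":
    for label, proc, detail in assess(SAMPLE):
        print(f"{label:28} {proc:40} {detail}")
```

The rules key on a path suffix so the same table matches the native key, the Wow6432Node copy and a per-user HKCU\Software\Classes override alike; "Key created" rows are parsed but produce no finding on their own, since the write that follows them is what carries the evidence.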
Processes
Indentation shows the parent/child nesting (the report's levels 1 to 7). Image paths under C:\Windows\SysWOW64\drivers\ were reached through WOW64 file-system redirection: the command line names C:\Windows\system32\drivers\.

C:\Users\Admin\AppData\Local\Temp\57677274e811ac80cbc112ea2f6d4ebc.exe (PID 2432)
  cmd: "C:\Users\Admin\AppData\Local\Temp\57677274e811ac80cbc112ea2f6d4ebc.exe"
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - UAC bypass
  - Disables RegEdit via registry modification
  - Drops file in Drivers directory
  - Sets file execution options in registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe (PID 2080)
    cmd: "C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe"
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - UAC bypass
    - Disables RegEdit via registry modification
    - Drops file in Drivers directory
    - Sets file execution options in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Sets desktop wallpaper using registry
    - Drops file in Windows directory
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe (PID 2640)
      cmd: "C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
    C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe (PID 2740)
      cmd: "C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe"
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - UAC bypass
      - Disables RegEdit via registry modification
      - Drops file in Drivers directory
      - Sets file execution options in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops desktop.ini file(s)
      - Enumerates connected drives
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Sets desktop wallpaper using registry
      - Drops file in Windows directory
      - Modifies Control Panel
      - Modifies Internet Explorer settings
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
      C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe (PID 2596)
        cmd: "C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
      C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe (PID 2512)
        cmd: "C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
      C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe (PID 2984)
        cmd: "C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe"
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - UAC bypass
        - Disables RegEdit via registry modification
        - Drops file in Drivers directory
        - Sets file execution options in registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops desktop.ini file(s)
        - Enumerates connected drives
        - Drops autorun.inf file
        - Drops file in System32 directory
        - Sets desktop wallpaper using registry
        - Drops file in Windows directory
        - Modifies Control Panel
        - Modifies Internet Explorer settings
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification
        C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe (PID 1068)
          cmd: "C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetWindowsHookEx
        C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe (PID 1964)
          cmd: "C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetWindowsHookEx
        C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe (PID 1160)
          cmd: "C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\drivers\Kazekage.exe (PID 2188)
          cmd: C:\Windows\system32\drivers\Kazekage.exe
          - Modifies WinLogon for persistence
          - Modifies visibility of file extensions in Explorer
          - Modifies visibility of hidden/system files in Explorer
          - UAC bypass
          - Disables RegEdit via registry modification
          - Drops file in Drivers directory
          - Sets file execution options in registry
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops desktop.ini file(s)
          - Enumerates connected drives
          - Drops autorun.inf file
          - Drops file in System32 directory
          - Sets desktop wallpaper using registry
          - Drops file in Windows directory
          - Modifies Control Panel
          - Modifies Internet Explorer settings
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          - System policy modification
          C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe (PID 2800)
            cmd: "C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetWindowsHookEx
          C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe (PID 2220)
            cmd: "C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetWindowsHookEx
          C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe (PID 2672)
            cmd: "C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetWindowsHookEx
          C:\Windows\SysWOW64\drivers\Kazekage.exe (PID 2844)
            cmd: C:\Windows\system32\drivers\Kazekage.exe
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
          C:\Windows\SysWOW64\drivers\system32.exe (PID 1036)
            cmd: C:\Windows\system32\drivers\system32.exe
            - Modifies WinLogon for persistence
            - Modifies visibility of file extensions in Explorer
            - Modifies visibility of hidden/system files in Explorer
            - UAC bypass
            - Disables RegEdit via registry modification
            - Drops file in Drivers directory
            - Sets file execution options in registry
            - Executes dropped EXE
            - Loads dropped DLL
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops desktop.ini file(s)
            - Enumerates connected drives
            - Drops autorun.inf file
            - Drops file in System32 directory
            - Sets desktop wallpaper using registry
            - Drops file in Windows directory
            - Modifies Control Panel
            - Modifies Internet Explorer settings
            - Modifies registry class
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            - System policy modification
            C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe (PID 1168)
              cmd: "C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of SetWindowsHookEx
            C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe (PID 1908)
              cmd: "C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of SetWindowsHookEx
            C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe (PID 1668)
              cmd: "C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of SetWindowsHookEx
            C:\Windows\SysWOW64\drivers\Kazekage.exe (PID 2192)
              cmd: C:\Windows\system32\drivers\Kazekage.exe
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
            C:\Windows\SysWOW64\drivers\system32.exe (PID 1920)
              cmd: C:\Windows\system32\drivers\system32.exe
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
            C:\Windows\SysWOW64\ping.exe (PID 2976)
              cmd: ping -a -l www.rasasayang.com.my 65500
              - Runs ping.exe
            C:\Windows\SysWOW64\ping.exe (PID 2724)
              cmd: ping -a -l www.duniasex.com 65500
              - Runs ping.exe
            C:\Windows\SysWOW64\ping.exe (PID 2564)
              cmd: ping -a -l www.duniasex.com 65500
              - Runs ping.exe
            C:\Windows\SysWOW64\ping.exe (PID 2756)
              cmd: ping -a -l www.rasasayang.com.my 65500
              - Runs ping.exe
            C:\Windows\SysWOW64\ping.exe (PID 1752)
              cmd: ping -a -l www.duniasex.com 65500
              - Runs ping.exe
            C:\Windows\SysWOW64\ping.exe (PID 2320)
              cmd: ping -a -l www.rasasayang.com.my 65500
              - Runs ping.exe
          C:\Windows\SysWOW64\ping.exe (PID 2864)
            cmd: ping -a -l www.rasasayang.com.my 65500
            - Runs ping.exe
          C:\Windows\SysWOW64\ping.exe (PID 2392)
            cmd: ping -a -l www.duniasex.com 65500
            - Runs ping.exe
          C:\Windows\SysWOW64\ping.exe (PID 1656)
            cmd: ping -a -l www.rasasayang.com.my 65500
            - Runs ping.exe
          C:\Windows\SysWOW64\ping.exe (PID 1660)
            cmd: ping -a -l www.duniasex.com 65500
            - Runs ping.exe
          C:\Windows\SysWOW64\ping.exe (PID 2800)
            cmd: ping -a -l www.rasasayang.com.my 65500
            - Runs ping.exe
          C:\Windows\SysWOW64\ping.exe (PID 1320)
            cmd: ping -a -l www.duniasex.com 65500
            - Runs ping.exe
        C:\Windows\SysWOW64\drivers\system32.exe (PID 1372)
          cmd: C:\Windows\system32\drivers\system32.exe
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\ping.exe (PID 1536)
          cmd: ping -a -l www.rasasayang.com.my 65500
          - Runs ping.exe
        C:\Windows\SysWOW64\ping.exe (PID 1140)
          cmd: ping -a -l www.duniasex.com 65500
          - Runs ping.exe
        C:\Windows\SysWOW64\ping.exe (PID 2556)
          cmd: ping -a -l www.rasasayang.com.my 65500
          - Runs ping.exe
        C:\Windows\SysWOW64\ping.exe (PID 2980)
          cmd: ping -a -l www.duniasex.com 65500
          - Runs ping.exe
        C:\Windows\SysWOW64\ping.exe (PID 1748)
          cmd: ping -a -l www.rasasayang.com.my 65500
          - Runs ping.exe
        C:\Windows\SysWOW64\ping.exe (PID 2900)
          cmd: ping -a -l www.duniasex.com 65500
          - Runs ping.exe
      C:\Windows\SysWOW64\drivers\Kazekage.exe (PID 1016)
        cmd: C:\Windows\system32\drivers\Kazekage.exe
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      C:\Windows\SysWOW64\drivers\system32.exe (PID 2412)
        cmd: C:\Windows\system32\drivers\system32.exe
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      C:\Windows\SysWOW64\ping.exe (PID 1800)
        cmd: ping -a -l www.rasasayang.com.my 65500
        - Runs ping.exe
      C:\Windows\SysWOW64\ping.exe (PID 2548)
        cmd: ping -a -l www.duniasex.com 65500
        - Runs ping.exe
      C:\Windows\SysWOW64\ping.exe (PID 1508)
        cmd: ping -a -l www.duniasex.com 65500
        - Runs ping.exe
      C:\Windows\SysWOW64\ping.exe (PID 2072)
        cmd: ping -a -l www.rasasayang.com.my 65500
        - Runs ping.exe
    C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe (PID 916)
      cmd: "C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\drivers\Kazekage.exe (PID 880)
      cmd: C:\Windows\system32\drivers\Kazekage.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\drivers\system32.exe (PID 3020)
      cmd: C:\Windows\system32\drivers\system32.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\ping.exe (PID 1476)
      cmd: ping -a -l www.rasasayang.com.my 65500
      - Runs ping.exe
    C:\Windows\SysWOW64\ping.exe (PID 796)
      cmd: ping -a -l www.duniasex.com 65500
      - Runs ping.exe
    C:\Windows\SysWOW64\ping.exe (PID 524)
      cmd: ping -a -l www.rasasayang.com.my 65500
      - Runs ping.exe
    C:\Windows\SysWOW64\ping.exe (PID 932)
      cmd: ping -a -l www.duniasex.com 65500
      - Runs ping.exe
    C:\Windows\SysWOW64\ping.exe (PID 660)
      cmd: ping -a -l www.rasasayang.com.my 65500
      - Runs ping.exe
    C:\Windows\SysWOW64\ping.exe (PID 2916)
      cmd: ping -a -l www.duniasex.com 65500
      - Runs ping.exe
  C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe (PID 1604)
    cmd: "C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
  C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe (PID 1528)
    cmd: "C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\drivers\Kazekage.exe (PID 2088)
    cmd: C:\Windows\system32\drivers\Kazekage.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\drivers\system32.exe (PID 2900)
    cmd: C:\Windows\system32\drivers\system32.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\ping.exe (PID 2980)
    cmd: ping -a -l www.rasasayang.com.my 65500
    - Runs ping.exe
  C:\Windows\SysWOW64\ping.exe (PID 2620)
    cmd: ping -a -l www.duniasex.com 65500
    - Runs ping.exe
  C:\Windows\SysWOW64\ping.exe (PID 1928)
    cmd: ping -a -l www.duniasex.com 65500
    - Runs ping.exe
  C:\Windows\SysWOW64\ping.exe (PID 408)
    cmd: ping -a -l www.rasasayang.com.my 65500
    - Runs ping.exe
  C:\Windows\SysWOW64\ping.exe (PID 1260)
    cmd: ping -a -l www.rasasayang.com.my 65500
    - Runs ping.exe
  C:\Windows\SysWOW64\ping.exe (PID 1256)
    cmd: ping -a -l www.duniasex.com 65500
    - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15 (signature count per technique in parentheses)
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (9)
Downloads
- Filesize: 736B
  MD5: bb5d6abdf8d0948ac6895ce7fdfbc151
  SHA1: 9266b7a247a4685892197194d2b9b86c8f6dddbd
  SHA256: 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
  SHA512: 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c
- Filesize: 196B
  MD5: 1564dfe69ffed40950e5cb644e0894d1
  SHA1: 201b6f7a01cc49bb698bea6d4945a082ed454ce4
  SHA256: be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
  SHA512: 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097
- Filesize: 150KB
  MD5: 169181659b8943198fcbd437001e1e38
  SHA1: c3e69fae62c630f8b0058d33f2d33fd26e781f53
  SHA256: 0eb664f3ea15b89f21d18f3d908af2c225ae3eaceb0d0e1af421dd24bffd915a
  SHA512: 333cc6472e6c447944018a872aa8566fd38cd6c3bc025dd7fdc7c88a7b415b4a796ec66b4365eecde416b86c72fc8415cf3acc1fe69f3a101f62c2ce430eaf7f
- Filesize: 150KB
  MD5: 4a4a6564dd2f09146823493d81219fb8
  SHA1: 14ff6577363991132e1453d7425a928fbc3d8cb8
  SHA256: 7ed92b190ec89d9d97ab9b19a74b6118100625ed224382b8d7584548a8894082
  SHA512: 0a8edce2c3413d1b883a0303f261f852b24dd850470c3e99e8cf4b89eee84c11a021ff58ec4ce83dbacfa9a9d1a243893cd4d9d27a8b7b6faf2fdcba1d175d9c
- Filesize: 150KB
  MD5: 3f9b9eb09ef4a2c1fc1fb7ffb42ef1a8
  SHA1: dd3526aeeaf976844ffc967f591d32dbf495e952
  SHA256: 619edeeaef92284f84fced51541f50600d28e258f11bcd2ac9079fa02ba35d76
  SHA512: 5082adad45d292768adcb846811fec392d09d0b405cb35d33e32cde1553d88d8348ed9f9f0a27d96c6e6a2aa067d9f5bc7bb2a89aa34d1d14d3a7cee1a7f43a6
- Filesize: 64KB
  MD5: bfd370847d7eda45e5c9816094cd8fb8
  SHA1: a289344190f558a3ce56ab217da46d71f228e18f
  SHA256: bd10cf4cb44cc2262409a6ddb41dc1373bb63a1d1e858d0109c54672905d3ddf
  SHA512: 41ac4710851f11641591108774fbffb75e36d58179ba2687d7e11cc8ced33d466746eab86acf4a8edc7fdec23c3f5f917edd35a766b72048cc3f3c5fdb1d6efb
- Filesize: 704KB
  MD5: 434c7e38f10079e516d56c50896c958a
  SHA1: 3c95af3c3cb7bc6691e9be12619549601ddcc4c0
  SHA256: 2962161d865cf39d447d3a4df0ed45a773099a1a41bebfa80e74071f2f1f28c3
  SHA512: edd05ca9cfa47ec1fed12ad92040f6f1b8bcf2d538201e2643029336d7850a64a353f0367b51ec32b85ac6638b4e9f0509b1a72f66ef9a3d599fcbf340911634
- Filesize: 1.4MB
  MD5: d6b05020d4a0ec2a3a8b687099e335df
  SHA1: df239d830ebcd1cde5c68c46a7b76dad49d415f4
  SHA256: 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
  SHA512: 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff
- Filesize: 192KB
  MD5: ca8609f3eb4c6e461d3582ff9234b309
  SHA1: 702ccf95aaa1a5de3982d3d8a2d58d95fea3e7a5
  SHA256: 277d5e607db233f135fd637900124c7f315dc0ce4a86fe5b65ca9d03040e41f3
  SHA512: 54432d2b7abffbac97d8a1768d081c874120ea86c3e2335e880acf54280f5ec7bca38016e6c51d4dc3115270edb9680c29487895a4d236ee140d8bd73836201d
- Filesize: 150KB
  MD5: 5f0927391a26a7de8d5833029738574b
  SHA1: 93e4a613c6f170664c2ba0a1a7281b5d07741679
  SHA256: e954d2d3de84bc92085ba8d84c50460bd3eeda4df9355f49a664f65c9738df85
  SHA512: d2f85aa8c747020d2a6d3dd11b463f79dc2ee4e79f2130b084267ad664f9348acd99e724a2aead5e8f3e998849d326edf34551a5ac4834ac9ec43b0556bed0a0
- Filesize: 150KB (identical to the submitted sample; the MD5 is the sample's file name)
  MD5: 57677274e811ac80cbc112ea2f6d4ebc
  SHA1: a01bf46d2b91144f2c2250501fe21d35b81a90cc
  SHA256: 6f249f6626140d445b7764ea4a06e87a66fb83f1388e9e505338d686778aff47
  SHA512: f94c39f683ff6f674767461c1343f245fcc2ead7584837b0b3182afa02399209157dc53a677eaa9dc64181247a3dda65359019aa095de6f4df84a0af74c77647
- Filesize: 150KB
  MD5: ce9929de1652e9ced028e8d0dc56523e
  SHA1: c1825b47f4bec039a5673dd35ee3cad75e897394
  SHA256: 36877796e769510c52da49dfeefad9ee72a220532295ad5027410183ad8f13fe
  SHA512: f38a498d3648512c5ee003c8adb990fd2d45ee05504dee86f2b9746b8840f62aa409e3b4f8a946615a82782ee901694563c75e21a920fcea6d411034b2e6a350
- Filesize: 150KB
  MD5: abf2386d8a7ef0c6d8ee058b36873341
  SHA1: dc1a03e4a3bea8c905aaf91b2d85dde6ac7a1a31
  SHA256: 71211da771785a645fd13dc2537047af2cce0f15f57b49cca50c23ec472198d1
  SHA512: 8ea01703c360f50cd05c44bd4b467c3648055b3b87e8c3cbe9da148e41fb9508451d0a258727dbd34d1864b127b8be85cec1c1e346cb59cc98a11df802db9f7a
- Filesize: 65B
  MD5: 64acfa7e03b01f48294cf30d201a0026
  SHA1: 10facd995b38a095f30b4a800fa454c0bcbf8438
  SHA256: ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
  SHA512: 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a
- Filesize: 150KB
  MD5: 8bd9086eb072bd68321ea9075fd1498f
  SHA1: e3a0cf1e5ceb13e17377dc53569deda560ac4a70
  SHA256: e2630062dc407b3380a2f90273bccd813326d3e7a43af1ec9b4a0a21dac39b43
  SHA512: 53b019f422f256f7fdc298e1628892246d4780b0df3397025fa0c1fe0f2e5779aa392734e95953408036b121c7b133efb78c0e90eea7d5eb5e95d1c88a7cad88
- Filesize: 150KB
  MD5: 763186ca462fa3fa1e51ce4ebcbdbe7e
  SHA1: 5ce947a7026f5e20c2610e38022a31100c4fc906
  SHA256: 9e865b35cab844d987d1e28387af821f69fdf25356cb4f2468e20449e580f88c
  SHA512: d763ecef295b4f847ab231b8468e5cf6e3c08021adf60d4a02ada3a3619dbf7641769d3bdaca9a01a6acbe70bec0c1ed0935b9a347d566546ff7347b5e36c7fd
- Filesize: 150KB
  MD5: 09efacc546ccde4e0f53049cea9912e0
  SHA1: aa1b3ca586bbec00d3eaf8435159dcba616a018b
  SHA256: e9cedff3fa293d1a190fbc38ee922e05d78aa24a79cfbc49ec7f8ab6fdbe2c92
  SHA512: 8064cf2d1027a504101a53477bf2d4222ec8f7d700d8df06e4ee40735d357b13f919f05fdfbfa1156bc1ae6014b03e0f149b281ccf8bf6e2cf5a1b0b5b443b16
- Filesize: 150KB
  MD5: 8576f279c7ea057dbcc8e3abf1cb40e4
  SHA1: df71512c8a319cf1f93d705286b0b4ccf7f4323f
  SHA256: c72ec67cd112355c32c93f6b07e8e8a90bfdc8347bd5b6799b0d725d63110035
  SHA512: ebb7436dd532e94e36152d0ec4043885660f0d52e54cde9ca1f647b42549e25453f3958dcbcc6b1e3d89772cc6f2ea4659c8828acaf4dcfb5499c8d8a86e59c6
- Filesize: 150KB
  MD5: 8eba8352aad6b9cfa8205f43ef966454
  SHA1: cc9bf7cf2082ee93710656d55beb4053689f861c
  SHA256: 17a11ca72a38fd0fc025656a604c387674abf309b169c28cdb822c16e640981c
  SHA512: 1f376afe24d3e18f4f0b37b3024f724fd3d1325d9a690c3fdae187dbe54b5d95f2eda16231c89b4669319c28f4f03664e24da46a6615b82c04455e298797b696
- Filesize: 150KB
  MD5: be9a105e307585f3eb423ebb2a3a7e46
  SHA1: ebe03651008e35d0f5204105e00b307bed68423e
  SHA256: d1779e8861d78a7ce94c46f9553ecbc8505c8d7faa553f007dd0c3938971f569
  SHA512: 2804367bed4961cd41bd3b3bb1909edcc970ae4e2ccf355370a5c45034d403b8d9f47f634cfa373394aa0f49e1d254ecb3e69f52d9567cdee617dd47ce9ddf41
- Filesize: 150KB
  MD5: 1bacf7604911e34d0c74fa3ce536ab79
  SHA1: 5787fdf81dc2937effb6d3f7cd8f0e21a5ea0311
  SHA256: 5658639b3c01de8631b0e5c18aeb70eb3f372ef199d8470c3fe376ee997ec86e
  SHA512: e9b44f8e49ac9face17a4ad295c9285618983983af8825b48c233ade37aa3777aae3f608d9bd29f7186e4f759b87c8f043ee76b7dd889db9ec1de2ee0b5cc457
- Filesize: 127KB
  MD5: 8f9d668a46ee090718a56eb74c404188
  SHA1: 7b96425d56e79b6b087f43040a210fa48fa8bdfd
  SHA256: fde9013cde5deec6ae2b5998991269409bffe58a32ebbe575ceac84debec96db
  SHA512: 8619cafb29dd5b8969da5b084162ae2ffd699ded9ec6d23e5e28e77f2dcbc738e98759845a9e0db4b9269442a26ba69e64ce762304e8c499668708126aba20e7
- Filesize: 1.3MB
  MD5: 5343a19c618bc515ceb1695586c6c137
  SHA1: 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
  SHA256: 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
  SHA512: 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
- Filesize: 64KB
  MD5: 1a1b7cdaf2908857c3bebb9c8f387541
  SHA1: fcde10269617c828fb18bb636fad7eab2a259477
  SHA256: e49b2d6b04b4fd2d6ad3b05c0b24b2d31d50463ebd7f4ca887cb52307aa7030c
  SHA512: 6278e5f6c93354cc17360eae470eb5371a336e0fd5f92eaffc2deb218be540dbfabaf3061c99020b7b686871ac825f33032fa88efba5f6cf6db709b6908d38a1
- Filesize: 150KB
  MD5: 156a3aedb8e42ba4c329c7d17c96b6b4
  SHA1: da3d90cd52ff3ff290ca5dffb0cc8276889ebba9
  SHA256: 09d27349dcd5c59794754a807edc9a72a34d5187b15b0590f898051bb2f175e2
  SHA512: 524c773b0a040d22704273d0f545196e1f3f08fd9f88dc39593ce8122b2dd736ae5de2508c03ad78025a99375a4712805c947bba7e00aa554844c405ddf5fa3d