Analysis
max time kernel: 106s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231222-en locale:en-us os:windows10-2004-x64 system
submitted: 14/01/2024, 02:24
Behavioral task behavioral1
Sample: 57677274e811ac80cbc112ea2f6d4ebc.exe
Resource: win7-20231215-en

Behavioral task behavioral2
Sample: 57677274e811ac80cbc112ea2f6d4ebc.exe
Resource: win10v2004-20231222-en
General
Target: 57677274e811ac80cbc112ea2f6d4ebc.exe
Size: 150KB
MD5: 57677274e811ac80cbc112ea2f6d4ebc
SHA1: a01bf46d2b91144f2c2250501fe21d35b81a90cc
SHA256: 6f249f6626140d445b7764ea4a06e87a66fb83f1388e9e505338d686778aff47
SHA512: f94c39f683ff6f674767461c1343f245fcc2ead7584837b0b3182afa02399209157dc53a677eaa9dc64181247a3dda65359019aa095de6f4df84a0af74c77647
SSDEEP: 3072:5V5998K3WQ8fjEXKgZfnhfxuYV5998K3WQ8fjEXKgZfnhfxuwV59U:5VG84jqfhZVG84jqfhJV4
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | 57677274e811ac80cbc112ea2f6d4ebc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | 57677274e811ac80cbc112ea2f6d4ebc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | smss.exe
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 57677274e811ac80cbc112ea2f6d4ebc.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | smss.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 57677274e811ac80cbc112ea2f6d4ebc.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | system32.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 57677274e811ac80cbc112ea2f6d4ebc.exe
Disables RegEdit via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 57677274e811ac80cbc112ea2f6d4ebc.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | csrss.exe
Disables use of System Restore points 1 TTPs

Drops file in Drivers directory 24 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | 57677274e811ac80cbc112ea2f6d4ebc.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | 57677274e811ac80cbc112ea2f6d4ebc.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | 57677274e811ac80cbc112ea2f6d4ebc.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | 57677274e811ac80cbc112ea2f6d4ebc.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
Sets file execution options in registry 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | 57677274e811ac80cbc112ea2f6d4ebc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" | 57677274e811ac80cbc112ea2f6d4ebc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | 57677274e811ac80cbc112ea2f6d4ebc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | 57677274e811ac80cbc112ea2f6d4ebc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | 57677274e811ac80cbc112ea2f6d4ebc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe | 57677274e811ac80cbc112ea2f6d4ebc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" | 57677274e811ac80cbc112ea2f6d4ebc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe | 57677274e811ac80cbc112ea2f6d4ebc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" | 57677274e811ac80cbc112ea2f6d4ebc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | 57677274e811ac80cbc112ea2f6d4ebc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | 57677274e811ac80cbc112ea2f6d4ebc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | Gaara.exe
Executes dropped EXE 30 IoCs
pid | Process
3896 | smss.exe
3656 | smss.exe
668 | Gaara.exe
1840 | smss.exe
1800 | Gaara.exe
1764 | csrss.exe
1544 | smss.exe
1884 | Gaara.exe
3548 | csrss.exe
1192 | Kazekage.exe
4752 | smss.exe
4264 | Gaara.exe
3260 | csrss.exe
868 | Kazekage.exe
4100 | system32.exe
1044 | smss.exe
1604 | Gaara.exe
2312 | csrss.exe
4716 | Kazekage.exe
3032 | system32.exe
4868 | system32.exe
4976 | Kazekage.exe
4184 | system32.exe
4380 | csrss.exe
2624 | Kazekage.exe
4268 | system32.exe
4892 | Gaara.exe
4476 | csrss.exe
4464 | Kazekage.exe
3512 | system32.exe
Loads dropped DLL 18 IoCs
pid | Process
3896 | smss.exe
3656 | smss.exe
668 | Gaara.exe
1840 | smss.exe
1800 | Gaara.exe
1764 | csrss.exe
1544 | smss.exe
1884 | Gaara.exe
3548 | csrss.exe
4752 | smss.exe
4264 | Gaara.exe
3260 | csrss.exe
1044 | smss.exe
1604 | Gaara.exe
2312 | csrss.exe
4380 | csrss.exe
4892 | Gaara.exe
4476 | csrss.exe
resource | yara_rule
behavioral2/memory/2404-0-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/files/0x00060000000231e9-68.dat | upx
behavioral2/files/0x00060000000231ee-57.dat | upx
behavioral2/files/0x00060000000231ec-49.dat | upx
behavioral2/memory/3656-78-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/files/0x00060000000231ec-87.dat | upx
behavioral2/memory/1800-113-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/1840-112-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/1800-121-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/1764-119-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/files/0x00060000000231e9-146.dat | upx
behavioral2/memory/1544-152-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3548-158-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/1884-157-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/files/0x00060000000231ed-163.dat | upx
behavioral2/files/0x00060000000231ed-164.dat | upx
behavioral2/memory/3896-189-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/4752-190-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/4752-196-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/4264-201-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/868-207-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3260-206-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/files/0x00060000000231ee-214.dat | upx
behavioral2/memory/4100-213-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/files/0x00060000000231e9-231.dat | upx
behavioral2/memory/1764-232-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/1044-235-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/1604-238-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/2312-241-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3032-246-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/1192-245-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3032-249-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/4976-253-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/4868-252-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/4976-256-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/4184-259-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/4100-266-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/4380-265-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/2624-269-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/4268-272-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/4892-275-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/4476-278-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/4464-281-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3512-284-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/4716-244-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/files/0x00060000000231ec-220.dat | upx
behavioral2/files/0x00060000000231ee-212.dat | upx
behavioral2/memory/868-211-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/files/0x00060000000231ed-205.dat | upx
behavioral2/memory/668-202-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/files/0x00060000000231eb-199.dat | upx
behavioral2/memory/4264-195-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/files/0x00060000000231ea-193.dat | upx
behavioral2/files/0x00060000000231ee-176.dat | upx
behavioral2/memory/1192-168-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/2404-167-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3548-161-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/files/0x00060000000231eb-155.dat | upx
behavioral2/files/0x00060000000231ee-135.dat | upx
behavioral2/files/0x00060000000231ee-95.dat | upx
behavioral2/memory/668-76-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3896-32-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/files/0x00060000000231ec-14.dat | upx
behavioral2/memory/3896-286-0x0000000000400000-0x000000000042A000-memory.dmp | upx
Adds Run key to start application 2 TTPs 24 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 14 - 1 - 2024\\smss.exe" | 57677274e811ac80cbc112ea2f6d4ebc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "14-1-2024.exe" | 57677274e811ac80cbc112ea2f6d4ebc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 14 - 1 - 2024\\smss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 14 - 1 - 2024\\Gaara.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 14 - 1 - 2024\\Gaara.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 14 - 1 - 2024\\smss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 14 - 1 - 2024\\smss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 14 - 1 - 2024\\smss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "14-1-2024.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "14-1-2024.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 14 - 1 - 2024\\Gaara.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "14-1-2024.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "14-1-2024.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 14 - 1 - 2024\\Gaara.exe" | 57677274e811ac80cbc112ea2f6d4ebc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | 57677274e811ac80cbc112ea2f6d4ebc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 14 - 1 - 2024\\Gaara.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 14 - 1 - 2024\\smss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 14 - 1 - 2024\\Gaara.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "14-1-2024.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Kazekage.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 57677274e811ac80cbc112ea2f6d4ebc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Drops desktop.ini file(s) 64 IoCs
description | ioc | Process
File opened for modification | \??\P:\Desktop.ini | Gaara.exe
File opened for modification | \??\V:\Desktop.ini | Kazekage.exe
File opened for modification | \??\W:\Desktop.ini | Kazekage.exe
File opened for modification | \??\J:\Desktop.ini | 57677274e811ac80cbc112ea2f6d4ebc.exe
File opened for modification | \??\M:\Desktop.ini | 57677274e811ac80cbc112ea2f6d4ebc.exe
File opened for modification | \??\W:\Desktop.ini | csrss.exe
File opened for modification | \??\J:\Desktop.ini | system32.exe
File opened for modification | F:\Desktop.ini | Kazekage.exe
File opened for modification | F:\Desktop.ini | 57677274e811ac80cbc112ea2f6d4ebc.exe
File opened for modification | D:\Desktop.ini | csrss.exe
File opened for modification | \??\Z:\Desktop.ini | system32.exe
File opened for modification | \??\Q:\Desktop.ini | 57677274e811ac80cbc112ea2f6d4ebc.exe
File opened for modification | \??\S:\Desktop.ini | 57677274e811ac80cbc112ea2f6d4ebc.exe
File opened for modification | \??\I:\Desktop.ini | Gaara.exe
File opened for modification | \??\R:\Desktop.ini | Gaara.exe
File opened for modification | \??\Z:\Desktop.ini | Gaara.exe
File opened for modification | \??\Q:\Desktop.ini | csrss.exe
File opened for modification | \??\A:\Desktop.ini | Gaara.exe
File opened for modification | \??\S:\Desktop.ini | Gaara.exe
File opened for modification | \??\K:\Desktop.ini | csrss.exe
File opened for modification | F:\Desktop.ini | csrss.exe
File opened for modification | \??\T:\Desktop.ini | csrss.exe
File opened for modification | \??\E:\Desktop.ini | system32.exe
File opened for modification | \??\H:\Desktop.ini | Kazekage.exe
File opened for modification | \??\Z:\Desktop.ini | Kazekage.exe
File opened for modification | \??\A:\Desktop.ini | 57677274e811ac80cbc112ea2f6d4ebc.exe
File opened for modification | \??\B:\Desktop.ini | 57677274e811ac80cbc112ea2f6d4ebc.exe
File opened for modification | \??\H:\Desktop.ini | csrss.exe
File opened for modification | \??\X:\Desktop.ini | csrss.exe
File opened for modification | \??\K:\Desktop.ini | Kazekage.exe
File opened for modification | \??\O:\Desktop.ini | Kazekage.exe
File opened for modification | \??\I:\Desktop.ini | system32.exe
File opened for modification | C:\Desktop.ini | Kazekage.exe
File opened for modification | \??\T:\Desktop.ini | 57677274e811ac80cbc112ea2f6d4ebc.exe
File opened for modification | \??\A:\Desktop.ini | smss.exe
File opened for modification | \??\K:\Desktop.ini | smss.exe
File opened for modification | \??\N:\Desktop.ini | Gaara.exe
File opened for modification | \??\V:\Desktop.ini | Gaara.exe
File opened for modification | \??\X:\Desktop.ini | Gaara.exe
File opened for modification | \??\Q:\Desktop.ini | Gaara.exe
File opened for modification | \??\U:\Desktop.ini | Kazekage.exe
File opened for modification | \??\U:\Desktop.ini | smss.exe
File opened for modification | \??\M:\Desktop.ini | csrss.exe
File opened for modification | \??\X:\Desktop.ini | system32.exe
File opened for modification | \??\M:\Desktop.ini | Kazekage.exe
File opened for modification | \??\I:\Desktop.ini | 57677274e811ac80cbc112ea2f6d4ebc.exe
File opened for modification | \??\V:\Desktop.ini | 57677274e811ac80cbc112ea2f6d4ebc.exe
File opened for modification | \??\P:\Desktop.ini | csrss.exe
File opened for modification | \??\V:\Desktop.ini | csrss.exe
File opened for modification | \??\B:\Desktop.ini | system32.exe
File opened for modification | \??\E:\Desktop.ini | Kazekage.exe
File opened for modification | \??\T:\Desktop.ini | smss.exe
File opened for modification | \??\Z:\Desktop.ini | smss.exe
File opened for modification | \??\O:\Desktop.ini | csrss.exe
File opened for modification | \??\Y:\Desktop.ini | csrss.exe
File opened for modification | C:\Desktop.ini | system32.exe
File opened for modification | \??\N:\Desktop.ini | system32.exe
File opened for modification | \??\P:\Desktop.ini | 57677274e811ac80cbc112ea2f6d4ebc.exe
File opened for modification | \??\J:\Desktop.ini | Kazekage.exe
File opened for modification | \??\N:\Desktop.ini | 57677274e811ac80cbc112ea2f6d4ebc.exe
File opened for modification | \??\N:\Desktop.ini | smss.exe
File opened for modification | \??\S:\Desktop.ini | csrss.exe
File opened for modification | D:\Desktop.ini | Gaara.exe
File opened for modification | \??\E:\Desktop.ini | Gaara.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory 39 IoCs
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | 57677274e811ac80cbc112ea2f6d4ebc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | csrss.exe
Drops file in Windows directory 64 IoCs
Modifies Control Panel 64 IoCs
Modifies registry class 51 IoCs
Runs ping.exe 1 TTPs 34 IoCs
pid Process 1676 ping.exe 4376 ping.exe 1832 ping.exe 2184 ping.exe 5088 ping.exe 4252 ping.exe 2228 ping.exe 5012 ping.exe 1464 ping.exe 2820 ping.exe 3672 ping.exe 2128 ping.exe 2172 ping.exe 3600 ping.exe 4736 ping.exe 1308 ping.exe 1544 ping.exe 3952 ping.exe 208 ping.exe 2152 ping.exe 2228 ping.exe 4648 ping.exe 2184 ping.exe 1356 ping.exe 3084 ping.exe 220 ping.exe 3588 ping.exe 748 ping.exe 872 ping.exe 5088 ping.exe 3004 ping.exe 3900 ping.exe 2004 ping.exe 1440 ping.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2404 57677274e811ac80cbc112ea2f6d4ebc.exe 2404 57677274e811ac80cbc112ea2f6d4ebc.exe 2404 57677274e811ac80cbc112ea2f6d4ebc.exe 2404 57677274e811ac80cbc112ea2f6d4ebc.exe 2404 57677274e811ac80cbc112ea2f6d4ebc.exe 2404 57677274e811ac80cbc112ea2f6d4ebc.exe 2404 57677274e811ac80cbc112ea2f6d4ebc.exe 2404 57677274e811ac80cbc112ea2f6d4ebc.exe 2404 57677274e811ac80cbc112ea2f6d4ebc.exe 2404 57677274e811ac80cbc112ea2f6d4ebc.exe 2404 57677274e811ac80cbc112ea2f6d4ebc.exe 2404 57677274e811ac80cbc112ea2f6d4ebc.exe 2404 57677274e811ac80cbc112ea2f6d4ebc.exe 2404 57677274e811ac80cbc112ea2f6d4ebc.exe 2404 57677274e811ac80cbc112ea2f6d4ebc.exe 2404 57677274e811ac80cbc112ea2f6d4ebc.exe 2404 57677274e811ac80cbc112ea2f6d4ebc.exe 2404 57677274e811ac80cbc112ea2f6d4ebc.exe 2404 57677274e811ac80cbc112ea2f6d4ebc.exe 2404 57677274e811ac80cbc112ea2f6d4ebc.exe 2404 57677274e811ac80cbc112ea2f6d4ebc.exe 2404 57677274e811ac80cbc112ea2f6d4ebc.exe 2404 57677274e811ac80cbc112ea2f6d4ebc.exe 2404 57677274e811ac80cbc112ea2f6d4ebc.exe 3896 smss.exe 3896 smss.exe 3896 smss.exe 3896 smss.exe 3896 smss.exe 3896 smss.exe 3896 smss.exe 3896 smss.exe 3896 smss.exe 3896 smss.exe 3896 smss.exe 3896 smss.exe 3896 smss.exe 3896 smss.exe 3896 smss.exe 3896 smss.exe 3896 smss.exe 3896 smss.exe 3896 smss.exe 3896 smss.exe 3896 smss.exe 3896 smss.exe 3896 smss.exe 3896 smss.exe 668 Gaara.exe 668 Gaara.exe 668 Gaara.exe 668 Gaara.exe 668 Gaara.exe 668 Gaara.exe 668 Gaara.exe 668 Gaara.exe 668 Gaara.exe 668 Gaara.exe 668 Gaara.exe 668 Gaara.exe 668 Gaara.exe 668 Gaara.exe 668 Gaara.exe 668 Gaara.exe -
Suspicious use of SetWindowsHookEx 31 IoCs
pid Process 2404 57677274e811ac80cbc112ea2f6d4ebc.exe 3896 smss.exe 3656 smss.exe 668 Gaara.exe 1840 smss.exe 1800 Gaara.exe 1764 csrss.exe 1544 smss.exe 1884 Gaara.exe 3548 csrss.exe 1192 Kazekage.exe 4752 smss.exe 4264 Gaara.exe 3260 csrss.exe 868 Kazekage.exe 4100 system32.exe 1044 smss.exe 1604 Gaara.exe 2312 csrss.exe 4716 Kazekage.exe 3032 system32.exe 4868 system32.exe 4976 Kazekage.exe 4184 system32.exe 4380 csrss.exe 2624 Kazekage.exe 4268 system32.exe 4892 Gaara.exe 4476 csrss.exe 4464 Kazekage.exe 3512 system32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2404 wrote to memory of 3896 2404 57677274e811ac80cbc112ea2f6d4ebc.exe 65
PID 2404 wrote to memory of 3896 2404 57677274e811ac80cbc112ea2f6d4ebc.exe 65
PID 2404 wrote to memory of 3896 2404 57677274e811ac80cbc112ea2f6d4ebc.exe 65
PID 3896 wrote to memory of 3656 3896 smss.exe 35
PID 3896 wrote to memory of 3656 3896 smss.exe 35
PID 3896 wrote to memory of 3656 3896 smss.exe 35
PID 3896 wrote to memory of 668 3896 smss.exe 64
PID 3896 wrote to memory of 668 3896 smss.exe 64
PID 3896 wrote to memory of 668 3896 smss.exe 64
PID 668 wrote to memory of 1840 668 Gaara.exe 37
PID 668 wrote to memory of 1840 668 Gaara.exe 37
PID 668 wrote to memory of 1840 668 Gaara.exe 37
PID 668 wrote to memory of 1800 668 Gaara.exe 63
PID 668 wrote to memory of 1800 668 Gaara.exe 63
PID 668 wrote to memory of 1800 668 Gaara.exe 63
PID 668 wrote to memory of 1764 668 Gaara.exe 38
PID 668 wrote to memory of 1764 668 Gaara.exe 38
PID 668 wrote to memory of 1764 668 Gaara.exe 38
PID 1764 wrote to memory of 1544 1764 csrss.exe 62
PID 1764 wrote to memory of 1544 1764 csrss.exe 62
PID 1764 wrote to memory of 1544 1764 csrss.exe 62
PID 1764 wrote to memory of 1884 1764 csrss.exe 61
PID 1764 wrote to memory of 1884 1764 csrss.exe 61
PID 1764 wrote to memory of 1884 1764 csrss.exe 61
PID 1764 wrote to memory of 3548 1764 csrss.exe 60
PID 1764 wrote to memory of 3548 1764 csrss.exe 60
PID 1764 wrote to memory of 3548 1764 csrss.exe 60
PID 1764 wrote to memory of 1192 1764 csrss.exe 59
PID 1764 wrote to memory of 1192 1764 csrss.exe 59
PID 1764 wrote to memory of 1192 1764 csrss.exe 59
PID 1192 wrote to memory of 4752 1192 Kazekage.exe 58
PID 1192 wrote to memory of 4752 1192 Kazekage.exe 58
PID 1192 wrote to memory of 4752 1192 Kazekage.exe 58
PID 1192 wrote to memory of 4264 1192 Kazekage.exe 57
PID 1192 wrote to memory of 4264 1192 Kazekage.exe 57
PID 1192 wrote to memory of 4264 1192 Kazekage.exe 57
PID 1192 wrote to memory of 3260 1192 Kazekage.exe 39
PID 1192 wrote to memory of 3260 1192 Kazekage.exe 39
PID 1192 wrote to memory of 3260 1192 Kazekage.exe 39
PID 1192 wrote to memory of 868 1192 Kazekage.exe 40
PID 1192 wrote to memory of 868 1192 Kazekage.exe 40
PID 1192 wrote to memory of 868 1192 Kazekage.exe 40
PID 1192 wrote to memory of 4100 1192 Kazekage.exe 56
PID 1192 wrote to memory of 4100 1192 Kazekage.exe 56
PID 1192 wrote to memory of 4100 1192 Kazekage.exe 56
PID 4100 wrote to memory of 1044 4100 system32.exe 41
PID 4100 wrote to memory of 1044 4100 system32.exe 41
PID 4100 wrote to memory of 1044 4100 system32.exe 41
PID 4100 wrote to memory of 1604 4100 system32.exe 55
PID 4100 wrote to memory of 1604 4100 system32.exe 55
PID 4100 wrote to memory of 1604 4100 system32.exe 55
PID 4100 wrote to memory of 2312 4100 system32.exe 54
PID 4100 wrote to memory of 2312 4100 system32.exe 54
PID 4100 wrote to memory of 2312 4100 system32.exe 54
PID 4100 wrote to memory of 4716 4100 system32.exe 42
PID 4100 wrote to memory of 4716 4100 system32.exe 42
PID 4100 wrote to memory of 4716 4100 system32.exe 42
PID 4100 wrote to memory of 3032 4100 system32.exe 53
PID 4100 wrote to memory of 3032 4100 system32.exe 53
PID 4100 wrote to memory of 3032 4100 system32.exe 53
PID 1764 wrote to memory of 4868 1764 csrss.exe 43
PID 1764 wrote to memory of 4868 1764 csrss.exe 43
PID 1764 wrote to memory of 4868 1764 csrss.exe 43
PID 668 wrote to memory of 4976 668 Gaara.exe 52
-
System policy modification 1 TTPs 12 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 57677274e811ac80cbc112ea2f6d4ebc.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Gaara.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Kazekage.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 57677274e811ac80cbc112ea2f6d4ebc.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System system32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\57677274e811ac80cbc112ea2f6d4ebc.exe  "C:\Users\Admin\AppData\Local\Temp\57677274e811ac80cbc112ea2f6d4ebc.exe"  (depth 1)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2404 -
C:\Windows\SysWOW64\drivers\system32.exe  C:\Windows\system32\drivers\system32.exe  (depth 2)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3512
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exe  C:\Windows\system32\drivers\Kazekage.exe  (depth 2)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4464
-
-
C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe  "C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe"  (depth 2)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4476
-
-
C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe  "C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe"  (depth 2)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4892
-
-
C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe  "C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe"  (depth 2)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3896 -
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  (depth 3)
- Runs ping.exe
PID:4252
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  (depth 3)
- Runs ping.exe
PID:1464
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  (depth 3)
- Runs ping.exe
PID:2228
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  (depth 3)
- Runs ping.exe
PID:1676
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  (depth 3)
- Runs ping.exe
PID:3952
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  (depth 3)
- Runs ping.exe
PID:1440
-
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  (depth 2)
- Runs ping.exe
PID:2004
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  (depth 2)
- Runs ping.exe
PID:2128
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  (depth 2)
- Runs ping.exe
PID:2152
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  (depth 2)
- Runs ping.exe
PID:2172
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  (depth 2)
- Runs ping.exe
PID:1544
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  (depth 2)
- Runs ping.exe
PID:3004
-
-
C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe  "C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe"  (depth 1)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3656
-
C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe  "C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe"  (depth 1)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1840
-
C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe  "C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe"  (depth 1)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1764 -
C:\Windows\SysWOW64\drivers\system32.exe  C:\Windows\system32\drivers\system32.exe  (depth 2)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4868
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exe  C:\Windows\system32\drivers\Kazekage.exe  (depth 2)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1192 -
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  (depth 3)
- Runs ping.exe
PID:2228
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  (depth 3)
- Runs ping.exe
PID:2820
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  (depth 3)
- Runs ping.exe
PID:4736
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  (depth 3)
- Runs ping.exe
PID:1308
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  (depth 3)
- Runs ping.exe
PID:3900
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  (depth 3)
- Runs ping.exe
PID:208
-
-
-
C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe  "C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe"  (depth 2)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3548
-
-
C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe  "C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe"  (depth 2)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1884
-
-
C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe  "C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe"  (depth 2)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1544
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  (depth 2)
- Runs ping.exe
PID:5088
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  (depth 2)
- Runs ping.exe
PID:3588
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  (depth 2)
- Runs ping.exe
PID:748
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  (depth 2)
- Runs ping.exe
PID:872
-
-
C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe  "C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe"  (depth 1)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3260
-
C:\Windows\SysWOW64\drivers\Kazekage.exe  C:\Windows\system32\drivers\Kazekage.exe  (depth 1)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:868
-
C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe  "C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe"  (depth 1)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1044
-
C:\Windows\SysWOW64\drivers\Kazekage.exe  C:\Windows\system32\drivers\Kazekage.exe  (depth 1)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4716
-
C:\Windows\SysWOW64\drivers\system32.exe  C:\Windows\system32\drivers\system32.exe  (depth 1)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4268
-
C:\Windows\SysWOW64\drivers\Kazekage.exe  C:\Windows\system32\drivers\Kazekage.exe  (depth 1)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2624
-
C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe  "C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe"  (depth 1)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4380
-
C:\Windows\SysWOW64\drivers\system32.exe  C:\Windows\system32\drivers\system32.exe  (depth 1)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4184
-
C:\Windows\SysWOW64\drivers\Kazekage.exe  C:\Windows\system32\drivers\Kazekage.exe  (depth 1)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4976
-
C:\Windows\SysWOW64\drivers\system32.exe  C:\Windows\system32\drivers\system32.exe  (depth 1)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3032
-
C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe  "C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe"  (depth 1)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2312
-
C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe  "C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe"  (depth 1)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1604
-
C:\Windows\SysWOW64\drivers\system32.exe  C:\Windows\system32\drivers\system32.exe  (depth 1)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4100 -
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  (depth 2)
- Runs ping.exe
PID:5088
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  (depth 2)
- Runs ping.exe
PID:3672
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  (depth 2)
- Runs ping.exe
PID:1356
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  (depth 2)
- Runs ping.exe
PID:3600
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  (depth 2)
- Runs ping.exe
PID:2184
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  (depth 2)
- Runs ping.exe
PID:4376
-
-
C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe  "C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe"  (depth 1)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4264
-
C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe  "C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe"  (depth 1)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4752
-
C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe  "C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe"  (depth 1)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1800
-
C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe  "C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe"  (depth 1)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:668 -
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  (depth 2)
- Runs ping.exe
PID:1832
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  (depth 2)
- Runs ping.exe
PID:2184
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  (depth 2)
- Runs ping.exe
PID:5012
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  (depth 2)
- Runs ping.exe
PID:4648
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  (depth 2)
- Runs ping.exe
PID:3084
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  (depth 2)
- Runs ping.exe
PID:220
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 3
Registry Run Keys / Startup Folder 2
Winlogon Helper DLL 1
Privilege Escalation
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Boot or Logon Autostart Execution 3
Registry Run Keys / Startup Folder 2
Winlogon Helper DLL 1
Defense Evasion
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Hide Artifacts 2
Hidden Files and Directories 2
Impair Defenses 1
Disable or Modify Tools 1
Modify Registry 9
Downloads
-
Filesize
736B
MD5bb5d6abdf8d0948ac6895ce7fdfbc151
SHA19266b7a247a4685892197194d2b9b86c8f6dddbd
SHA2565db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c
-
Filesize
150KB
MD5af6477e71f79eaba4ac3603ac5de821a
SHA10896f3083b56082eff97acbd5ea1dc99307fe0a2
SHA256119a47f0ed12608d0b03d2107d43f5c12736d700799e17acbb7d98db0aaffbbb
SHA5121fa47d30b090db6de4785a647381b7f3c314eb5b2602ff8189b7b335b10ea2ea579c577da31c16dfb090af5dd03a61138d9b2fbd6fd36cd07cb7eb7d133b88f6
-
Filesize
917KB
MD50d985bd62ffff5ab205655fa1928149e
SHA1f05012335716f5925e9d0876f0961774c4510b59
SHA25664e9fb41770ffe91f3c77d9e975c85854e94b0af73c220168d46462408b697fe
SHA512ad513ef6a3681ee45a2fbfc512c157bc0f6847be734bc353d32fdb916ffa1028cd6ba8b6ea6a02f2ded7b023cbbf90a6b21f7d46be8320695250426a28c0a6b7
-
Filesize
150KB
MD5d725a6a24567751a821fdb88c683b935
SHA1fe482ed24af67cf84565d854e9911d6533e996b7
SHA256351848348b3f94cc8299c80b6055101dacaaba113dfbba0c1e32b93b6d67855b
SHA512b893b9c19c6f896d3d5c65d5ef91f12922328f2fa007b7e0f2eaae7b7f6154d3368743a2412180c5e4976b80d8bb071faede9b51d490279d9981a2f827687b37
-
Filesize
106KB
MD5463324f9a8f264576e10a704273d4b5e
SHA13934be921cf40dc687a9019eef991063aac6e05d
SHA2560da14a06f9705d589a71b795708704fa4008cffa2e3def0e39219a6b0a7542f4
SHA5125d8f741f2d745f4e2141516b52de79c8d9ae32ff52a5c82469d26a78da88c95e7dba3829a9451e905d41a2f6acf251350cf0662aa08e75951b2a558db2c5a20e
-
Filesize
81KB
MD5b6cdce52303a44150394fbef1e6e9527
SHA11610e61d3253ff5a17a0addf8a07e329847d3624
SHA2563ca12ae8d2aa2d31c490eae204b1155a906e15c2207c94b8f63fe6d253e72aaf
SHA512b56892d4a573c94218b847c0a9f70343d60e249f5f3f5a84e793c8bf4a1f843ac3519fc1b8e5203bdfac2fc728f38330446f08b4c273fba07a993e77a4ab010b
-
Filesize
570KB
MD56feb3dc78dbce10788d9e3e2b6f6dd7e
SHA1f20777e404a6736d4fa0d28e2943984829178bd3
SHA2568b3f8ddd588559cf33bf98cfd58090492d51af262307069f7ac49e33729874a3
SHA512e536898928a1d0422d8523e99bf9d0425c0af3bee3a7ce79c041ee672bf75ba8754039011e97d00158ae966def0cf51108dc1e839c7a9446bdce411f078c193d
-
Filesize
42KB
MD5f945123b0197199735a409d34c9c6493
SHA1c1ef72672b18cee23a0fa38de38809e5a9d85d48
SHA2566f5db8656eeb3bdf16b3accbeb79a3a2a842d1759c864315dee0e7d4934e068b
SHA5128c4c84a38045d59c2b58b25f30f1dd685629083a7602e46aadba7aaa1a817f3e82363315ab62899180c4141c8fd1c7bcac1c5728ff7dd5ed34a38ac3df255d82
-
Filesize
47KB
MD5b0ffaf267dae35f3572c866236a65427
SHA13e6f32ffcae90fb6f5671d99b15ca914bc35906c
SHA2569870b87af839b0bc94b63147692624687c1fbd196d8cab027a5e533eae7f40fa
SHA512b290989442c84cd5679b8889c837b928b169da7419418fd555466b2f8a25045fc813060297e92bbf5c57eb1e02f13f77b4d9df778423f7bb297a94573b9a7b14
-
Filesize
190KB
MD59652bc0779be8ea5793e5d690432a085
SHA1a1a3a90dc5576a12806d5ad1022fcb0f1e595dad
SHA256925b4d20abc6fd7caa61f4f85c84a9c9c53e85c56bbca3734fbcf55c2093e99f
SHA5128c665c9071e55807d9a3d2d4866908e96356232bc7b22202e217cd70aeabb56dadfb3546ac0e571bc5f8061e819b2a3637fa57c0ab125e6902b12f4cd5f6433e
-
Filesize
164KB
MD5d04144a0a615c37b7fec7437a49608f2
SHA1e9f380c20097c1e0fdc77baa7d6e823072674bf3
SHA2569eebf53f0b11dfbaa285ffd086766fab8c9533a9fb93f53a7422caf742948a07
SHA51265b4ec6a15b4a7573db36dbf6d902d1f351ee389377ddc3fabbbaa00c68faf508bd37844ddae16263b13c956d99916b2b906333d971eee91d72f1f5c3eab71bd
-
Filesize
243KB
MD50cf9a429329e7eb623ef99ec89713644
SHA1e80cfce730dfc0d5e0e3d4ea55c5491ec0d872eb
SHA2562c68e955e659b342ff5614270e5c0d575fc42b4bb8fd918efbe35a81ac5f047e
SHA512e5eb44e676ba42e1612e3e0df5c8f82d92147d9241852e1d4b524f311e0a78685fd5b71e275ee45657ee9fafacf3e70c650a0b4ea55db3783c1a3c7234bfdd9a
-
Filesize
184KB
MD53e9e9e5abdb350415cdb1f4ec36d0518
SHA1c0518267bd11ccee3d893db815e421ce8aefcb3c
SHA2569cfcb17c7885aa1dd03999e4d5bc8126cc146bbac90e77724d73898efb9cc821
SHA512c2d4dd177f36f58c8bb163f14e694614c03696c956ac22ba4d19ce4bdda161a39b958ca330898d82190d28d49eb551f40be5eb31a526ce0916f86e0751537aa1
-
Filesize
195KB
MD52a4f94207df32a0106f01cc4928f7bb2
SHA1598b500cfaf016c84607e24783b7e79f94e5809d
SHA2565cc447915f724152d694625c2a97cbdb805d737544edf8cb0ffdd3798e9e9718
SHA5128d2dfd0301f85ecab0dc7b59c1d96eaeb47c3bfda73525f2562bc0b5c17a2dbb7f01dcdb5da4f967d3f0703b422153adb01e7e2f30648335732a6a58485c9138
-
Filesize
146KB
MD5b2c950ec2efaf5620bbd0e1ffb0ab3c0
SHA11794b0e229973571994e4013ee09452762eb836d
SHA25634310a71c1b146b93953be157b583bdc99bab5d75e882ba14c36695962ac712e
SHA51298acc6367a3771b36c858c94f27803e2b5c6820b2385525bc1f6d6b8e96940a3abee3a3c94c3dd965ba89e4ec49568a19a89ebad98c0170e578577d561924d5c
-
Filesize
201KB
MD5126d7b8b1ca25a171b0b65241ca789f7
SHA1c0282b71b33b66f4a4dda4159b17b2f405b91bb9
SHA256e362524327de3706e18d41b25b982fb01f4bebc0304a36379ea8f5024f588146
SHA512d7f25b26a821bb29df5cc43b7e3776975fa0a26808fa37858ca7e99cd0a6ad5a52864f2bcd8cf9b949dbde1c332c017c05e6c4e84579a9658ba213f510ea2983
-
Filesize
119KB
MD5785233dc85eab5fc8edf0a17d4dc819d
SHA1f9979bcba1af22f5f2d49c73100b3be9814ca809
SHA2561ac17885a814cc10db83ba47b7352a165332f180905194077789caf39d792480
SHA512b37e06adc779a3a3ee4195e80de89499a02ea6f371fd87b34ed03a8c71b42a2ab86aa4fb8530c8780f5889faa486bbc7c6564a4d6a7d7d119984f71da085124a
-
Filesize
92KB
MD528c16efdbede7335209dcc04cfd2bc88
SHA12a88439d7a4ae8b964b2329ac6e035d7961d7bfc
SHA256e38ddd9ab1a9a1405bf3428392aaee0e5fddc656468025262e963f8732e18b85
SHA51201d58332d0505b8baf7cd25e405bb29758617c3ee07241ba52ca24b0010e0bb7cc06f51a15507f929e98393907f19f8bc335b60b14870495dd0a130a8fb9a75c
-
Filesize
38KB
MD5d9dd3d128366d0cf0e738d9bcee6b1fe
SHA13dfceddecedba298d66e254f88694d228f4f0bb6
SHA256739710a6ba5cadaed4b121829b9aec505a02001662541d5ac74cb989d4bc6012
SHA512394cbf30cf03f49fe67f539304d6f121ede51ce27c3071c3de45719aed8669863994143c15a48dfc2f0ab8f2898324b136ae2d8f732e903bd70d1c10dfd5ddb1
-
Filesize
150KB
MD58613133bbbff1bb07020799b53f70305
SHA173da386a2d601b21a82f57eb7315e3933b18a2fb
SHA2563155ffe69614e6b4d32153d7de6001685ad849245a8118afeb9362fcefed4b11
SHA5120fd04a06218a1325c3d6ebc0cb6a09b328129b24ed3bbdbed22596d7068efb675d2adb1f5ea614b358bf87d8d34603959e67a605f25e2a9f13fe6559d438548d
-
Filesize
234KB
MD56790ef320630c8ddced5259d1d0c2edd
SHA1443b2bc63765899355d6bf28ac6658f964b5511b
SHA2563d75c8c0cfe850348d6950a722f7ff1b869c54cd0901765a1f1b8efc4f0ea2b8
SHA5121a66835c63143a4b92472c9845a8d17c0dc6beafe1bfb43afb3cad0e25776e65f896c252a44aafa21e77769f9afd6b1f6d1123219900937c7867417464df93ee
-
Filesize
183KB
MD5f62877d87d3895b2fa429486a42b358b
SHA1efe69b21005b74f560a39d1832035898500e9dfd
SHA256de83298a78b39df8b78c9e95c93e6ca7f61c5870e25c19888084501084a3a857
SHA5126a18d8d5c82fc8588c12d689170786997f6424d192eb713fca4f32391a2d8480ce4ad1f053e99df8fd3be747c84933c2cb105ffc85ba6ce43fd6a32af21e27f6
-
Filesize
809KB
MD53649058f72f0d1907c0c114643d77e97
SHA129caa81379dde0bc1e93cea147c57a104cc03740
SHA25627fbb5c344859e0a6b56da1e9c38bbc7f118f8141f41b615ea5302d7530f9531
SHA5120a13f4ac7c7d0236a5b0ff9eee47457ade148107821028e1e92f87c94bf666d50bb142b39d542325137897a925d3b564abe89a832c2bb1e686cc1161931dcc57
-
Filesize
150KB
MD557677274e811ac80cbc112ea2f6d4ebc
SHA1a01bf46d2b91144f2c2250501fe21d35b81a90cc
SHA2566f249f6626140d445b7764ea4a06e87a66fb83f1388e9e505338d686778aff47
SHA512f94c39f683ff6f674767461c1343f245fcc2ead7584837b0b3182afa02399209157dc53a677eaa9dc64181247a3dda65359019aa095de6f4df84a0af74c77647
-
Filesize
122KB
MD5184e0e275b82aec491102620ed2364fc
SHA1e13be8c750690e0b3fb12ebec41bbcf1be92b0db
SHA2560ad0151bb70c742deaea45b201ea624dea80b9fe00ba1cd69061c5b01db1bec8
SHA5122a9bb2bb811307e621127be589dc96317d7c304e7d9dacac8c68eee1efba4f51bf9c64ed42bc958fdee6f022d091f19072f78400835fac38a4166c9d76006182
-
Filesize
134KB
MD5aa89f6afca6d8225422f74119609be92
SHA144c95c94bfa279c36180f48d85da9b6befa7fbac
SHA256a3022ec4985ea936fde908597405fbaf0fb0d311efb3ce28b9b4f6d0f34c6bf7
SHA512bda089d28d5d287da436123d29cc510281f8d142bbabb4865e957f0e9d0114bd01adcbfc922d0ae4511d4134eec081aede93bd8bdfbac901158a84e6033a9878
-
Filesize
92KB
MD58f469d962caa23212ee234b0c91cda12
SHA1b1cabba1693101b7e6b8c67699f46eb72b5bcf2f
SHA25627b8bbc8a0c0990800d95e915164bc8190a5575ed1b090a12c6deaaae452a748
SHA51261fa7e537a522b9a708e5a783ce3beb4ed0ffd8fcfd80217dd33f5a79c36f882f83c3282c318e8b3993632cd95cc73d9988be5873a2820c3b98eef9620ba20d1
-
Filesize
65B
MD564acfa7e03b01f48294cf30d201a0026
SHA110facd995b38a095f30b4a800fa454c0bcbf8438
SHA256ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA51265a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a
-
Filesize
76KB
MD5129170eb6351289a0bcae5cf8143524d
SHA161c02723f1407e1a74b24fdd1b99e9a37eee0aec
SHA256b41a224530eb02fd4152325fafaf431843518b3eb942f35ef09b72bf0635b2aa
SHA51245607403f434876b35fd8fdaa098bc1dddb95a53e799afc063fb7280fe50a282c4f12befebe2eaace2b184d4391588614b921d395aa8b19aab8f30736f6a535a
-
Filesize
69KB
MD58ea1875d9a79363df18cda0da6945c41
SHA1138df9ac54e4fcc581410c95328c51a035013115