Analysis
max time kernel: 99s
max time network: 125s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 14-01-2024 05:28
Behavioral task behavioral1
Sample: 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
Resource: win7-20231215-en
Behavioral task behavioral2
Sample: 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
Resource: win10v2004-20231215-en
General
Target: 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
Size: 67KB
MD5: 5a6773f4b0ef8fa2c936e7e10c9e4ce5
SHA1: d06db69a642e0dbbabd05ecf01baf34e5d5fdb7c
SHA256: 3d8286cdbd2fa89626de935fd278ae5c0f80198c9c7ba342e4c7c203651a8ae9
SHA512: 69f5309f8a52dec6698493fb9d900a155bc417eabfb991acabdec386de306ecbab5788f867fc732a4057d0379faa6e671be52e772e0eec9ac4d57a3ecd6b76d3
SSDEEP: 1536:/7OE59Vyzrc8K3WgFtKhJP+tcrVOXKzaJThZfaKhQiSEKNJh:jV5998K3WQ8fjEXKgZfnhfxuh
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 6 IoCs)
Disables RegEdit via registry modification (6 IoCs)
Disables use of System Restore points (1 TTP)
Drops file in Drivers directory (24 IoCs)
Sets file execution options in registry (2 TTPs, 64 IoCs)
Executes dropped EXE (30 IoCs)
Loads dropped DLL (61 IoCs)
Adds Run key to start application (2 TTPs, 24 IoCs)
Drops desktop.ini file(s) (64 IoCs)
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\P: Kazekage.exe
File opened (read-only) \??\N: 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
File opened (read-only) \??\Y: smss.exe
File opened (read-only) \??\X: csrss.exe
File opened (read-only) \??\W: Gaara.exe
File opened (read-only) \??\K: Kazekage.exe
File opened (read-only) \??\U: system32.exe
File opened (read-only) \??\B: smss.exe
File opened (read-only) \??\Y: Kazekage.exe
File opened (read-only) \??\H: 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
File opened (read-only) \??\Q: 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
File opened (read-only) \??\H: csrss.exe
File opened (read-only) \??\T: csrss.exe
File opened (read-only) \??\M: Gaara.exe
File opened (read-only) \??\X: Kazekage.exe
File opened (read-only) \??\T: 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
File opened (read-only) \??\K: smss.exe
File opened (read-only) \??\O: csrss.exe
File opened (read-only) \??\N: Gaara.exe
File opened (read-only) \??\Q: Gaara.exe
File opened (read-only) \??\X: Gaara.exe
File opened (read-only) \??\Y: 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
File opened (read-only) \??\T: Gaara.exe
File opened (read-only) \??\G: system32.exe
File opened (read-only) \??\R: system32.exe
File opened (read-only) \??\U: 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
File opened (read-only) \??\O: Gaara.exe
File opened (read-only) \??\O: 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
File opened (read-only) \??\V: 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
File opened (read-only) \??\E: system32.exe
File opened (read-only) \??\P: system32.exe
File opened (read-only) \??\A: Gaara.exe
File opened (read-only) \??\V: smss.exe
File opened (read-only) \??\A: csrss.exe
File opened (read-only) \??\H: Gaara.exe
File opened (read-only) \??\I: Kazekage.exe
File opened (read-only) \??\L: system32.exe
File opened (read-only) \??\R: 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
File opened (read-only) \??\N: smss.exe
File opened (read-only) \??\Q: smss.exe
File opened (read-only) \??\U: smss.exe
File opened (read-only) \??\V: Gaara.exe
File opened (read-only) \??\W: system32.exe
File opened (read-only) \??\Z: csrss.exe
File opened (read-only) \??\R: Gaara.exe
File opened (read-only) \??\H: Kazekage.exe
File opened (read-only) \??\U: Kazekage.exe
File opened (read-only) \??\I: system32.exe
File opened (read-only) \??\E: 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
File opened (read-only) \??\G: smss.exe
File opened (read-only) \??\B: csrss.exe
File opened (read-only) \??\N: csrss.exe
File opened (read-only) \??\U: Gaara.exe
File opened (read-only) \??\L: smss.exe
File opened (read-only) \??\K: csrss.exe
File opened (read-only) \??\P: csrss.exe
File opened (read-only) \??\Y: system32.exe
File opened (read-only) \??\Z: system32.exe
File opened (read-only) \??\R: smss.exe
File opened (read-only) \??\Z: Gaara.exe
File opened (read-only) \??\E: Kazekage.exe
File opened (read-only) \??\G: 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
File opened (read-only) \??\O: system32.exe
File opened (read-only) \??\J: smss.exe
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process
File created D:\Autorun.inf Kazekage.exe
File opened for modification F:\Autorun.inf Kazekage.exe
File created \??\R:\Autorun.inf system32.exe
File opened for modification \??\Q:\Autorun.inf 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
File opened for modification \??\P:\Autorun.inf Gaara.exe
File created \??\R:\Autorun.inf csrss.exe
File created \??\B:\Autorun.inf Kazekage.exe
File created \??\G:\Autorun.inf 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
File opened for modification \??\B:\Autorun.inf Gaara.exe
File created \??\S:\Autorun.inf Gaara.exe
File created \??\T:\Autorun.inf Gaara.exe
File created \??\Z:\Autorun.inf Gaara.exe
File opened for modification C:\Autorun.inf system32.exe
File created \??\E:\Autorun.inf Gaara.exe
File created \??\L:\Autorun.inf Gaara.exe
File created \??\Y:\Autorun.inf Gaara.exe
File created \??\I:\Autorun.inf csrss.exe
File created \??\O:\Autorun.inf csrss.exe
File created \??\M:\Autorun.inf Kazekage.exe
File opened for modification \??\Q:\Autorun.inf system32.exe
File opened for modification \??\G:\Autorun.inf 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
File opened for modification \??\A:\Autorun.inf Gaara.exe
File opened for modification \??\S:\Autorun.inf Kazekage.exe
File opened for modification \??\G:\Autorun.inf smss.exe
File opened for modification \??\W:\Autorun.inf csrss.exe
File opened for modification \??\S:\Autorun.inf csrss.exe
File created \??\Y:\Autorun.inf csrss.exe
File opened for modification \??\A:\Autorun.inf Kazekage.exe
File created \??\H:\Autorun.inf Kazekage.exe
File created \??\G:\Autorun.inf smss.exe
File created \??\A:\Autorun.inf Gaara.exe
File opened for modification \??\P:\Autorun.inf csrss.exe
File created \??\S:\Autorun.inf Kazekage.exe
File created \??\O:\Autorun.inf system32.exe
File created \??\K:\Autorun.inf Gaara.exe
File opened for modification \??\N:\Autorun.inf Gaara.exe
File created \??\G:\Autorun.inf Gaara.exe
File opened for modification \??\K:\Autorun.inf csrss.exe
File created \??\X:\Autorun.inf csrss.exe
File opened for modification \??\G:\Autorun.inf Kazekage.exe
File created \??\Q:\Autorun.inf Kazekage.exe
File created \??\I:\Autorun.inf system32.exe
File created \??\W:\Autorun.inf 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
File opened for modification \??\V:\Autorun.inf smss.exe
File created \??\T:\Autorun.inf 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
File opened for modification D:\Autorun.inf Gaara.exe
File opened for modification \??\L:\Autorun.inf Kazekage.exe
File created \??\K:\Autorun.inf system32.exe
File opened for modification \??\S:\Autorun.inf system32.exe
File opened for modification F:\Autorun.inf 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
File created \??\L:\Autorun.inf 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
File opened for modification \??\A:\Autorun.inf csrss.exe
File created \??\A:\Autorun.inf Kazekage.exe
File opened for modification \??\I:\Autorun.inf Gaara.exe
File created \??\P:\Autorun.inf system32.exe
File created \??\X:\Autorun.inf Gaara.exe
File opened for modification \??\N:\Autorun.inf csrss.exe
File opened for modification \??\Q:\Autorun.inf csrss.exe
File opened for modification \??\V:\Autorun.inf Kazekage.exe
File opened for modification C:\Autorun.inf smss.exe
File opened for modification \??\S:\Autorun.inf Gaara.exe
File opened for modification \??\O:\Autorun.inf csrss.exe
File opened for modification \??\Z:\Autorun.inf csrss.exe
File opened for modification \??\Z:\Autorun.inf 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
Drops file in System32 directory 38 IoCs
description ioc Process
File opened for modification C:\Windows\SysWOW64\14-1-2024.exe 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
File opened for modification C:\Windows\SysWOW64\ 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll csrss.exe
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Kazekage.exe
File created C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe
File created C:\Windows\SysWOW64\msvbvm60.dll system32.exe
File opened for modification C:\Windows\SysWOW64\ smss.exe
File opened for modification C:\Windows\SysWOW64\ csrss.exe
File opened for modification C:\Windows\SysWOW64\Desktop.ini system32.exe
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx system32.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll system32.exe
File created C:\Windows\SysWOW64\Desktop.ini 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
File opened for modification C:\Windows\SysWOW64\Desktop.ini smss.exe
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Gaara.exe
File created C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe
File opened for modification C:\Windows\SysWOW64\Desktop.ini 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll smss.exe
File opened for modification C:\Windows\SysWOW64\Desktop.ini Gaara.exe
File opened for modification C:\Windows\SysWOW64\ Kazekage.exe
File created C:\Windows\SysWOW64\14-1-2024.exe 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
File opened for modification C:\Windows\SysWOW64\14-1-2024.exe Gaara.exe
File created C:\Windows\SysWOW64\msvbvm60.dll csrss.exe
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
File opened for modification C:\Windows\SysWOW64\Desktop.ini csrss.exe
File opened for modification C:\Windows\SysWOW64\Desktop.ini Kazekage.exe
File created C:\Windows\SysWOW64\msvbvm60.dll 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
File opened for modification C:\Windows\SysWOW64\14-1-2024.exe smss.exe
File opened for modification C:\Windows\SysWOW64\14-1-2024.exe csrss.exe
File opened for modification C:\Windows\SysWOW64\14-1-2024.exe system32.exe
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx smss.exe
File opened for modification C:\Windows\SysWOW64\ Gaara.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe
File opened for modification C:\Windows\SysWOW64\14-1-2024.exe Kazekage.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx csrss.exe
File created C:\Windows\SysWOW64\msvbvm60.dll smss.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe
File opened for modification C:\Windows\SysWOW64\ system32.exe
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe
Drops file in Windows directory 64 IoCs
description ioc Process
File opened for modification C:\Windows\system\msvbvm60.dll 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
File opened for modification C:\Windows\system\mscoree.dll csrss.exe
File created C:\Windows\Fonts\Admin 14 - 1 - 2024\msvbvm60.dll system32.exe
File opened for modification C:\Windows\msvbvm60.dll smss.exe
File opened for modification C:\Windows\ Kazekage.exe
File opened for modification C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe Gaara.exe
File created C:\Windows\Fonts\Admin 14 - 1 - 2024\msvbvm60.dll Gaara.exe
File created C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe system32.exe
File created C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe Gaara.exe
File opened for modification C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe smss.exe
File opened for modification C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe smss.exe
File created C:\Windows\WBEM\msvbvm60.dll smss.exe
File opened for modification C:\Windows\system\msvbvm60.dll csrss.exe
File created C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe Kazekage.exe
File opened for modification C:\Windows\mscomctl.ocx 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
File opened for modification C:\Windows\ 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
File opened for modification C:\Windows\mscomctl.ocx Kazekage.exe
File created C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
File opened for modification C:\Windows\Fonts\The Kazekage.jpg smss.exe
File opened for modification C:\Windows\system\msvbvm60.dll smss.exe
File opened for modification C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe Gaara.exe
File opened for modification C:\Windows\msvbvm60.dll csrss.exe
File created C:\Windows\Fonts\Admin 14 - 1 - 2024\msvbvm60.dll Kazekage.exe
File opened for modification C:\Windows\system\msvbvm60.dll Kazekage.exe
File opened for modification C:\Windows\Fonts\The Kazekage.jpg system32.exe
File created C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
File opened for modification C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
File opened for modification C:\Windows\msvbvm60.dll Gaara.exe
File opened for modification C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe csrss.exe
File created C:\Windows\WBEM\msvbvm60.dll csrss.exe
File opened for modification C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe system32.exe
File opened for modification C:\Windows\msvbvm60.dll system32.exe
File created C:\Windows\WBEM\msvbvm60.dll system32.exe
File opened for modification C:\Windows\mscomctl.ocx system32.exe
File created C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe csrss.exe
File opened for modification C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe system32.exe
File created C:\Windows\Fonts\Admin 14 - 1 - 2024\msvbvm60.dll smss.exe
File opened for modification C:\Windows\Fonts\The Kazekage.jpg Gaara.exe
File opened for modification C:\Windows\system\msvbvm60.dll Gaara.exe
File created C:\Windows\Fonts\The Kazekage.jpg 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
File opened for modification C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
File opened for modification C:\Windows\Fonts\Admin 14 - 1 - 2024\msvbvm60.dll 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
File created C:\Windows\msvbvm60.dll 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
File opened for modification C:\Windows\msvbvm60.dll 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
File created C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe csrss.exe
File opened for modification C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe csrss.exe
File opened for modification C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe Kazekage.exe
File opened for modification C:\Windows\mscomctl.ocx Gaara.exe
File created C:\Windows\Fonts\Admin 14 - 1 - 2024\msvbvm60.dll 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
File created C:\Windows\Fonts\Admin 14 - 1 - 2024\msvbvm60.dll csrss.exe
File created C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe Kazekage.exe
File opened for modification C:\Windows\mscomctl.ocx csrss.exe
File created C:\Windows\system\msvbvm60.dll 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
File created C:\Windows\WBEM\msvbvm60.dll Gaara.exe
File created C:\Windows\mscomctl.ocx 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
File opened for modification C:\Windows\ csrss.exe
File opened for modification C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe Gaara.exe
File opened for modification C:\Windows\system\mscoree.dll system32.exe
File created C:\Windows\mscomctl.ocx smss.exe
File opened for modification C:\Windows\ smss.exe
File opened for modification C:\Windows\ system32.exe
File opened for modification C:\Windows\system\msvbvm60.dll system32.exe
File created C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe smss.exe
File opened for modification C:\Windows\system\mscoree.dll smss.exe
Modifies Control Panel 64 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" csrss.exe
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Screen Saver.Marquee csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" Kazekage.exe
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Screen Saver.Marquee Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Screen Saver.Marquee\Size = "72" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Screen Saver.Marquee\Speed = "4" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Screen Saver.Marquee\Size = "72" smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Screen Saver.Marquee\Speed = "4" system32.exe
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Desktop smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Desktop\WallpaperStyle = "2" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Screen Saver.Marquee\Speed = "4" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Desktop\WallpaperStyle = "2" system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" smss.exe
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Screen Saver.Marquee 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Screen Saver.Marquee system32.exe
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Desktop csrss.exe
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Desktop system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Screen Saver.Marquee\Speed = "4" 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Desktop\WallpaperStyle = "2" 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Desktop\WallpaperStyle = "2" smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Desktop\WallpaperStyle = "2" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" system32.exe
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Desktop 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Screen Saver.Marquee\Speed = "4" smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Desktop Kazekage.exe
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Screen Saver.Marquee smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" Gaara.exe
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Screen Saver.Marquee Gaara.exe
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" smss.exe
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main csrss.exe
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main Gaara.exe
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" system32.exe
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main system32.exe
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Kazekage.exe
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
Modifies registry class 48 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command system32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command csrss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Gaara.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Gaara.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Kazekage.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Kazekage.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" system32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" smss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command csrss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command system32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command csrss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Kazekage.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Gaara.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Gaara.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Kazekage.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" system32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command system32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command smss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Gaara.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command system32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" system32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command smss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Gaara.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Gaara.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Kazekage.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Kazekage.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" system32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command smss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" csrss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Gaara.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Kazekage.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Kazekage.exe
Runs ping.exe 1 TTPs 36 IoCs
pid Process
ping.exe (36 processes): 2884, 312, 2728, 2596, 3000, 3060, 2152, 1536, 2120, 1744, 2564, 884, 2672, 2656, 1756, 1176, 2052, 1860, 1304, 2424, 1644, 2008, 1768, 388, 1848, 2956, 2808, 2968, 1472, 2444, 1740, 2576, 1664, 812, 2220, 2824
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process (number of events)
2676 smss.exe (12)
1620 csrss.exe (12)
2816 Gaara.exe (12)
2948 Kazekage.exe (12)
1212 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe (12)
932 system32.exe (4)
Suspicious use of SetWindowsHookEx 31 IoCs
pid Process
1212 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
smss.exe: 2676, 2656, 332, 2868, 1940, 2812
Gaara.exe: 2816, 1956, 868, 1148, 1388, 2168
csrss.exe: 1620, 748, 2080, 1592, 2536, 1980
Kazekage.exe: 2948, 1788, 948, 1168, 2484, 1452
system32.exe: 932, 1856, 2172, 1664, 3060, 1600
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target (each write was recorded 4 times, 64 events in total)
PID 1212 wrote to memory of 2676 | 1212 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe | 28
PID 2676 wrote to memory of 2656 | 2676 smss.exe | 29
PID 2676 wrote to memory of 2816 | 2676 smss.exe | 30
PID 2816 wrote to memory of 332 | 2816 Gaara.exe | 31
PID 2816 wrote to memory of 1956 | 2816 Gaara.exe | 32
PID 2816 wrote to memory of 1620 | 2816 Gaara.exe | 33
PID 1620 wrote to memory of 2868 | 1620 csrss.exe | 57
PID 1620 wrote to memory of 868 | 1620 csrss.exe | 56
PID 1620 wrote to memory of 748 | 1620 csrss.exe | 55
PID 1620 wrote to memory of 2948 | 1620 csrss.exe | 54
PID 2948 wrote to memory of 1940 | 2948 Kazekage.exe | 34
PID 2948 wrote to memory of 1148 | 2948 Kazekage.exe | 35
PID 2948 wrote to memory of 2080 | 2948 Kazekage.exe | 36
PID 2948 wrote to memory of 1788 | 2948 Kazekage.exe | 38
PID 2948 wrote to memory of 932 | 2948 Kazekage.exe | 37
PID 932 wrote to memory of 2812 | 932 system32.exe | 39
System policy modification 1 TTPs 12 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System system32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Kazekage.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Gaara.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe (PID 1212)
  cmd: "C:\Users\Admin\AppData\Local\Temp\5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe"
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - UAC bypass
  - Disables RegEdit via registry modification
  - Drops file in Drivers directory
  - Sets file execution options in registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  [2] C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe (PID 2676)
    cmd: "C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe"
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - UAC bypass
    - Disables RegEdit via registry modification
    - Drops file in Drivers directory
    - Sets file execution options in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Sets desktop wallpaper using registry
    - Drops file in Windows directory
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    [3] C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe (PID 2656)
      cmd: "C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
    [3] C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe (PID 2816)
      cmd: "C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe"
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - UAC bypass
      - Disables RegEdit via registry modification
      - Drops file in Drivers directory
      - Sets file execution options in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops desktop.ini file(s)
      - Enumerates connected drives
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Sets desktop wallpaper using registry
      - Drops file in Windows directory
      - Modifies Control Panel
      - Modifies Internet Explorer settings
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
      [4] C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe (PID 332)
        cmd: "C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
      [4] C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe (PID 1956)
        cmd: "C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
      [4] C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe (PID 1620)
        cmd: "C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe"
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - UAC bypass
        - Disables RegEdit via registry modification
        - Drops file in Drivers directory
        - Sets file execution options in registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops desktop.ini file(s)
        - Enumerates connected drives
        - Drops autorun.inf file
        - Drops file in System32 directory
        - Sets desktop wallpaper using registry
        - Drops file in Windows directory
        - Modifies Control Panel
        - Modifies Internet Explorer settings
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification
        [5] C:\Windows\SysWOW64\drivers\system32.exe (PID 2172)
          cmd: C:\Windows\system32\drivers\system32.exe
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        [5] C:\Windows\SysWOW64\drivers\Kazekage.exe (PID 2948)
          cmd: C:\Windows\system32\drivers\Kazekage.exe
          - Modifies WinLogon for persistence
          - Modifies visibility of file extensions in Explorer
          - Modifies visibility of hidden/system files in Explorer
          - UAC bypass
          - Disables RegEdit via registry modification
          - Drops file in Drivers directory
          - Sets file execution options in registry
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops desktop.ini file(s)
          - Enumerates connected drives
          - Drops autorun.inf file
          - Drops file in System32 directory
          - Sets desktop wallpaper using registry
          - Drops file in Windows directory
          - Modifies Control Panel
          - Modifies Internet Explorer settings
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          - System policy modification
          [6] C:\Windows\SysWOW64\ping.exe (PID 1664)
            cmd: ping -a -l www.rasasayang.com.my 65500
            - Runs ping.exe
          [6] C:\Windows\SysWOW64\ping.exe (PID 388)
            cmd: ping -a -l www.duniasex.com 65500
            - Runs ping.exe
          [6] C:\Windows\SysWOW64\ping.exe (PID 2220)
            cmd: ping -a -l www.rasasayang.com.my 65500
            - Runs ping.exe
          [6] C:\Windows\SysWOW64\ping.exe (PID 1740)
            cmd: ping -a -l www.duniasex.com 65500
            - Runs ping.exe
          [6] C:\Windows\SysWOW64\ping.exe (PID 1472)
            cmd: ping -a -l www.rasasayang.com.my 65500
            - Runs ping.exe
          [6] C:\Windows\SysWOW64\ping.exe (PID 2008)
            cmd: ping -a -l www.duniasex.com 65500
            - Runs ping.exe
        [5] C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe (PID 748)
          cmd: "C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetWindowsHookEx
        [5] C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe (PID 868)
          cmd: "C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetWindowsHookEx
        [5] C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe (PID 2868)
          cmd: "C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetWindowsHookEx
        [5] C:\Windows\SysWOW64\ping.exe (PID 1756)
          cmd: ping -a -l www.rasasayang.com.my 65500
          - Runs ping.exe
        [5] C:\Windows\SysWOW64\ping.exe (PID 1768)
          cmd: ping -a -l www.duniasex.com 65500
          - Runs ping.exe
        [5] C:\Windows\SysWOW64\ping.exe (PID 2672)
          cmd: ping -a -l www.duniasex.com 65500
          - Runs ping.exe
        [5] C:\Windows\SysWOW64\ping.exe (PID 1744)
          cmd: ping -a -l www.rasasayang.com.my 65500
          - Runs ping.exe
        [5] C:\Windows\SysWOW64\ping.exe (PID 1644)
          cmd: ping -a -l www.rasasayang.com.my 65500
          - Runs ping.exe
        [5] C:\Windows\SysWOW64\ping.exe (PID 3060)
          cmd: ping -a -l www.duniasex.com 65500
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\drivers\system32.exe (PID 1664)
        cmd: C:\Windows\system32\drivers\system32.exe
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      [4] C:\Windows\SysWOW64\drivers\Kazekage.exe (PID 1168)
        cmd: C:\Windows\system32\drivers\Kazekage.exe
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      [4] C:\Windows\SysWOW64\ping.exe (PID 312)
        cmd: ping -a -l www.duniasex.com 65500
        - Runs ping.exe
      [4] C:\Windows\SysWOW64\ping.exe (PID 2444)
        cmd: ping -a -l www.rasasayang.com.my 65500
        - Runs ping.exe
      [4] C:\Windows\SysWOW64\ping.exe (PID 2956)
        cmd: ping -a -l www.rasasayang.com.my 65500
        - Runs ping.exe
      [4] C:\Windows\SysWOW64\ping.exe (PID 1304)
        cmd: ping -a -l www.duniasex.com 65500
        - Runs ping.exe
      [4] C:\Windows\SysWOW64\ping.exe (PID 3000)
        cmd: ping -a -l www.duniasex.com 65500
        - Runs ping.exe
      [4] C:\Windows\SysWOW64\ping.exe (PID 2576)
        cmd: ping -a -l www.rasasayang.com.my 65500
        - Runs ping.exe
    [3] C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe (PID 2536)
      cmd: "C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
    [3] C:\Windows\SysWOW64\drivers\system32.exe (PID 3060)
      cmd: C:\Windows\system32\drivers\system32.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    [3] C:\Windows\SysWOW64\drivers\Kazekage.exe (PID 2484)
      cmd: C:\Windows\system32\drivers\Kazekage.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    [3] C:\Windows\SysWOW64\ping.exe (PID 884)
      cmd: ping -a -l www.rasasayang.com.my 65500
      - Runs ping.exe
    [3] C:\Windows\SysWOW64\ping.exe (PID 2884)
      cmd: ping -a -l www.duniasex.com 65500
      - Runs ping.exe
    [3] C:\Windows\SysWOW64\ping.exe (PID 1176)
      cmd: ping -a -l www.rasasayang.com.my 65500
      - Runs ping.exe
    [3] C:\Windows\SysWOW64\ping.exe (PID 812)
      cmd: ping -a -l www.duniasex.com 65500
      - Runs ping.exe
    [3] C:\Windows\SysWOW64\ping.exe (PID 2824)
      cmd: ping -a -l www.rasasayang.com.my 65500
      - Runs ping.exe
    [3] C:\Windows\SysWOW64\ping.exe (PID 2424)
      cmd: ping -a -l www.duniasex.com 65500
      - Runs ping.exe
  [2] C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe (PID 2168)
    cmd: "C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
  [2] C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe (PID 1980)
    cmd: "C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
  [2] C:\Windows\SysWOW64\drivers\Kazekage.exe (PID 1452)
    cmd: C:\Windows\system32\drivers\Kazekage.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  [2] C:\Windows\SysWOW64\drivers\system32.exe (PID 1600)
    cmd: C:\Windows\system32\drivers\system32.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  [2] C:\Windows\SysWOW64\ping.exe (PID 2152)
    cmd: ping -a -l www.rasasayang.com.my 65500
    - Runs ping.exe
  [2] C:\Windows\SysWOW64\ping.exe (PID 1536)
    cmd: ping -a -l www.duniasex.com 65500
    - Runs ping.exe
  [2] C:\Windows\SysWOW64\ping.exe (PID 1848)
    cmd: ping -a -l www.rasasayang.com.my 65500
    - Runs ping.exe
  [2] C:\Windows\SysWOW64\ping.exe (PID 2968)
    cmd: ping -a -l www.duniasex.com 65500
    - Runs ping.exe
  [2] C:\Windows\SysWOW64\ping.exe (PID 2052)
    cmd: ping -a -l www.rasasayang.com.my 65500
    - Runs ping.exe
  [2] C:\Windows\SysWOW64\ping.exe (PID 1860)
    cmd: ping -a -l www.duniasex.com 65500
    - Runs ping.exe
[1] C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe (PID 1940)
  cmd: "C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
[1] C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe (PID 1148)
  cmd: "C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
[1] C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe (PID 2080)
  cmd: "C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
[1] C:\Windows\SysWOW64\drivers\system32.exe (PID 932)
  cmd: C:\Windows\system32\drivers\system32.exe
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - UAC bypass
  - Disables RegEdit via registry modification
  - Drops file in Drivers directory
  - Sets file execution options in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  [2] C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe (PID 2812)
    cmd: "C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
  [2] C:\Windows\SysWOW64\drivers\Kazekage.exe (PID 948)
    cmd: C:\Windows\system32\drivers\Kazekage.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  [2] C:\Windows\SysWOW64\drivers\system32.exe (PID 1856)
    cmd: C:\Windows\system32\drivers\system32.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  [2] C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe (PID 1592)
    cmd: "C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
  [2] C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe (PID 1388)
    cmd: "C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
  [2] C:\Windows\SysWOW64\ping.exe (PID 2120)
    cmd: ping -a -l www.rasasayang.com.my 65500
    - Runs ping.exe
  [2] C:\Windows\SysWOW64\ping.exe (PID 2808)
    cmd: ping -a -l www.duniasex.com 65500
    - Runs ping.exe
  [2] C:\Windows\SysWOW64\ping.exe (PID 2728)
    cmd: ping -a -l www.rasasayang.com.my 65500
    - Runs ping.exe
  [2] C:\Windows\SysWOW64\ping.exe (PID 2596)
    cmd: ping -a -l www.duniasex.com 65500
    - Runs ping.exe
  [2] C:\Windows\SysWOW64\ping.exe (PID 2656)
    cmd: ping -a -l www.rasasayang.com.my 65500
    - Runs ping.exe
  [2] C:\Windows\SysWOW64\ping.exe (PID 2564)
    cmd: ping -a -l www.duniasex.com 65500
    - Runs ping.exe
[1] C:\Windows\SysWOW64\drivers\Kazekage.exe (PID 1788)
  cmd: C:\Windows\system32\drivers\Kazekage.exe
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (9)
Downloads