Analysis
max time kernel: 91s
max time network: 141s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/01/2024, 05:28
Behavioral task behavioral1
Sample: 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
Resource: win7-20231215-en

Behavioral task behavioral2
Sample: 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
Resource: win10v2004-20231215-en
General
Target: 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
Size: 67KB
MD5: 5a6773f4b0ef8fa2c936e7e10c9e4ce5
SHA1: d06db69a642e0dbbabd05ecf01baf34e5d5fdb7c
SHA256: 3d8286cdbd2fa89626de935fd278ae5c0f80198c9c7ba342e4c7c203651a8ae9
SHA512: 69f5309f8a52dec6698493fb9d900a155bc417eabfb991acabdec386de306ecbab5788f867fc732a4057d0379faa6e671be52e772e0eec9ac4d57a3ecd6b76d3
SSDEEP: 1536:/7OE59Vyzrc8K3WgFtKhJP+tcrVOXKzaJThZfaKhQiSEKNJh:jV5998K3WQ8fjEXKgZfnhfxuh
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 12 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Kazekage.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Gaara.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | smss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | smss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | csrss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | csrss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Kazekage.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | system32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | system32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Gaara.exe |
Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | system32.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Kazekage.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Gaara.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | smss.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | csrss.exe |
Modifies visibility of hidden/system files in Explorer (2 TTPs, 6 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | smss.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | csrss.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | system32.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Kazekage.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Gaara.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe |
| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe |
Disables RegEdit via registry modification (6 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | csrss.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | system32.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Kazekage.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Gaara.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | smss.exe |
Disables use of System Restore points (1 TTPs)
Drops file in Drivers directory (24 IoCs)

| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe |
| File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe |
| File created | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe |
| File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe |
| File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe |
| File created | C:\Windows\SysWOW64\drivers\system32.exe | 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe |
| File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe |
| File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe |
| File created | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe |
| File created | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe |
| File created | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe |
| File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe |
| File created | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe |
Sets file execution options in registry (2 TTPs, 64 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" | csrss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" | system32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe | system32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe | Kazekage.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | smss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | Kazekage.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com | 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | csrss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" | csrss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | Kazekage.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe | csrss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com | csrss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | system32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe | Gaara.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | smss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe | csrss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" | smss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | csrss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | Kazekage.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | Kazekage.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" | Gaara.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe | Gaara.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe | smss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | smss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | system32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" | Gaara.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | Gaara.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe | smss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | csrss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe | csrss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | Gaara.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" | 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | smss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | system32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" | Kazekage.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe | Gaara.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | Gaara.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | Gaara.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" | 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | system32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | system32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe | Kazekage.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe | 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe | smss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" | 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | csrss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" | 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | Gaara.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | smss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" | csrss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" | Gaara.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | smss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe |
Executes dropped EXE (30 IoCs)

| pid | Process |
|---|---|
| 2628 | smss.exe |
| 2212 | smss.exe |
| 2120 | Gaara.exe |
| 1420 | smss.exe |
| 4704 | Gaara.exe |
| 4828 | csrss.exe |
| 2804 | smss.exe |
| 2632 | Gaara.exe |
| 4060 | csrss.exe |
| 4500 | Kazekage.exe |
| 4024 | smss.exe |
| 4440 | Gaara.exe |
| 3704 | csrss.exe |
| 3864 | Kazekage.exe |
| 4968 | system32.exe |
| 4956 | smss.exe |
| 2380 | Gaara.exe |
| 2724 | csrss.exe |
| 1596 | Kazekage.exe |
| 1684 | system32.exe |
| 2428 | system32.exe |
| 4924 | Kazekage.exe |
| 1028 | system32.exe |
| 3364 | Gaara.exe |
| 4312 | csrss.exe |
| 1936 | csrss.exe |
| 4224 | Kazekage.exe |
| 3508 | Kazekage.exe |
| 4952 | system32.exe |
| 3860 | system32.exe |
Loads dropped DLL (18 IoCs)

| pid | Process |
|---|---|
| 2628 | smss.exe |
| 2212 | smss.exe |
| 2120 | Gaara.exe |
| 1420 | smss.exe |
| 4704 | Gaara.exe |
| 4828 | csrss.exe |
| 2804 | smss.exe |
| 2632 | Gaara.exe |
| 4060 | csrss.exe |
| 4024 | smss.exe |
| 4440 | Gaara.exe |
| 3704 | csrss.exe |
| 4956 | smss.exe |
| 2380 | Gaara.exe |
| 2724 | csrss.exe |
| 3364 | Gaara.exe |
| 4312 | csrss.exe |
| 1936 | csrss.exe |
Adds Run key to start application (2 TTPs, 24 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 14 - 1 - 2024\\smss.exe" | system32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 14 - 1 - 2024\\smss.exe" | Gaara.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 14 - 1 - 2024\\smss.exe" | 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 14 - 1 - 2024\\Gaara.exe" | 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "14-1-2024.exe" | csrss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Gaara.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "14-1-2024.exe" | Gaara.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 14 - 1 - 2024\\smss.exe" | csrss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | csrss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "14-1-2024.exe" | system32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | system32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "14-1-2024.exe" | Kazekage.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 14 - 1 - 2024\\Gaara.exe" | Gaara.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 14 - 1 - 2024\\smss.exe" | smss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 14 - 1 - 2024\\Gaara.exe" | smss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 14 - 1 - 2024\\Gaara.exe" | csrss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 14 - 1 - 2024\\Gaara.exe" | system32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 14 - 1 - 2024\\smss.exe" | Kazekage.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 14 - 1 - 2024\\Gaara.exe" | Kazekage.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Kazekage.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "14-1-2024.exe" | 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "14-1-2024.exe" | smss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | smss.exe |
Drops desktop.ini file(s) (64 IoCs)

| description | ioc | Process |
|---|---|---|
| File opened for modification | \??\V:\Desktop.ini | Gaara.exe |
| File opened for modification | \??\L:\Desktop.ini | smss.exe |
| File opened for modification | \??\A:\Desktop.ini | system32.exe |
| File opened for modification | \??\G:\Desktop.ini | system32.exe |
| File opened for modification | \??\Z:\Desktop.ini | system32.exe |
| File opened for modification | \??\W:\Desktop.ini | Kazekage.exe |
| File opened for modification | \??\W:\Desktop.ini | smss.exe |
| File opened for modification | \??\I:\Desktop.ini | Gaara.exe |
| File opened for modification | \??\L:\Desktop.ini | 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe |
| File opened for modification | C:\Desktop.ini | smss.exe |
| File opened for modification | D:\Desktop.ini | smss.exe |
| File opened for modification | \??\N:\Desktop.ini | csrss.exe |
| File opened for modification | \??\Q:\Desktop.ini | csrss.exe |
| File opened for modification | C:\Desktop.ini | Kazekage.exe |
| File opened for modification | \??\M:\Desktop.ini | smss.exe |
| File opened for modification | \??\O:\Desktop.ini | smss.exe |
| File opened for modification | \??\R:\Desktop.ini | smss.exe |
| File opened for modification | \??\T:\Desktop.ini | smss.exe |
| File opened for modification | \??\M:\Desktop.ini | csrss.exe |
| File opened for modification | \??\J:\Desktop.ini | system32.exe |
| File opened for modification | \??\O:\Desktop.ini | Kazekage.exe |
| File opened for modification | \??\I:\Desktop.ini | smss.exe |
| File opened for modification | \??\M:\Desktop.ini | Kazekage.exe |
| File opened for modification | \??\K:\Desktop.ini | 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe |
| File opened for modification | \??\M:\Desktop.ini | 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe |
| File opened for modification | \??\Q:\Desktop.ini | system32.exe |
| File opened for modification | \??\T:\Desktop.ini | csrss.exe |
| File opened for modification | \??\W:\Desktop.ini | csrss.exe |
| File opened for modification | \??\X:\Desktop.ini | csrss.exe |
| File opened for modification | \??\U:\Desktop.ini | 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe |
| File opened for modification | \??\Q:\Desktop.ini | Gaara.exe |
| File opened for modification | \??\Q:\Desktop.ini | smss.exe |
| File opened for modification | \??\V:\Desktop.ini | smss.exe |
| File opened for modification | \??\E:\Desktop.ini | csrss.exe |
| File opened for modification | \??\R:\Desktop.ini | system32.exe |
| File opened for modification | \??\U:\Desktop.ini | csrss.exe |
| File opened for modification | \??\N:\Desktop.ini | Gaara.exe |
| File opened for modification | \??\Y:\Desktop.ini | Gaara.exe |
| File opened for modification | \??\I:\Desktop.ini | system32.exe |
| File opened for modification | \??\R:\Desktop.ini | csrss.exe |
| File opened for modification | \??\H:\Desktop.ini | Kazekage.exe |
| File opened for modification | \??\K:\Desktop.ini | Kazekage.exe |
| File opened for modification | \??\H:\Desktop.ini | smss.exe |
| File opened for modification | \??\S:\Desktop.ini | csrss.exe |
| File opened for modification | \??\V:\Desktop.ini | system32.exe |
| File opened for modification | \??\X:\Desktop.ini | system32.exe |
| File opened for modification | \??\P:\Desktop.ini | Gaara.exe |
| File opened for modification | \??\A:\Desktop.ini | csrss.exe |
| File opened for modification | F:\Desktop.ini | system32.exe |
| File opened for modification | \??\O:\Desktop.ini | Gaara.exe |
| File opened for modification | \??\N:\Desktop.ini | 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe |
| File opened for modification | \??\T:\Desktop.ini | Kazekage.exe |
| File opened for modification | \??\Z:\Desktop.ini | Kazekage.exe |
| File opened for modification | \??\Y:\Desktop.ini | 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe |
| File opened for modification | \??\Z:\Desktop.ini | 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe |
| File opened for modification | \??\O:\Desktop.ini | csrss.exe |
| File opened for modification | \??\K:\Desktop.ini | system32.exe |
| File opened for modification | \??\E:\Desktop.ini | Gaara.exe |
| File opened for modification | \??\G:\Desktop.ini | Kazekage.exe |
| File opened for modification | D:\Desktop.ini | csrss.exe |
| File opened for modification | \??\P:\Desktop.ini | Kazekage.exe |
| File opened for modification | \??\W:\Desktop.ini | Gaara.exe |
| File opened for modification | \??\S:\Desktop.ini | 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe |
| File opened for modification | \??\B:\Desktop.ini | csrss.exe |
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory 35 IoCs
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | system32.exe
Drops file in Windows directory 64 IoCs
Modifies Control Panel 64 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Main | 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | smss.exe
Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Main | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Main | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | Gaara.exe
Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Main | smss.exe
Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Main | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | system32.exe
Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Main | Kazekage.exe
Modifies registry class 51 IoCs
Runs ping.exe 1 TTPs 32 IoCs
pid Process
2016 ping.exe
1000 ping.exe
2596 ping.exe
2840 ping.exe
1340 ping.exe
5000 ping.exe
2936 ping.exe
3184 ping.exe
1832 ping.exe
4300 ping.exe
208 ping.exe
2436 ping.exe
4892 ping.exe
4472 ping.exe
3112 ping.exe
4696 ping.exe
216 ping.exe
2400 ping.exe
3156 ping.exe
2524 ping.exe
1492 ping.exe
3284 ping.exe
4328 ping.exe
4144 ping.exe
1488 ping.exe
4924 ping.exe
5084 ping.exe
4416 ping.exe
1716 ping.exe
2412 ping.exe
1464 ping.exe
2936 ping.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
4968 system32.exe
4968 system32.exe
4968 system32.exe
4968 system32.exe
4968 system32.exe
4968 system32.exe
4968 system32.exe
4968 system32.exe
4968 system32.exe
4968 system32.exe
4968 system32.exe
4968 system32.exe
4968 system32.exe
4968 system32.exe
4968 system32.exe
4968 system32.exe
4968 system32.exe
4968 system32.exe
4968 system32.exe
4968 system32.exe
4968 system32.exe
4968 system32.exe
4968 system32.exe
4968 system32.exe
4828 csrss.exe
4828 csrss.exe
4828 csrss.exe
4828 csrss.exe
4828 csrss.exe
4828 csrss.exe
4828 csrss.exe
4828 csrss.exe
4828 csrss.exe
4828 csrss.exe
4828 csrss.exe
4828 csrss.exe
4828 csrss.exe
4828 csrss.exe
4828 csrss.exe
4828 csrss.exe
4828 csrss.exe
4828 csrss.exe
4828 csrss.exe
4828 csrss.exe
4828 csrss.exe
4828 csrss.exe
4828 csrss.exe
4828 csrss.exe
4500 Kazekage.exe
4500 Kazekage.exe
4500 Kazekage.exe
4500 Kazekage.exe
4500 Kazekage.exe
4500 Kazekage.exe
2120 Gaara.exe
2120 Gaara.exe
2120 Gaara.exe
2120 Gaara.exe
2120 Gaara.exe
2120 Gaara.exe
2120 Gaara.exe
2120 Gaara.exe
4500 Kazekage.exe
4500 Kazekage.exe
Suspicious use of SetWindowsHookEx 30 IoCs
pid Process
4688 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
2628 smss.exe
2212 smss.exe
2120 Gaara.exe
1420 smss.exe
4704 Gaara.exe
4828 csrss.exe
2804 smss.exe
2632 Gaara.exe
4060 csrss.exe
4500 Kazekage.exe
4024 smss.exe
4440 Gaara.exe
3864 Kazekage.exe
4968 system32.exe
4956 smss.exe
2380 Gaara.exe
2724 csrss.exe
1596 Kazekage.exe
1684 system32.exe
2428 system32.exe
4924 Kazekage.exe
1028 system32.exe
3364 Gaara.exe
4312 csrss.exe
1936 csrss.exe
4224 Kazekage.exe
3508 Kazekage.exe
4952 system32.exe
3860 system32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 4688 wrote to memory of 2628 4688 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe 90
PID 4688 wrote to memory of 2628 4688 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe 90
PID 4688 wrote to memory of 2628 4688 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe 90
PID 2628 wrote to memory of 2212 2628 smss.exe 91
PID 2628 wrote to memory of 2212 2628 smss.exe 91
PID 2628 wrote to memory of 2212 2628 smss.exe 91
PID 2628 wrote to memory of 2120 2628 smss.exe 92
PID 2628 wrote to memory of 2120 2628 smss.exe 92
PID 2628 wrote to memory of 2120 2628 smss.exe 92
PID 2120 wrote to memory of 1420 2120 Gaara.exe 93
PID 2120 wrote to memory of 1420 2120 Gaara.exe 93
PID 2120 wrote to memory of 1420 2120 Gaara.exe 93
PID 2120 wrote to memory of 4704 2120 Gaara.exe 94
PID 2120 wrote to memory of 4704 2120 Gaara.exe 94
PID 2120 wrote to memory of 4704 2120 Gaara.exe 94
PID 2120 wrote to memory of 4828 2120 Gaara.exe 95
PID 2120 wrote to memory of 4828 2120 Gaara.exe 95
PID 2120 wrote to memory of 4828 2120 Gaara.exe 95
PID 4828 wrote to memory of 2804 4828 csrss.exe 96
PID 4828 wrote to memory of 2804 4828 csrss.exe 96
PID 4828 wrote to memory of 2804 4828 csrss.exe 96
PID 4828 wrote to memory of 2632 4828 csrss.exe 98
PID 4828 wrote to memory of 2632 4828 csrss.exe 98
PID 4828 wrote to memory of 2632 4828 csrss.exe 98
PID 4828 wrote to memory of 4060 4828 csrss.exe 99
PID 4828 wrote to memory of 4060 4828 csrss.exe 99
PID 4828 wrote to memory of 4060 4828 csrss.exe 99
PID 4828 wrote to memory of 4500 4828 csrss.exe 100
PID 4828 wrote to memory of 4500 4828 csrss.exe 100
PID 4828 wrote to memory of 4500 4828 csrss.exe 100
PID 4500 wrote to memory of 4024 4500 Kazekage.exe 102
PID 4500 wrote to memory of 4024 4500 Kazekage.exe 102
PID 4500 wrote to memory of 4024 4500 Kazekage.exe 102
PID 4500 wrote to memory of 4440 4500 Kazekage.exe 103
PID 4500 wrote to memory of 4440 4500 Kazekage.exe 103
PID 4500 wrote to memory of 4440 4500 Kazekage.exe 103
PID 4500 wrote to memory of 3704 4500 Kazekage.exe 104
PID 4500 wrote to memory of 3704 4500 Kazekage.exe 104
PID 4500 wrote to memory of 3704 4500 Kazekage.exe 104
PID 4500 wrote to memory of 3864 4500 Kazekage.exe 105
PID 4500 wrote to memory of 3864 4500 Kazekage.exe 105
PID 4500 wrote to memory of 3864 4500 Kazekage.exe 105
PID 4500 wrote to memory of 4968 4500 Kazekage.exe 108
PID 4500 wrote to memory of 4968 4500 Kazekage.exe 108
PID 4500 wrote to memory of 4968 4500 Kazekage.exe 108
PID 4968 wrote to memory of 4956 4968 system32.exe 109
PID 4968 wrote to memory of 4956 4968 system32.exe 109
PID 4968 wrote to memory of 4956 4968 system32.exe 109
PID 4968 wrote to memory of 2380 4968 system32.exe 110
PID 4968 wrote to memory of 2380 4968 system32.exe 110
PID 4968 wrote to memory of 2380 4968 system32.exe 110
PID 4968 wrote to memory of 2724 4968 system32.exe 112
PID 4968 wrote to memory of 2724 4968 system32.exe 112
PID 4968 wrote to memory of 2724 4968 system32.exe 112
PID 4968 wrote to memory of 1596 4968 system32.exe 113
PID 4968 wrote to memory of 1596 4968 system32.exe 113
PID 4968 wrote to memory of 1596 4968 system32.exe 113
PID 4968 wrote to memory of 1684 4968 system32.exe 115
PID 4968 wrote to memory of 1684 4968 system32.exe 115
PID 4968 wrote to memory of 1684 4968 system32.exe 115
PID 4828 wrote to memory of 2428 4828 csrss.exe 116
PID 4828 wrote to memory of 2428 4828 csrss.exe 116
PID 4828 wrote to memory of 2428 4828 csrss.exe 116
PID 2120 wrote to memory of 4924 2120 Gaara.exe 117
System policy modification 1 TTPs 12 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Gaara.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System system32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Kazekage.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe"C:\Users\Admin\AppData\Local\Temp\5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4688 -
C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe"C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2628 -
C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe"C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2212
-
-
C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe"3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2120 -
C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe"C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1420
-
-
C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4704
-
-
C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe"C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4828 -
C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe"C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2804
-
-
C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2632
-
-
C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe"C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4060
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4500 -
C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe"C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4024
-
-
C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4440
-
-
C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe"C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3704
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3864
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4968 -
C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe"C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4956
-
-
C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2380
-
-
C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe"C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2724
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1596
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1684
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- Runs ping.exe
PID:5000
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- Runs ping.exe
PID:216
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- Runs ping.exe
PID:2936
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- Runs ping.exe
PID:4472
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- Runs ping.exe
PID:2936
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- Runs ping.exe
PID:1488
-
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- Runs ping.exe
PID:2524
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- Runs ping.exe
PID:2436
-
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2428
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- Runs ping.exe
PID:5084
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- Runs ping.exe
PID:4696
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- Runs ping.exe
PID:1464
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- Runs ping.exe
PID:4300
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- Runs ping.exe
PID:208
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- Runs ping.exe
PID:3184
-
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4924
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1028
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- Runs ping.exe
PID:4892
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- Runs ping.exe
PID:3112
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- Runs ping.exe
PID:1716
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- Runs ping.exe
PID:2412
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- Runs ping.exe
PID:1832
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- Runs ping.exe
PID:3156
-
-
-
C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe"C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4312
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3508
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3860
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- Runs ping.exe
PID:4924
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- Runs ping.exe
PID:2016
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- Runs ping.exe
PID:1000
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- Runs ping.exe
PID:2596
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- Runs ping.exe
PID:1492
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- Runs ping.exe
PID:3284
-
-
-
C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3364
-
-
C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe"C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1936
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4224
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4952
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- Runs ping.exe
PID:2840
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- Runs ping.exe
PID:1340
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- Runs ping.exe
PID:4416
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- Runs ping.exe
PID:2400
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- Runs ping.exe
PID:4328
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- Runs ping.exe
PID:4144
-
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵PID:1000
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
- Registry Run Keys / Startup Folder (2)
- Winlogon Helper DLL (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
- Registry Run Keys / Startup Folder (2)
- Winlogon Helper DLL (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Hide Artifacts (2)
- Hidden Files and Directories (2)
- Impair Defenses (1)
- Disable or Modify Tools (1)
- Modify Registry (9)
Downloads