Analysis
max time kernel: 149s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 06-03-2024 22:00
Behavioral task: behavioral1
Sample: b84b639b0153d1216fd29fde70acb39c.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: b84b639b0153d1216fd29fde70acb39c.exe
Resource: win10v2004-20240226-en
General
Target: b84b639b0153d1216fd29fde70acb39c.exe
Size: 301KB
MD5: b84b639b0153d1216fd29fde70acb39c
SHA1: 636af0fc3cbaa18774c17266f391d0f3ee62932c
SHA256: fcf545b1af226807c4636112257a99660eee8a803fa9e46f6a4fa1fe989d0d27
SHA512: 95b9e48693d4907d0dcacf44a2221039f0424408240a068482e4fab891d8c7eb78397604667b85de8cfe660d6800deb1d04498aeac55c5739d8c04919bbef4fa
SSDEEP: 6144:1xzYzaFXi17jklhtVG84jqfhdVG84jqfho:1NEu3VG84YXVG84Yy
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
description | ioc | Process
--- | --- | ---
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | b84b639b0153d1216fd29fde70acb39c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | b84b639b0153d1216fd29fde70acb39c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Gaara.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)
description | ioc | Process
--- | --- | ---
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | b84b639b0153d1216fd29fde70acb39c.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 6 IoCs)
description | ioc | Process
--- | --- | ---
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | b84b639b0153d1216fd29fde70acb39c.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Gaara.exe
description | ioc | Process
--- | --- | ---
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | b84b639b0153d1216fd29fde70acb39c.exe
Disables RegEdit via registry modification (6 IoCs)
description | ioc | Process
--- | --- | ---
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | b84b639b0153d1216fd29fde70acb39c.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | csrss.exe
Disables use of System Restore points (1 TTP)
Drops file in Drivers directory (24 IoCs)
description | ioc | Process
--- | --- | ---
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | b84b639b0153d1216fd29fde70acb39c.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | b84b639b0153d1216fd29fde70acb39c.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | b84b639b0153d1216fd29fde70acb39c.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | b84b639b0153d1216fd29fde70acb39c.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
Sets file execution options in registry (2 TTPs, 64 IoCs)
All keys below are subkeys of \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ (prefix omitted from each row).
description | ioc (subkey under Image File Execution Options) | Process
--- | --- | ---
Key created | HokageFile.exe | b84b639b0153d1216fd29fde70acb39c.exe
Key created | procexp.exe | b84b639b0153d1216fd29fde70acb39c.exe
Set value (str) | kspool.exe\Debugger = "cmd.exe /c del" | csrss.exe
Key created | Funny UST Scandal.avi.exe | csrss.exe
Set value (str) | Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | csrss.exe
Set value (str) | HOKAGE4.exe\Debugger = "cmd.exe /c del" | system32.exe
Set value (str) | Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Set value (str) | kspool.exe\Debugger = "cmd.exe /c del" | b84b639b0153d1216fd29fde70acb39c.exe
Set value (str) | Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Set value (str) | mmc.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Set value (str) | kspoold.exe\Debugger = "cmd.exe /c del" | b84b639b0153d1216fd29fde70acb39c.exe
Set value (str) | msconfig.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe
Set value (str) | msconfig.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Set value (str) | rstrui.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Set value (str) | HOKAGE4.exe\Debugger = "cmd.exe /c del" | smss.exe
Key created | msconfig.exe | smss.exe
Key created | KakashiHatake.exe | Gaara.exe
Key created | kspoold.exe | csrss.exe
Set value (str) | KakashiHatake.exe\Debugger = "cmd.exe /c del" | system32.exe
Key created | rstrui.exe | smss.exe
Key created | kspool.exe | system32.exe
Key created | HokageFile.exe | smss.exe
Set value (str) | Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | b84b639b0153d1216fd29fde70acb39c.exe
Key created | taskmgr.exe | Kazekage.exe
Set value (str) | regedt32.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Key created | Obito.exe | system32.exe
Key created | regedt32.exe | system32.exe
Key created | Funny UST Scandal.exe | Gaara.exe
Key created | mmc.exe | csrss.exe
Set value (str) | Obito.exe\Debugger = "cmd.exe /c del" | csrss.exe
Set value (str) | HOKAGE4.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Set value (str) | KakashiHatake.exe\Debugger = "cmd.exe /c del" | csrss.exe
Key created | procexp.exe | smss.exe
Set value (str) | rstrui.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Set value (str) | Obito.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Key created | regedit.exe | csrss.exe
Key created | HOKAGE4.exe | Gaara.exe
Set value (str) | Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | b84b639b0153d1216fd29fde70acb39c.exe
Key created | Rin.exe | Kazekage.exe
Set value (str) | cscript.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Key created | HOKAGE4.exe | b84b639b0153d1216fd29fde70acb39c.exe
Set value (str) | KakashiHatake.exe\Debugger = "cmd.exe /c del" | b84b639b0153d1216fd29fde70acb39c.exe
Set value (str) | KakashiHatake.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Key created | procexp.exe | csrss.exe
Key created | Rin.exe | system32.exe
Set value (str) | wscript.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Set value (str) | regedt32.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Set value (str) | regedt32.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Set value (str) | rstrui.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Key created | KakashiHatake.exe | Kazekage.exe
Set value (str) | mmc.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Key created | HokageFile.exe | Gaara.exe
Key created | msconfig.exe | system32.exe
Key created | Obito.exe | Gaara.exe
Set value (str) | regedit.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Key created | HokageFile.exe | system32.exe
Key created | regedit.exe | Kazekage.exe
Key created | Thumbs.com | Gaara.exe
Set value (str) | Obito.exe\Debugger = "cmd.exe /c del" | b84b639b0153d1216fd29fde70acb39c.exe
Key created | wscript.exe | Kazekage.exe
Key created | procexp.exe | Gaara.exe
Set value (str) | rstrui.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe
Key created | wscript.exe | csrss.exe
Set value (str) | Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | system32.exe
Executes dropped EXE (30 IoCs)
pid | Process
--- | ---
2524 | smss.exe
2520 | smss.exe
1112 | Gaara.exe
2296 | smss.exe
1744 | Gaara.exe
1900 | csrss.exe
1132 | smss.exe
1564 | Gaara.exe
2892 | csrss.exe
1184 | Kazekage.exe
2384 | smss.exe
2596 | Gaara.exe
1792 | csrss.exe
2352 | Kazekage.exe
2140 | system32.exe
1628 | smss.exe
344 | Gaara.exe
320 | csrss.exe
1556 | Kazekage.exe
1592 | system32.exe
900 | system32.exe
1252 | Kazekage.exe
1684 | system32.exe
2984 | csrss.exe
880 | Kazekage.exe
1372 | Gaara.exe
3012 | system32.exe
2128 | csrss.exe
2548 | Kazekage.exe
2708 | system32.exe
Loads dropped DLL (61 IoCs)
Adds Run key to start application (2 TTPs, 24 IoCs)
All values below are set under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ (prefix omitted from each row).
description | ioc (value under Run) | Process
--- | --- | ---
Set value (str) | SystemRun = "drivers\\csrss.exe" | Kazekage.exe
Set value (str) | DesertSand = "Fonts\\Admin 6 - 3 - 2024\\smss.exe" | csrss.exe
Set value (str) | DesertSand = "Fonts\\Admin 6 - 3 - 2024\\smss.exe" | smss.exe
Set value (str) | 644r4 = "6-3-2024.exe" | smss.exe
Set value (str) | DesertSand = "Fonts\\Admin 6 - 3 - 2024\\smss.exe" | Gaara.exe
Set value (str) | DesertSand = "Fonts\\Admin 6 - 3 - 2024\\smss.exe" | b84b639b0153d1216fd29fde70acb39c.exe
Set value (str) | SystemRun = "drivers\\csrss.exe" | smss.exe
Set value (str) | SystemRun = "drivers\\csrss.exe" | Gaara.exe
Set value (str) | SystemRun = "drivers\\csrss.exe" | system32.exe
Set value (str) | FreeAV = "Fonts\\Admin 6 - 3 - 2024\\Gaara.exe" | smss.exe
Set value (str) | FreeAV = "Fonts\\Admin 6 - 3 - 2024\\Gaara.exe" | Kazekage.exe
Set value (str) | 644r4 = "6-3-2024.exe" | Kazekage.exe
Set value (str) | 644r4 = "6-3-2024.exe" | csrss.exe
Set value (str) | SystemRun = "drivers\\csrss.exe" | csrss.exe
Set value (str) | DesertSand = "Fonts\\Admin 6 - 3 - 2024\\smss.exe" | system32.exe
Set value (str) | 644r4 = "6-3-2024.exe" | system32.exe
Set value (str) | 644r4 = "6-3-2024.exe" | b84b639b0153d1216fd29fde70acb39c.exe
Set value (str) | SystemRun = "drivers\\csrss.exe" | b84b639b0153d1216fd29fde70acb39c.exe
Set value (str) | DesertSand = "Fonts\\Admin 6 - 3 - 2024\\smss.exe" | Kazekage.exe
Set value (str) | FreeAV = "Fonts\\Admin 6 - 3 - 2024\\Gaara.exe" | csrss.exe
Set value (str) | FreeAV = "Fonts\\Admin 6 - 3 - 2024\\Gaara.exe" | system32.exe
Set value (str) | FreeAV = "Fonts\\Admin 6 - 3 - 2024\\Gaara.exe" | Gaara.exe
Set value (str) | 644r4 = "6-3-2024.exe" | Gaara.exe
Set value (str) | FreeAV = "Fonts\\Admin 6 - 3 - 2024\\Gaara.exe" | b84b639b0153d1216fd29fde70acb39c.exe
Drops desktop.ini file(s) (64 IoCs)
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | csrss.exe
File opened (read-only) | \??\H: | smss.exe
File opened (read-only) | \??\Y: | b84b639b0153d1216fd29fde70acb39c.exe
File opened (read-only) | \??\P: | Kazekage.exe
File opened (read-only) | \??\X: | Kazekage.exe
File opened (read-only) | \??\H: | system32.exe
File opened (read-only) | \??\R: | Gaara.exe
File opened (read-only) | \??\X: | Gaara.exe
File opened (read-only) | \??\Z: | Gaara.exe
File opened (read-only) | \??\X: | b84b639b0153d1216fd29fde70acb39c.exe
File opened (read-only) | \??\I: | csrss.exe
File opened (read-only) | \??\R: | csrss.exe
File opened (read-only) | \??\T: | system32.exe
File opened (read-only) | \??\X: | system32.exe
File opened (read-only) | \??\M: | Gaara.exe
File opened (read-only) | \??\A: | b84b639b0153d1216fd29fde70acb39c.exe
File opened (read-only) | \??\H: | Kazekage.exe
File opened (read-only) | \??\U: | system32.exe
File opened (read-only) | \??\J: | smss.exe
File opened (read-only) | \??\N: | Gaara.exe
File opened (read-only) | \??\A: | system32.exe
File opened (read-only) | \??\G: | b84b639b0153d1216fd29fde70acb39c.exe
File opened (read-only) | \??\J: | b84b639b0153d1216fd29fde70acb39c.exe
File opened (read-only) | \??\B: | csrss.exe
File opened (read-only) | \??\T: | csrss.exe
File opened (read-only) | \??\O: | system32.exe
File opened (read-only) | \??\K: | b84b639b0153d1216fd29fde70acb39c.exe
File opened (read-only) | \??\L: | system32.exe
File opened (read-only) | \??\Z: | csrss.exe
File opened (read-only) | \??\M: | smss.exe
File opened (read-only) | \??\Q: | smss.exe
File opened (read-only) | \??\R: | smss.exe
File opened (read-only) | \??\U: | b84b639b0153d1216fd29fde70acb39c.exe
File opened (read-only) | \??\J: | Kazekage.exe
File opened (read-only) | \??\H: | Gaara.exe
File opened (read-only) | \??\T: | Gaara.exe
File opened (read-only) | \??\U: | Gaara.exe
File opened (read-only) | \??\J: | Gaara.exe
File opened (read-only) | \??\K: | Gaara.exe
File opened (read-only) | \??\E: | csrss.exe
File opened (read-only) | \??\R: | system32.exe
File opened (read-only) | \??\N: | smss.exe
File opened (read-only) | \??\O: | csrss.exe
File opened (read-only) | \??\M: | system32.exe
File opened (read-only) | \??\Y: | csrss.exe
File opened (read-only) | \??\M: | b84b639b0153d1216fd29fde70acb39c.exe
File opened (read-only) | \??\M: | Kazekage.exe
File opened (read-only) | \??\Z: | smss.exe
File opened (read-only) | \??\P: | b84b639b0153d1216fd29fde70acb39c.exe
File opened (read-only) | \??\G: | Kazekage.exe
File opened (read-only) | \??\N: | Kazekage.exe
File opened (read-only) | \??\J: | system32.exe
File opened (read-only) | \??\A: | smss.exe
File opened (read-only) | \??\A: | Gaara.exe
File opened (read-only) | \??\V: | Gaara.exe
File opened (read-only) | \??\O: | b84b639b0153d1216fd29fde70acb39c.exe
File opened (read-only) | \??\B: | Kazekage.exe
File opened (read-only) | \??\S: | Kazekage.exe
File opened (read-only) | \??\H: | csrss.exe
File opened (read-only) | \??\K: | smss.exe
File opened (read-only) | \??\V: | b84b639b0153d1216fd29fde70acb39c.exe
File opened (read-only) | \??\W: | Kazekage.exe
File opened (read-only) | \??\B: | system32.exe
File opened (read-only) | \??\P: | system32.exe
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | \??\M:\Autorun.inf | b84b639b0153d1216fd29fde70acb39c.exe
File opened for modification | \??\E:\Autorun.inf | Gaara.exe
File opened for modification | D:\Autorun.inf | csrss.exe
File created | \??\K:\Autorun.inf | csrss.exe
File opened for modification | \??\V:\Autorun.inf | csrss.exe
File created | \??\J:\Autorun.inf | system32.exe
File created | \??\H:\Autorun.inf | smss.exe
File opened for modification | \??\Y:\Autorun.inf | csrss.exe
File created | \??\J:\Autorun.inf | Kazekage.exe
File created | \??\L:\Autorun.inf | Kazekage.exe
File created | \??\I:\Autorun.inf | system32.exe
File opened for modification | \??\T:\Autorun.inf | Kazekage.exe
File created | \??\N:\Autorun.inf | system32.exe
File created | \??\G:\Autorun.inf | b84b639b0153d1216fd29fde70acb39c.exe
File opened for modification | \??\S:\Autorun.inf | b84b639b0153d1216fd29fde70acb39c.exe
File created | \??\O:\Autorun.inf | smss.exe
File opened for modification | \??\L:\Autorun.inf | Gaara.exe
File opened for modification | \??\N:\Autorun.inf | csrss.exe
File opened for modification | \??\L:\Autorun.inf | smss.exe
File opened for modification | \??\A:\Autorun.inf | csrss.exe
File opened for modification | \??\E:\Autorun.inf | Kazekage.exe
File opened for modification | D:\Autorun.inf | system32.exe
File created | \??\M:\Autorun.inf | system32.exe
File created | \??\H:\Autorun.inf | system32.exe
File opened for modification | \??\Y:\Autorun.inf | system32.exe
File created | \??\J:\Autorun.inf | b84b639b0153d1216fd29fde70acb39c.exe
File opened for modification | \??\U:\Autorun.inf | csrss.exe
File created | \??\W:\Autorun.inf | csrss.exe
File opened for modification | \??\G:\Autorun.inf | Kazekage.exe
File created | \??\B:\Autorun.inf | system32.exe
File created | \??\R:\Autorun.inf | Gaara.exe
File created | \??\H:\Autorun.inf | csrss.exe
File opened for modification | \??\M:\Autorun.inf | csrss.exe
File opened for modification | \??\W:\Autorun.inf | Kazekage.exe
File created | \??\Y:\Autorun.inf | b84b639b0153d1216fd29fde70acb39c.exe
File created | \??\K:\Autorun.inf | smss.exe
File opened for modification | \??\S:\Autorun.inf | csrss.exe
File opened for modification | \??\P:\Autorun.inf | Kazekage.exe
File opened for modification | \??\Q:\Autorun.inf | Kazekage.exe
File opened for modification | \??\Q:\Autorun.inf | smss.exe
File created | \??\A:\Autorun.inf | csrss.exe
File created | \??\S:\Autorun.inf | Kazekage.exe
File created | \??\X:\Autorun.inf | Kazekage.exe
File opened for modification | \??\Q:\Autorun.inf | b84b639b0153d1216fd29fde70acb39c.exe
File opened for modification | \??\G:\Autorun.inf | Gaara.exe
File opened for modification | \??\R:\Autorun.inf | csrss.exe
File opened for modification | \??\T:\Autorun.inf | system32.exe
File opened for modification | \??\X:\Autorun.inf | b84b639b0153d1216fd29fde70acb39c.exe
File opened for modification | \??\T:\Autorun.inf | Gaara.exe
File opened for modification | \??\K:\Autorun.inf | csrss.exe
File created | \??\V:\Autorun.inf | csrss.exe
File created | \??\H:\Autorun.inf | Kazekage.exe
File opened for modification | \??\L:\Autorun.inf | csrss.exe
File created | \??\R:\Autorun.inf | csrss.exe
File opened for modification | \??\X:\Autorun.inf | csrss.exe
File opened for modification | \??\N:\Autorun.inf | b84b639b0153d1216fd29fde70acb39c.exe
File created | \??\R:\Autorun.inf | b84b639b0153d1216fd29fde70acb39c.exe
File created | \??\V:\Autorun.inf | b84b639b0153d1216fd29fde70acb39c.exe
File opened for modification | D:\Autorun.inf | smss.exe
File opened for modification | \??\G:\Autorun.inf | csrss.exe
File created | D:\Autorun.inf | b84b639b0153d1216fd29fde70acb39c.exe
File opened for modification | \??\K:\Autorun.inf | b84b639b0153d1216fd29fde70acb39c.exe
File created | \??\Q:\Autorun.inf | csrss.exe
File opened for modification | \??\X:\Autorun.inf | Kazekage.exe
Drops file in System32 directory 38 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\6-3-2024.exe | b84b639b0153d1216fd29fde70acb39c.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | csrss.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | Gaara.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | b84b639b0153d1216fd29fde70acb39c.exe
File opened for modification | C:\Windows\SysWOW64\6-3-2024.exe | system32.exe
File created | C:\Windows\SysWOW64\Desktop.ini | b84b639b0153d1216fd29fde70acb39c.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | b84b639b0153d1216fd29fde70acb39c.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | smss.exe
File opened for modification | C:\Windows\SysWOW64\ | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | system32.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | csrss.exe
File opened for modification | C:\Windows\SysWOW64\ | csrss.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\ | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\6-3-2024.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\ | smss.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | system32.exe
File opened for modification | C:\Windows\SysWOW64\ | system32.exe
File opened for modification | C:\Windows\SysWOW64\6-3-2024.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | b84b639b0153d1216fd29fde70acb39c.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | b84b639b0153d1216fd29fde70acb39c.exe
File opened for modification | C:\Windows\SysWOW64\ | b84b639b0153d1216fd29fde70acb39c.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | smss.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\6-3-2024.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\6-3-2024.exe | Gaara.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | Gaara.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | csrss.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | Kazekage.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | system32.exe
File opened for modification | C:\Windows\SysWOW64\6-3-2024.exe | b84b639b0153d1216fd29fde70acb39c.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | system32.exe
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | b84b639b0153d1216fd29fde70acb39c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | csrss.exe
Drops file in Windows directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\Fonts\Admin 6 - 3 - 2024\smss.exe | Kazekage.exe
File created | C:\Windows\Fonts\Admin 6 - 3 - 2024\csrss.exe | system32.exe
File created | C:\Windows\Fonts\Admin 6 - 3 - 2024\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\system\mscoree.dll | csrss.exe
File opened for modification | C:\Windows\Fonts\Admin 6 - 3 - 2024\smss.exe | csrss.exe
File opened for modification | C:\Windows\Fonts\Admin 6 - 3 - 2024\Gaara.exe | csrss.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | Kazekage.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | Kazekage.exe
File created | C:\Windows\WBEM\msvbvm60.dll | Kazekage.exe
File created | C:\Windows\Fonts\Admin 6 - 3 - 2024\csrss.exe | b84b639b0153d1216fd29fde70acb39c.exe
File created | C:\Windows\Fonts\Admin 6 - 3 - 2024\msvbvm60.dll | system32.exe
File opened for modification | C:\Windows\ | csrss.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | system32.exe
File opened for modification | C:\Windows\Fonts\Admin 6 - 3 - 2024\csrss.exe | Kazekage.exe
File created | C:\Windows\msvbvm60.dll | b84b639b0153d1216fd29fde70acb39c.exe
File created | C:\Windows\Fonts\Admin 6 - 3 - 2024\msvbvm60.dll | b84b639b0153d1216fd29fde70acb39c.exe
File created | C:\Windows\Fonts\Admin 6 - 3 - 2024\Gaara.exe | Gaara.exe
File created | C:\Windows\Fonts\Admin 6 - 3 - 2024\Gaara.exe | Kazekage.exe
File opened for modification | C:\Windows\ | smss.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | b84b639b0153d1216fd29fde70acb39c.exe
File opened for modification | C:\Windows\Fonts\Admin 6 - 3 - 2024\csrss.exe | Gaara.exe
File opened for modification | C:\Windows\ | b84b639b0153d1216fd29fde70acb39c.exe
File created | C:\Windows\Fonts\Admin 6 - 3 - 2024\csrss.exe | Gaara.exe
File opened for modification | C:\Windows\system\mscoree.dll | b84b639b0153d1216fd29fde70acb39c.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\Fonts\Admin 6 - 3 - 2024\csrss.exe | system32.exe
File opened for modification | C:\Windows\mscomctl.ocx | Gaara.exe
File opened for modification | C:\Windows\mscomctl.ocx | csrss.exe
File created | C:\Windows\Fonts\Admin 6 - 3 - 2024\Gaara.exe | b84b639b0153d1216fd29fde70acb39c.exe
File opened for modification | C:\Windows\Fonts\Admin 6 - 3 - 2024\Gaara.exe | Gaara.exe
File opened for modification | C:\Windows\Fonts\Admin 6 - 3 - 2024\Gaara.exe | Kazekage.exe
File created | C:\Windows\Fonts\Admin 6 - 3 - 2024\smss.exe | system32.exe
File opened for modification | C:\Windows\ | Gaara.exe
File opened for modification | C:\Windows\ | Kazekage.exe
File created | C:\Windows\WBEM\msvbvm60.dll | b84b639b0153d1216fd29fde70acb39c.exe
File opened for modification | C:\Windows\msvbvm60.dll | smss.exe
File created | C:\Windows\WBEM\msvbvm60.dll | system32.exe
File opened for modification | C:\Windows\mscomctl.ocx | system32.exe
File created | C:\Windows\Fonts\Admin 6 - 3 - 2024\smss.exe | smss.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | Gaara.exe
File opened for modification | C:\Windows\Fonts\Admin 6 - 3 - 2024\smss.exe | Gaara.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | csrss.exe
File created | C:\Windows\Fonts\Admin 6 - 3 - 2024\Gaara.exe | csrss.exe
File created | C:\Windows\Fonts\Admin 6 - 3 - 2024\csrss.exe | Kazekage.exe
File created | C:\Windows\Fonts\Admin 6 - 3 - 2024\Gaara.exe | system32.exe
File opened for modification | C:\Windows\Fonts\Admin 6 - 3 - 2024\smss.exe | b84b639b0153d1216fd29fde70acb39c.exe
File opened for modification | C:\Windows\Fonts\Admin 6 - 3 - 2024\csrss.exe | csrss.exe
File created | C:\Windows\Fonts\Admin 6 - 3 - 2024\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\system\mscoree.dll | system32.exe
File opened for modification | C:\Windows\Fonts\Admin 6 - 3 - 2024\Gaara.exe | system32.exe
File opened for modification | C:\Windows\mscomctl.ocx | b84b639b0153d1216fd29fde70acb39c.exe
File opened for modification | C:\Windows\mscomctl.ocx | Kazekage.exe
File opened for modification | C:\Windows\Fonts\Admin 6 - 3 - 2024\Gaara.exe | b84b639b0153d1216fd29fde70acb39c.exe
File created | C:\Windows\system\msvbvm60.dll | b84b639b0153d1216fd29fde70acb39c.exe
File opened for modification | C:\Windows\Fonts\Admin 6 - 3 - 2024\smss.exe | smss.exe
File opened for modification | C:\Windows\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\system\mscoree.dll | Kazekage.exe
File created | C:\Windows\mscomctl.ocx | b84b639b0153d1216fd29fde70acb39c.exe
File created | C:\Windows\Fonts\Admin 6 - 3 - 2024\csrss.exe | smss.exe
File opened for modification | C:\Windows\msvbvm60.dll | b84b639b0153d1216fd29fde70acb39c.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | smss.exe
File created | C:\Windows\WBEM\msvbvm60.dll | Gaara.exe
Modifies Control Panel 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | b84b639b0153d1216fd29fde70acb39c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Screen Saver.Marquee\Size = "72" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | b84b639b0153d1216fd29fde70acb39c.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop | b84b639b0153d1216fd29fde70acb39c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\WallpaperStyle = "2" | b84b639b0153d1216fd29fde70acb39c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Screen Saver.Marquee\Size = "72" | Kazekage.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Screen Saver.Marquee | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Screen Saver.Marquee | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | smss.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\WallpaperStyle = "2" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | Gaara.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | system32.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Screen Saver.Marquee | smss.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Screen Saver.Marquee | b84b639b0153d1216fd29fde70acb39c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | b84b639b0153d1216fd29fde70acb39c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | smss.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | b84b639b0153d1216fd29fde70acb39c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Screen Saver.Marquee\Size = "72" | b84b639b0153d1216fd29fde70acb39c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | b84b639b0153d1216fd29fde70acb39c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\WallpaperStyle = "2" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | b84b639b0153d1216fd29fde70acb39c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Screen Saver.Marquee\Size = "72" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\WallpaperStyle = "2" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Screen Saver.Marquee\Size = "72" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | system32.exe
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | Gaara.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main | b84b639b0153d1216fd29fde70acb39c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | b84b639b0153d1216fd29fde70acb39c.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | system32.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main | smss.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main | Gaara.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | Kazekage.exe
Modifies registry class 48 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | b84b639b0153d1216fd29fde70acb39c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | b84b639b0153d1216fd29fde70acb39c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | b84b639b0153d1216fd29fde70acb39c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | b84b639b0153d1216fd29fde70acb39c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | b84b639b0153d1216fd29fde70acb39c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | b84b639b0153d1216fd29fde70acb39c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | b84b639b0153d1216fd29fde70acb39c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | b84b639b0153d1216fd29fde70acb39c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | system32.exe
Runs ping.exe 1 TTPs 36 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of SetWindowsHookEx 31 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 12 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Gaara.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System b84b639b0153d1216fd29fde70acb39c.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System system32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" b84b639b0153d1216fd29fde70acb39c.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Kazekage.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe
Processes
C:\Users\Admin\AppData\Local\Temp\b84b639b0153d1216fd29fde70acb39c.exe (depth 1, PID 2252)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b84b639b0153d1216fd29fde70acb39c.exe"
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - UAC bypass
  - Disables RegEdit via registry modification
  - Drops file in Drivers directory
  - Sets file execution options in registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification

  C:\Windows\Fonts\Admin 6 - 3 - 2024\smss.exe (depth 2, PID 2524)
    Command line: "C:\Windows\Fonts\Admin 6 - 3 - 2024\smss.exe"
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - UAC bypass
    - Disables RegEdit via registry modification
    - Drops file in Drivers directory
    - Sets file execution options in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Sets desktop wallpaper using registry
    - Drops file in Windows directory
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\Windows\Fonts\Admin 6 - 3 - 2024\smss.exe (depth 3, PID 2520)
      Command line: "C:\Windows\Fonts\Admin 6 - 3 - 2024\smss.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx

    C:\Windows\Fonts\Admin 6 - 3 - 2024\Gaara.exe (depth 3, PID 1112)
      Command line: "C:\Windows\Fonts\Admin 6 - 3 - 2024\Gaara.exe"
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - UAC bypass
      - Disables RegEdit via registry modification
      - Drops file in Drivers directory
      - Sets file execution options in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops desktop.ini file(s)
      - Enumerates connected drives
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Sets desktop wallpaper using registry
      - Drops file in Windows directory
      - Modifies Control Panel
      - Modifies Internet Explorer settings
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification

      C:\Windows\Fonts\Admin 6 - 3 - 2024\smss.exe (depth 4, PID 2296)
        Command line: "C:\Windows\Fonts\Admin 6 - 3 - 2024\smss.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx

      C:\Windows\Fonts\Admin 6 - 3 - 2024\Gaara.exe (depth 4, PID 1744)
        Command line: "C:\Windows\Fonts\Admin 6 - 3 - 2024\Gaara.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx

      C:\Windows\Fonts\Admin 6 - 3 - 2024\csrss.exe (depth 4, PID 1900)
        Command line: "C:\Windows\Fonts\Admin 6 - 3 - 2024\csrss.exe"
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - UAC bypass
        - Disables RegEdit via registry modification
        - Drops file in Drivers directory
        - Sets file execution options in registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops desktop.ini file(s)
        - Enumerates connected drives
        - Drops autorun.inf file
        - Drops file in System32 directory
        - Sets desktop wallpaper using registry
        - Drops file in Windows directory
        - Modifies Control Panel
        - Modifies Internet Explorer settings
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification

        C:\Windows\Fonts\Admin 6 - 3 - 2024\smss.exe (depth 5, PID 1132)
          Command line: "C:\Windows\Fonts\Admin 6 - 3 - 2024\smss.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetWindowsHookEx

        C:\Windows\Fonts\Admin 6 - 3 - 2024\Gaara.exe (depth 5, PID 1564)
          Command line: "C:\Windows\Fonts\Admin 6 - 3 - 2024\Gaara.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetWindowsHookEx

        C:\Windows\Fonts\Admin 6 - 3 - 2024\csrss.exe (depth 5, PID 2892)
          Command line: "C:\Windows\Fonts\Admin 6 - 3 - 2024\csrss.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\drivers\Kazekage.exe (depth 5, PID 1184)
          Command line: C:\Windows\system32\drivers\Kazekage.exe
          - Modifies WinLogon for persistence
          - Modifies visibility of file extensions in Explorer
          - Modifies visibility of hidden/system files in Explorer
          - UAC bypass
          - Disables RegEdit via registry modification
          - Drops file in Drivers directory
          - Sets file execution options in registry
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops desktop.ini file(s)
          - Enumerates connected drives
          - Drops autorun.inf file
          - Drops file in System32 directory
          - Sets desktop wallpaper using registry
          - Drops file in Windows directory
          - Modifies Control Panel
          - Modifies Internet Explorer settings
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          - System policy modification

          C:\Windows\Fonts\Admin 6 - 3 - 2024\smss.exe (depth 6, PID 2384)
            Command line: "C:\Windows\Fonts\Admin 6 - 3 - 2024\smss.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetWindowsHookEx

          C:\Windows\Fonts\Admin 6 - 3 - 2024\Gaara.exe (depth 6, PID 2596)
            Command line: "C:\Windows\Fonts\Admin 6 - 3 - 2024\Gaara.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetWindowsHookEx

          C:\Windows\Fonts\Admin 6 - 3 - 2024\csrss.exe (depth 6, PID 1792)
            Command line: "C:\Windows\Fonts\Admin 6 - 3 - 2024\csrss.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetWindowsHookEx

          C:\Windows\SysWOW64\drivers\Kazekage.exe (depth 6, PID 2352)
            Command line: C:\Windows\system32\drivers\Kazekage.exe
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx

          C:\Windows\SysWOW64\drivers\system32.exe (depth 6, PID 2140)
            Command line: C:\Windows\system32\drivers\system32.exe
            - Modifies WinLogon for persistence
            - Modifies visibility of file extensions in Explorer
            - Modifies visibility of hidden/system files in Explorer
            - UAC bypass
            - Disables RegEdit via registry modification
            - Drops file in Drivers directory
            - Sets file execution options in registry
            - Executes dropped EXE
            - Loads dropped DLL
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops desktop.ini file(s)
            - Enumerates connected drives
            - Drops autorun.inf file
            - Drops file in System32 directory
            - Sets desktop wallpaper using registry
            - Drops file in Windows directory
            - Modifies Control Panel
            - Modifies Internet Explorer settings
            - Modifies registry class
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            - System policy modification

            C:\Windows\Fonts\Admin 6 - 3 - 2024\smss.exe (depth 7, PID 1628)
              Command line: "C:\Windows\Fonts\Admin 6 - 3 - 2024\smss.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of SetWindowsHookEx

            C:\Windows\Fonts\Admin 6 - 3 - 2024\Gaara.exe (depth 7, PID 344)
              Command line: "C:\Windows\Fonts\Admin 6 - 3 - 2024\Gaara.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of SetWindowsHookEx

            C:\Windows\Fonts\Admin 6 - 3 - 2024\csrss.exe (depth 7, PID 320)
              Command line: "C:\Windows\Fonts\Admin 6 - 3 - 2024\csrss.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of SetWindowsHookEx

            C:\Windows\SysWOW64\drivers\Kazekage.exe (depth 7, PID 1556)
              Command line: C:\Windows\system32\drivers\Kazekage.exe
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx

            C:\Windows\SysWOW64\drivers\system32.exe (depth 7, PID 1592)
              Command line: C:\Windows\system32\drivers\system32.exe
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx

            C:\Windows\SysWOW64\ping.exe (depth 7, PID 2436)
              Command line: ping -a -l www.rasasayang.com.my 65500
              - Runs ping.exe

            C:\Windows\SysWOW64\ping.exe (depth 7, PID 1512)
              Command line: ping -a -l www.duniasex.com 65500
              - Runs ping.exe

            C:\Windows\SysWOW64\ping.exe (depth 7, PID 804)
              Command line: ping -a -l www.rasasayang.com.my 65500
              - Runs ping.exe

            C:\Windows\SysWOW64\ping.exe (depth 7, PID 1496)
              Command line: ping -a -l www.duniasex.com 65500
              - Runs ping.exe

            C:\Windows\SysWOW64\ping.exe (depth 7, PID 2440)
              Command line: ping -a -l www.rasasayang.com.my 65500
              - Runs ping.exe

            C:\Windows\SysWOW64\ping.exe (depth 7, PID 2792)
              Command line: ping -a -l www.duniasex.com 65500
              - Runs ping.exe

          C:\Windows\SysWOW64\ping.exe (depth 6, PID 1496)
            Command line: ping -a -l www.rasasayang.com.my 65500
            - Runs ping.exe

          C:\Windows\SysWOW64\ping.exe (depth 6, PID 984)
            Command line: ping -a -l www.duniasex.com 65500
            - Runs ping.exe

          C:\Windows\SysWOW64\ping.exe (depth 6, PID 2792)
            Command line: ping -a -l www.rasasayang.com.my 65500
            - Runs ping.exe

          C:\Windows\SysWOW64\ping.exe (depth 6, PID 2892)
            Command line: ping -a -l www.duniasex.com 65500
            - Runs ping.exe

          C:\Windows\SysWOW64\ping.exe (depth 6, PID 2924)
            Command line: ping -a -l www.rasasayang.com.my 65500
            - Runs ping.exe

          C:\Windows\SysWOW64\ping.exe (depth 6, PID 2580)
            Command line: ping -a -l www.duniasex.com 65500
            - Runs ping.exe

        C:\Windows\SysWOW64\drivers\system32.exe (depth 5, PID 900)
          Command line: C:\Windows\system32\drivers\system32.exe
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\ping.exe (depth 5, PID 820)
          Command line: ping -a -l www.rasasayang.com.my 65500
          - Runs ping.exe

        C:\Windows\SysWOW64\ping.exe (depth 5, PID 1096)
          Command line: ping -a -l www.duniasex.com 65500
          - Runs ping.exe

        C:\Windows\SysWOW64\ping.exe (depth 5, PID 2424)
          Command line: ping -a -l www.rasasayang.com.my 65500
          - Runs ping.exe

        C:\Windows\SysWOW64\ping.exe (depth 5, PID 2664)
          Command line: ping -a -l www.duniasex.com 65500
          - Runs ping.exe

        C:\Windows\SysWOW64\ping.exe (depth 5, PID 1560)
          Command line: ping -a -l www.rasasayang.com.my 65500
          - Runs ping.exe

        C:\Windows\SysWOW64\ping.exe (depth 5, PID 2592)
          Command line: ping -a -l www.duniasex.com 65500
          - Runs ping.exe

      C:\Windows\SysWOW64\drivers\Kazekage.exe (depth 4, PID 1252)
        Command line: C:\Windows\system32\drivers\Kazekage.exe
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

      C:\Windows\SysWOW64\drivers\system32.exe (depth 4, PID 1684)
        Command line: C:\Windows\system32\drivers\system32.exe
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

      C:\Windows\SysWOW64\ping.exe (depth 4, PID 2932)
        Command line: ping -a -l www.rasasayang.com.my 65500
        - Runs ping.exe

      C:\Windows\SysWOW64\ping.exe (depth 4, PID 2952)
        Command line: ping -a -l www.duniasex.com 65500
        - Runs ping.exe

      C:\Windows\SysWOW64\ping.exe (depth 4, PID 1684)
        Command line: ping -a -l www.rasasayang.com.my 65500
        - Runs ping.exe

      C:\Windows\SysWOW64\ping.exe (depth 4, PID 884)
        Command line: ping -a -l www.duniasex.com 65500
        - Runs ping.exe

      C:\Windows\SysWOW64\ping.exe (depth 4, PID 1180)
        Command line: ping -a -l www.rasasayang.com.my 65500
        - Runs ping.exe

      C:\Windows\SysWOW64\ping.exe (depth 4, PID 2168)
        Command line: ping -a -l www.duniasex.com 65500
        - Runs ping.exe

    C:\Windows\Fonts\Admin 6 - 3 - 2024\csrss.exe (depth 3, PID 2984)
      Command line: "C:\Windows\Fonts\Admin 6 - 3 - 2024\csrss.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\drivers\Kazekage.exe (depth 3, PID 880)
      Command line: C:\Windows\system32\drivers\Kazekage.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\drivers\system32.exe (depth 3, PID 3012)
      Command line: C:\Windows\system32\drivers\system32.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\ping.exe (depth 3, PID 1956)
      Command line: ping -a -l www.rasasayang.com.my 65500
      - Runs ping.exe

    C:\Windows\SysWOW64\ping.exe (depth 3, PID 540)
      Command line: ping -a -l www.duniasex.com 65500
      - Runs ping.exe

    C:\Windows\SysWOW64\ping.exe (depth 3, PID 2160)
      Command line: ping -a -l www.rasasayang.com.my 65500
      - Runs ping.exe

    C:\Windows\SysWOW64\ping.exe (depth 3, PID 700)
      Command line: ping -a -l www.duniasex.com 65500
      - Runs ping.exe

    C:\Windows\SysWOW64\ping.exe (depth 3, PID 2684)
      Command line: ping -a -l www.rasasayang.com.my 65500
      - Runs ping.exe

    C:\Windows\SysWOW64\ping.exe (depth 3, PID 2548)
      Command line: ping -a -l www.duniasex.com 65500
      - Runs ping.exe

  C:\Windows\Fonts\Admin 6 - 3 - 2024\Gaara.exe (depth 2, PID 1372)
    Command line: "C:\Windows\Fonts\Admin 6 - 3 - 2024\Gaara.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx

  C:\Windows\Fonts\Admin 6 - 3 - 2024\csrss.exe (depth 2, PID 2128)
    Command line: "C:\Windows\Fonts\Admin 6 - 3 - 2024\csrss.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\drivers\Kazekage.exe (depth 2, PID 2548)
    Command line: C:\Windows\system32\drivers\Kazekage.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\drivers\system32.exe (depth 2, PID 2708)
    Command line: C:\Windows\system32\drivers\system32.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\ping.exe (depth 2, PID 2448)
    Command line: ping -a -l www.rasasayang.com.my 65500
    - Runs ping.exe

  C:\Windows\SysWOW64\ping.exe (depth 2, PID 2744)
    Command line: ping -a -l www.duniasex.com 65500
    - Runs ping.exe

  C:\Windows\SysWOW64\ping.exe (depth 2, PID 1576)
    Command line: ping -a -l www.rasasayang.com.my 65500
    - Runs ping.exe

  C:\Windows\SysWOW64\ping.exe (depth 2, PID 2200)
    Command line: ping -a -l www.duniasex.com 65500
    - Runs ping.exe

  C:\Windows\SysWOW64\ping.exe (depth 2, PID 992)
    Command line: ping -a -l www.rasasayang.com.my 65500
    - Runs ping.exe

  C:\Windows\SysWOW64\ping.exe (depth 2, PID 1556)
    Command line: ping -a -l www.duniasex.com 65500
    - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (9)
Downloads