Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-03-2024 22:00
Behavioral task behavioral1: sample b84b639b0153d1216fd29fde70acb39c.exe, resource win7-20240221-en
Behavioral task behavioral2: sample b84b639b0153d1216fd29fde70acb39c.exe, resource win10v2004-20240226-en
General
Target: b84b639b0153d1216fd29fde70acb39c.exe
Size: 301KB
MD5: b84b639b0153d1216fd29fde70acb39c
SHA1: 636af0fc3cbaa18774c17266f391d0f3ee62932c
SHA256: fcf545b1af226807c4636112257a99660eee8a803fa9e46f6a4fa1fe989d0d27
SHA512: 95b9e48693d4907d0dcacf44a2221039f0424408240a068482e4fab891d8c7eb78397604667b85de8cfe660d6800deb1d04498aeac55c5739d8c04919bbef4fa
SSDEEP: 6144:1xzYzaFXi17jklhtVG84jqfhdVG84jqfho:1NEu3VG84YXVG84Yy
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | b84b639b0153d1216fd29fde70acb39c.exe, smss.exe, Kazekage.exe, system32.exe, Gaara.exe, csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | smss.exe, b84b639b0153d1216fd29fde70acb39c.exe, Gaara.exe, csrss.exe, Kazekage.exe, system32.exe
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | csrss.exe, Kazekage.exe, system32.exe, b84b639b0153d1216fd29fde70acb39c.exe, smss.exe, Gaara.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Gaara.exe, csrss.exe, Kazekage.exe, system32.exe, b84b639b0153d1216fd29fde70acb39c.exe, smss.exe
Disables UAC by setting EnableLUA to 0 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe, Kazekage.exe, system32.exe, b84b639b0153d1216fd29fde70acb39c.exe, smss.exe, Gaara.exe
Disables RegEdit via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | csrss.exe, Kazekage.exe, system32.exe, b84b639b0153d1216fd29fde70acb39c.exe, smss.exe, Gaara.exe
Disables use of System Restore points 1 TTPs
Drops file in Drivers directory 24 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\drivers\system32.exe | b84b639b0153d1216fd29fde70acb39c.exe, smss.exe, Gaara.exe, csrss.exe, Kazekage.exe, system32.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | b84b639b0153d1216fd29fde70acb39c.exe, smss.exe, Gaara.exe, csrss.exe, Kazekage.exe, system32.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | b84b639b0153d1216fd29fde70acb39c.exe, smss.exe, Gaara.exe, csrss.exe, Kazekage.exe, system32.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | b84b639b0153d1216fd29fde70acb39c.exe, smss.exe, Gaara.exe, csrss.exe, Kazekage.exe, system32.exe
Sets file execution options in registry 2 TTPs 64 IoCs
All keys below are under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options. Only 64 entries are listed, so not every process/target pairing appears.
target key | Debugger value (Set value (str)) | set by | key created by
regedit.exe | "drivers\\Kazekage.exe" | Kazekage.exe, b84b639b0153d1216fd29fde70acb39c.exe, smss.exe | csrss.exe, b84b639b0153d1216fd29fde70acb39c.exe
regedt32.exe | "drivers\\Kazekage.exe" | csrss.exe, smss.exe, Kazekage.exe | (none listed)
msconfig.exe | "drivers\\Kazekage.exe" | Kazekage.exe, Gaara.exe | (none listed)
mmc.exe | "drivers\\Kazekage.exe" | csrss.exe, b84b639b0153d1216fd29fde70acb39c.exe, system32.exe | Kazekage.exe
rstrui.exe | "drivers\\Kazekage.exe" | smss.exe, b84b639b0153d1216fd29fde70acb39c.exe | system32.exe
cscript.exe | "drivers\\Kazekage.exe" | system32.exe, b84b639b0153d1216fd29fde70acb39c.exe | Gaara.exe, Kazekage.exe
wscript.exe | "drivers\\Kazekage.exe" | b84b639b0153d1216fd29fde70acb39c.exe, Gaara.exe, csrss.exe | csrss.exe
taskmgr.exe | (value not listed) | (none listed) | smss.exe
procexp.exe | "cmd.exe /c del" | Kazekage.exe, csrss.exe, system32.exe | Kazekage.exe, Gaara.exe, b84b639b0153d1216fd29fde70acb39c.exe
HokageFile.exe | "cmd.exe /c del" | b84b639b0153d1216fd29fde70acb39c.exe, csrss.exe, system32.exe | system32.exe
HOKAGE4.exe | "cmd.exe /c del" | smss.exe | smss.exe
Funny UST Scandal.exe | "cmd.exe /c del" | Gaara.exe | Kazekage.exe, Gaara.exe, b84b639b0153d1216fd29fde70acb39c.exe
Funny UST Scandal.avi.exe | (value not listed) | (none listed) | system32.exe, smss.exe, b84b639b0153d1216fd29fde70acb39c.exe
kspool.exe | "cmd.exe /c del" | b84b639b0153d1216fd29fde70acb39c.exe, smss.exe | smss.exe, Kazekage.exe, Gaara.exe
kspoold.exe | "cmd.exe /c del" | smss.exe | b84b639b0153d1216fd29fde70acb39c.exe
Obito.exe | "cmd.exe /c del" | Gaara.exe, b84b639b0153d1216fd29fde70acb39c.exe | b84b639b0153d1216fd29fde70acb39c.exe
Rin.exe | "cmd.exe /c del" | Gaara.exe, csrss.exe, smss.exe | smss.exe, system32.exe
KakashiHatake.exe | "cmd.exe /c del" | csrss.exe, Gaara.exe | csrss.exe
Thumbs.com | (value not listed) | (none listed) | system32.exe
Executes dropped EXE 30 IoCs
pid | Process
3836, 4416, 3768, 4064, 2820, 3456 | smss.exe
4888, 1940, 2008, 4260, 3248, 4420 | Gaara.exe
4284, 404, 396, 2216, 3728, 4644 | csrss.exe
2984, 1520, 4328, 2476, 2680, 812 | Kazekage.exe
2244, 4172, 4228, 4952, 936, 4780 | system32.exe
Loads dropped DLL 18 IoCs
pid | Process
3836, 4416, 3768, 4064, 2820, 3456 | smss.exe
4888, 1940, 2008, 4260, 3248, 4420 | Gaara.exe
4284, 404, 396, 2216, 3728, 4644 | csrss.exe
UPX-packed executable (YARA rule upx) 64 IoCs
resource | yara_rule
behavioral2/memory/<pid>-<n>-0x0000000000400000-0x000000000042B000-memory.dmp, with <pid>-<n> one of: 4556-0, 3836-34, 4416-71, 4888-77, 4416-80, 3768-113, 1940-116, 4284-121, 4064-152, 2008-157, 2984-165, 3836-187, 2820-193, 4888-199, 4260-198, 396-203, 2244-210, 4284-228, 3456-231, 2216-235, 3248-234, 2216-246, 2984-248, 4172-250, 4172-252, 4228-255, 2476-258, 3728-261, 4952-262, 2244-270, 3728-268, 2680-272, 936-275, 4420-278, 812-281, 4644-282, 4780-288, 812-285, 4780-289, 4328-247 (pid 4556 is the only one not in the Executes dropped EXE list, i.e. the submitted sample's own process) | upx
behavioral2/files/<id>-<n>.dat, with <id>-<n> one of: 0x0007000000023205-17, 0x0007000000023201-31, 0x0007000000023203-45, 0x0007000000023203-46, 0x0007000000023204-49, 0x0007000000023202-41, 0x0007000000023206-57, 0x0007000000023201-68, 0x0007000000023202-75, 0x0007000000023206-96, 0x0007000000023205-92, 0x0007000000023204-88, 0x0007000000023203-84, 0x0007000000023204-127, 0x0007000000023206-135, 0x0007000000023203-155, 0x0007000000023205-162, 0x0007000000023201-186, 0x0007000000023203-196, 0x0007000000023206-209, 0x0007000000023206-208, 0x0007000000023204-216, 0x0007000000023201-227, 0x000f000000023210-264 | upx
Adds Run key to start application 2 TTPs 24 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 6 - 3 - 2024\\smss.exe" | smss.exe, csrss.exe, Kazekage.exe, system32.exe, Gaara.exe, b84b639b0153d1216fd29fde70acb39c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 6 - 3 - 2024\\Gaara.exe" | smss.exe, Gaara.exe, Kazekage.exe, system32.exe, b84b639b0153d1216fd29fde70acb39c.exe, csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "6-3-2024.exe" | Gaara.exe, csrss.exe, b84b639b0153d1216fd29fde70acb39c.exe, system32.exe, Kazekage.exe, smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | b84b639b0153d1216fd29fde70acb39c.exe, system32.exe, Gaara.exe, Kazekage.exe, smss.exe, csrss.exe
Drops desktop.ini file(s) 64 IoCs
description | ioc | Process
File opened for modification | \??\<drive>:\Desktop.ini for A:, B:, D:, Q:, R:, S:, T:, V:, Y: | b84b639b0153d1216fd29fde70acb39c.exe
File opened for modification | \??\<drive>:\Desktop.ini for A:, C:, D:, E:, G:, H:, J:, K:, S:, W:, Y:, Z: | Gaara.exe
File opened for modification | \??\<drive>:\Desktop.ini for C:, D:, I:, K:, M:, N:, R:, Y: | system32.exe
File opened for modification | \??\<drive>:\Desktop.ini for A:, B:, D:, F:, H:, I:, J:, L:, P:, V:, Y: | smss.exe
File opened for modification | \??\<drive>:\Desktop.ini for A:, F:, H:, K:, L:, M:, O:, P:, Q:, R:, T:, V:, X:, Y: | csrss.exe
File opened for modification | \??\<drive>:\Desktop.ini for A:, G:, H:, I:, J:, N:, R:, S:, T:, Z: | Kazekage.exe
(C:, D: and F: are logged without the \??\ prefix, as C:\Desktop.ini, D:\Desktop.ini and F:\Desktop.ini.)
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\A: | smss.exe
File opened (read-only) | \??\Z: | system32.exe
File opened (read-only) | \??\L: | smss.exe
File opened (read-only) | \??\X: | smss.exe
File opened (read-only) | \??\X: | system32.exe
File opened (read-only) | \??\J: | b84b639b0153d1216fd29fde70acb39c.exe
File opened (read-only) | \??\L: | b84b639b0153d1216fd29fde70acb39c.exe
File opened (read-only) | \??\O: | b84b639b0153d1216fd29fde70acb39c.exe
File opened (read-only) | \??\Y: | Gaara.exe
File opened (read-only) | \??\K: | csrss.exe
File opened (read-only) | \??\M: | smss.exe
File opened (read-only) | \??\W: | smss.exe
File opened (read-only) | \??\H: | Gaara.exe
File opened (read-only) | \??\K: | smss.exe
File opened (read-only) | \??\O: | smss.exe
File opened (read-only) | \??\Q: | Gaara.exe
File opened (read-only) | \??\Z: | Gaara.exe
File opened (read-only) | \??\B: | csrss.exe
File opened (read-only) | \??\P: | b84b639b0153d1216fd29fde70acb39c.exe
File opened (read-only) | \??\X: | b84b639b0153d1216fd29fde70acb39c.exe
File opened (read-only) | \??\J: | smss.exe
File opened (read-only) | \??\V: | Kazekage.exe
File opened (read-only) | \??\N: | csrss.exe
File opened (read-only) | \??\Q: | csrss.exe
File opened (read-only) | \??\W: | csrss.exe
File opened (read-only) | \??\U: | Kazekage.exe
File opened (read-only) | \??\T: | system32.exe
File opened (read-only) | \??\N: | b84b639b0153d1216fd29fde70acb39c.exe
File opened (read-only) | \??\S: | b84b639b0153d1216fd29fde70acb39c.exe
File opened (read-only) | \??\U: | smss.exe
File opened (read-only) | \??\A: | csrss.exe
File opened (read-only) | \??\R: | system32.exe
File opened (read-only) | \??\I: | b84b639b0153d1216fd29fde70acb39c.exe
File opened (read-only) | \??\J: | Gaara.exe
File opened (read-only) | \??\R: | Gaara.exe
File opened (read-only) | \??\O: | Kazekage.exe
File opened (read-only) | \??\E: | smss.exe
File opened (read-only) | \??\Z: | smss.exe
File opened (read-only) | \??\O: | csrss.exe
File opened (read-only) | \??\X: | Kazekage.exe
File opened (read-only) | \??\M: | system32.exe
File opened (read-only) | \??\I: | csrss.exe
File opened (read-only) | \??\L: | Kazekage.exe
File opened (read-only) | \??\W: | Kazekage.exe
File opened (read-only) | \??\P: | system32.exe
File opened (read-only) | \??\U: | system32.exe
File opened (read-only) | \??\G: | system32.exe
File opened (read-only) | \??\Z: | b84b639b0153d1216fd29fde70acb39c.exe
File opened (read-only) | \??\P: | Gaara.exe
File opened (read-only) | \??\P: | Kazekage.exe
File opened (read-only) | \??\T: | Kazekage.exe
File opened (read-only) | \??\K: | system32.exe
File opened (read-only) | \??\V: | system32.exe
File opened (read-only) | \??\H: | b84b639b0153d1216fd29fde70acb39c.exe
File opened (read-only) | \??\E: | Gaara.exe
File opened (read-only) | \??\M: | csrss.exe
File opened (read-only) | \??\E: | system32.exe
File opened (read-only) | \??\R: | b84b639b0153d1216fd29fde70acb39c.exe
File opened (read-only) | \??\Q: | smss.exe
File opened (read-only) | \??\R: | smss.exe
File opened (read-only) | \??\E: | csrss.exe
File opened (read-only) | \??\H: | system32.exe
File opened (read-only) | \??\A: | Gaara.exe
File opened (read-only) | \??\H: | csrss.exe
-
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | \??\W:\Autorun.inf | b84b639b0153d1216fd29fde70acb39c.exe
File opened for modification | D:\Autorun.inf | Gaara.exe
File created | \??\L:\Autorun.inf | csrss.exe
File opened for modification | D:\Autorun.inf | Kazekage.exe
File opened for modification | \??\W:\Autorun.inf | Kazekage.exe
File opened for modification | \??\X:\Autorun.inf | csrss.exe
File opened for modification | \??\O:\Autorun.inf | Kazekage.exe
File opened for modification | \??\Z:\Autorun.inf | system32.exe
File created | \??\E:\Autorun.inf | b84b639b0153d1216fd29fde70acb39c.exe
File created | \??\Q:\Autorun.inf | b84b639b0153d1216fd29fde70acb39c.exe
File created | \??\G:\Autorun.inf | smss.exe
File opened for modification | \??\L:\Autorun.inf | smss.exe
File opened for modification | \??\W:\Autorun.inf | Gaara.exe
File opened for modification | \??\K:\Autorun.inf | csrss.exe
File created | \??\E:\Autorun.inf | system32.exe
File opened for modification | \??\G:\Autorun.inf | Gaara.exe
File opened for modification | \??\O:\Autorun.inf | csrss.exe
File created | \??\R:\Autorun.inf | csrss.exe
File created | \??\P:\Autorun.inf | system32.exe
File created | \??\S:\Autorun.inf | Gaara.exe
File created | \??\J:\Autorun.inf | csrss.exe
File opened for modification | \??\A:\Autorun.inf | Gaara.exe
File opened for modification | \??\L:\Autorun.inf | csrss.exe
File created | \??\O:\Autorun.inf | csrss.exe
File created | \??\M:\Autorun.inf | Kazekage.exe
File opened for modification | \??\K:\Autorun.inf | system32.exe
File opened for modification | C:\Autorun.inf | csrss.exe
File created | \??\A:\Autorun.inf | smss.exe
File created | \??\E:\Autorun.inf | csrss.exe
File opened for modification | C:\Autorun.inf | system32.exe
File created | \??\Q:\Autorun.inf | system32.exe
File opened for modification | \??\J:\Autorun.inf | b84b639b0153d1216fd29fde70acb39c.exe
File opened for modification | \??\B:\Autorun.inf | smss.exe
File opened for modification | \??\I:\Autorun.inf | smss.exe
File opened for modification | \??\O:\Autorun.inf | smss.exe
File opened for modification | \??\K:\Autorun.inf | Gaara.exe
File opened for modification | \??\G:\Autorun.inf | system32.exe
File opened for modification | \??\S:\Autorun.inf | Kazekage.exe
File opened for modification | \??\V:\Autorun.inf | system32.exe
File created | \??\U:\Autorun.inf | Gaara.exe
File created | \??\L:\Autorun.inf | Kazekage.exe
File created | \??\P:\Autorun.inf | Kazekage.exe
File created | \??\U:\Autorun.inf | system32.exe
File created | D:\Autorun.inf | b84b639b0153d1216fd29fde70acb39c.exe
File created | \??\R:\Autorun.inf | Gaara.exe
File created | \??\W:\Autorun.inf | Gaara.exe
File created | \??\K:\Autorun.inf | csrss.exe
File opened for modification | \??\Y:\Autorun.inf | csrss.exe
File created | \??\S:\Autorun.inf | system32.exe
File opened for modification | \??\L:\Autorun.inf | b84b639b0153d1216fd29fde70acb39c.exe
File opened for modification | \??\G:\Autorun.inf | csrss.exe
File opened for modification | \??\Z:\Autorun.inf | csrss.exe
File created | \??\A:\Autorun.inf | system32.exe
File created | \??\N:\Autorun.inf | system32.exe
File opened for modification | C:\Autorun.inf | smss.exe
File created | \??\Q:\Autorun.inf | Gaara.exe
File opened for modification | \??\P:\Autorun.inf | csrss.exe
File created | \??\J:\Autorun.inf | smss.exe
File created | \??\L:\Autorun.inf | Gaara.exe
File created | \??\V:\Autorun.inf | Gaara.exe
File opened for modification | \??\V:\Autorun.inf | csrss.exe
File created | \??\I:\Autorun.inf | Kazekage.exe
File created | \??\R:\Autorun.inf | Kazekage.exe
File created | \??\E:\Autorun.inf | Kazekage.exe
-
Drops file in System32 directory 39 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | b84b639b0153d1216fd29fde70acb39c.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | b84b639b0153d1216fd29fde70acb39c.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | b84b639b0153d1216fd29fde70acb39c.exe
File opened for modification | C:\Windows\SysWOW64\6-3-2024.exe | smss.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | smss.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\6-3-2024.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | smss.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | system32.exe
File created | C:\Windows\SysWOW64\6-3-2024.exe | b84b639b0153d1216fd29fde70acb39c.exe
File opened for modification | C:\Windows\SysWOW64\6-3-2024.exe | system32.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | system32.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | csrss.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | csrss.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\ | smss.exe
File opened for modification | C:\Windows\SysWOW64\ | b84b639b0153d1216fd29fde70acb39c.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | smss.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\ | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\ | csrss.exe
File opened for modification | C:\Windows\SysWOW64\ | system32.exe
File opened for modification | C:\Windows\SysWOW64\6-3-2024.exe | Gaara.exe
File created | C:\Windows\SysWOW64\Desktop.ini | b84b639b0153d1216fd29fde70acb39c.exe
File created | C:\Windows\SysWOW64\mscomctl.ocx | b84b639b0153d1216fd29fde70acb39c.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\ | Kazekage.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\6-3-2024.exe | csrss.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | system32.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\SysWOW64\6-3-2024.exe | b84b639b0153d1216fd29fde70acb39c.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | system32.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | b84b639b0153d1216fd29fde70acb39c.exe
-
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | b84b639b0153d1216fd29fde70acb39c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Gaara.exe
-
Drops file in Windows directory 64 IoCs
description | ioc | Process
File created | C:\Windows\Fonts\Admin 6 - 3 - 2024\smss.exe | b84b639b0153d1216fd29fde70acb39c.exe
File opened for modification | C:\Windows\Fonts\Admin 6 - 3 - 2024\Gaara.exe | b84b639b0153d1216fd29fde70acb39c.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | smss.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | Kazekage.exe
File opened for modification | C:\Windows\ | Gaara.exe
File opened for modification | C:\Windows\mscomctl.ocx | csrss.exe
File opened for modification | C:\Windows\ | smss.exe
File created | C:\Windows\Fonts\The Kazekage.jpg | b84b639b0153d1216fd29fde70acb39c.exe
File opened for modification | C:\Windows\system\mscoree.dll | b84b639b0153d1216fd29fde70acb39c.exe
File created | C:\Windows\msvbvm60.dll | b84b639b0153d1216fd29fde70acb39c.exe
File created | C:\Windows\Fonts\Admin 6 - 3 - 2024\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\Fonts\Admin 6 - 3 - 2024\Gaara.exe | Kazekage.exe
File created | C:\Windows\Fonts\Admin 6 - 3 - 2024\csrss.exe | system32.exe
File opened for modification | C:\Windows\ | b84b639b0153d1216fd29fde70acb39c.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | b84b639b0153d1216fd29fde70acb39c.exe
File created | C:\Windows\Fonts\Admin 6 - 3 - 2024\smss.exe | smss.exe
File created | C:\Windows\Fonts\Admin 6 - 3 - 2024\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\Fonts\Admin 6 - 3 - 2024\smss.exe | csrss.exe
File opened for modification | C:\Windows\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\system\mscoree.dll | csrss.exe
File created | C:\Windows\Fonts\Admin 6 - 3 - 2024\msvbvm60.dll | Kazekage.exe
File created | C:\Windows\Fonts\Admin 6 - 3 - 2024\Gaara.exe | smss.exe
File opened for modification | C:\Windows\msvbvm60.dll | b84b639b0153d1216fd29fde70acb39c.exe
File created | C:\Windows\system\msvbvm60.dll | b84b639b0153d1216fd29fde70acb39c.exe
File opened for modification | C:\Windows\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | csrss.exe
File created | C:\Windows\WBEM\msvbvm60.dll | smss.exe
File created | C:\Windows\Fonts\Admin 6 - 3 - 2024\csrss.exe | csrss.exe
File created | C:\Windows\Fonts\Admin 6 - 3 - 2024\smss.exe | Kazekage.exe
File created | C:\Windows\Fonts\Admin 6 - 3 - 2024\Gaara.exe | system32.exe
File created | C:\Windows\Fonts\Admin 6 - 3 - 2024\msvbvm60.dll | system32.exe
File created | C:\Windows\Fonts\Admin 6 - 3 - 2024\csrss.exe | Kazekage.exe
File created | C:\Windows\Fonts\Admin 6 - 3 - 2024\smss.exe | system32.exe
File opened for modification | C:\Windows\mscomctl.ocx | Gaara.exe
File opened for modification | C:\Windows\mscomctl.ocx | system32.exe
File opened for modification | C:\Windows\Fonts\Admin 6 - 3 - 2024\smss.exe | b84b639b0153d1216fd29fde70acb39c.exe
File opened for modification | C:\Windows\Fonts\Admin 6 - 3 - 2024\csrss.exe | smss.exe
File created | C:\Windows\Fonts\Admin 6 - 3 - 2024\Gaara.exe | Gaara.exe
File opened for modification | C:\Windows\Fonts\Admin 6 - 3 - 2024\Gaara.exe | system32.exe
File created | C:\Windows\Fonts\Admin 6 - 3 - 2024\csrss.exe | smss.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\Fonts\Admin 6 - 3 - 2024\msvbvm60.dll | b84b639b0153d1216fd29fde70acb39c.exe
File opened for modification | C:\Windows\Fonts\Admin 6 - 3 - 2024\smss.exe | Gaara.exe
File created | C:\Windows\WBEM\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | csrss.exe
File opened for modification | C:\Windows\Fonts\Admin 6 - 3 - 2024\csrss.exe | csrss.exe
File created | C:\Windows\Fonts\Admin 6 - 3 - 2024\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\system\mscoree.dll | Kazekage.exe
File opened for modification | C:\Windows\msvbvm60.dll | system32.exe
File opened for modification | C:\Windows\ | csrss.exe
File opened for modification | C:\Windows\system\mscoree.dll | smss.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | smss.exe
File created | C:\Windows\WBEM\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\ | Kazekage.exe
File opened for modification | C:\Windows\mscomctl.ocx | Kazekage.exe
File created | C:\Windows\Fonts\Admin 6 - 3 - 2024\Gaara.exe | b84b639b0153d1216fd29fde70acb39c.exe
File created | C:\Windows\Fonts\Admin 6 - 3 - 2024\msvbvm60.dll | b84b639b0153d1216fd29fde70acb39c.exe
File opened for modification | C:\Windows\Fonts\Admin 6 - 3 - 2024\Gaara.exe | smss.exe
File created | C:\Windows\Fonts\Admin 6 - 3 - 2024\smss.exe | csrss.exe
File created | C:\Windows\WBEM\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\Fonts\Admin 6 - 3 - 2024\csrss.exe | system32.exe
File created | C:\Windows\Fonts\Admin 6 - 3 - 2024\csrss.exe | Gaara.exe
File opened for modification | C:\Windows\Fonts\Admin 6 - 3 - 2024\csrss.exe | b84b639b0153d1216fd29fde70acb39c.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | Gaara.exe
-
Modifies Control Panel 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\WallpaperStyle = "2" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | system32.exe
Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | Gaara.exe
Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Screen Saver.Marquee | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Screen Saver.Marquee\Size = "72" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | b84b639b0153d1216fd29fde70acb39c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\WallpaperStyle = "2" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | b84b639b0153d1216fd29fde70acb39c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\WallpaperStyle = "2" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | b84b639b0153d1216fd29fde70acb39c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Screen Saver.Marquee\Size = "72" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\WallpaperStyle = "2" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | b84b639b0153d1216fd29fde70acb39c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Screen Saver.Marquee\Size = "72" | smss.exe
Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Screen Saver.Marquee | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | Kazekage.exe
Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Screen Saver.Marquee\Size = "72" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | system32.exe
Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | smss.exe
Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | Gaara.exe
Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Screen Saver.Marquee | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | smss.exe
Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Screen Saver.Marquee | system32.exe
Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop | b84b639b0153d1216fd29fde70acb39c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | b84b639b0153d1216fd29fde70acb39c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | b84b639b0153d1216fd29fde70acb39c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\WallpaperStyle = "2" | smss.exe
Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop | Kazekage.exe
Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Screen Saver.Marquee | b84b639b0153d1216fd29fde70acb39c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | b84b639b0153d1216fd29fde70acb39c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Screen Saver.Marquee\Size = "72" | Kazekage.exe
-
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Main | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | Kazekage.exe
Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Main | b84b639b0153d1216fd29fde70acb39c.exe
Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Main | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | smss.exe
Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Main | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Main | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | b84b639b0153d1216fd29fde70acb39c.exe
Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Main | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | csrss.exe
-
Modifies registry class 51 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell | b84b639b0153d1216fd29fde70acb39c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | b84b639b0153d1216fd29fde70acb39c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile | b84b639b0153d1216fd29fde70acb39c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install | b84b639b0153d1216fd29fde70acb39c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | b84b639b0153d1216fd29fde70acb39c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | b84b639b0153d1216fd29fde70acb39c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | b84b639b0153d1216fd29fde70acb39c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | b84b639b0153d1216fd29fde70acb39c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | b84b639b0153d1216fd29fde70acb39c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | b84b639b0153d1216fd29fde70acb39c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | b84b639b0153d1216fd29fde70acb39c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | smss.exe
-
Runs ping.exe 1 TTPs 34 IoCs
pid Process
ping.exe (34 entries), pids: 972, 3496, 3860, 3008, 1248, 464, 2216, 2068, 1248, 5100, 3764, 4440, 2092, 936, 3248, 4064, 3804, 4420, 900, 2216, 3460, 2868, 4620, 3772, 2640, 1988, 400, 2232, 2320, 3664, 3288, 4392, 2268, 468
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
4556 b84b639b0153d1216fd29fde70acb39c.exe (24 entries)
3836 smss.exe (24 entries)
4888 Gaara.exe (16 entries)
Suspicious use of SetWindowsHookEx 30 IoCs
pid Process
4556 b84b639b0153d1216fd29fde70acb39c.exe
3836 smss.exe
4416 smss.exe
4888 Gaara.exe
3768 smss.exe
1940 Gaara.exe
4284 csrss.exe
4064 smss.exe
2008 Gaara.exe
404 csrss.exe
2984 Kazekage.exe
2820 smss.exe
4260 Gaara.exe
396 csrss.exe
1520 Kazekage.exe
2244 system32.exe
3456 smss.exe
3248 Gaara.exe
4328 Kazekage.exe
4172 system32.exe
4228 system32.exe
2476 Kazekage.exe
4952 system32.exe
3728 csrss.exe
2680 Kazekage.exe
936 system32.exe
4420 Gaara.exe
4644 csrss.exe
812 Kazekage.exe
4780 system32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4556 wrote to memory of 3836 | 4556 | b84b639b0153d1216fd29fde70acb39c.exe | 89 (3 entries)
PID 3836 wrote to memory of 4416 | 3836 | smss.exe | 90 (3 entries)
PID 3836 wrote to memory of 4888 | 3836 | smss.exe | 92 (3 entries)
PID 4888 wrote to memory of 3768 | 4888 | Gaara.exe | 93 (3 entries)
PID 4888 wrote to memory of 1940 | 4888 | Gaara.exe | 95 (3 entries)
PID 4888 wrote to memory of 4284 | 4888 | Gaara.exe | 97 (3 entries)
PID 4284 wrote to memory of 4064 | 4284 | csrss.exe | 98 (3 entries)
PID 4284 wrote to memory of 2008 | 4284 | csrss.exe | 99 (3 entries)
PID 4284 wrote to memory of 404 | 4284 | csrss.exe | 100 (3 entries)
PID 4284 wrote to memory of 2984 | 4284 | csrss.exe | 101 (3 entries)
PID 2984 wrote to memory of 2820 | 2984 | Kazekage.exe | 102 (3 entries)
PID 2984 wrote to memory of 4260 | 2984 | Kazekage.exe | 103 (3 entries)
PID 2984 wrote to memory of 396 | 2984 | Kazekage.exe | 104 (3 entries)
PID 2984 wrote to memory of 1520 | 2984 | Kazekage.exe | 105 (3 entries)
PID 2984 wrote to memory of 2244 | 2984 | Kazekage.exe | 106 (3 entries)
PID 2244 wrote to memory of 3456 | 2244 | system32.exe | 107 (3 entries)
PID 2244 wrote to memory of 3248 | 2244 | system32.exe | 108 (3 entries)
PID 2244 wrote to memory of 2216 | 2244 | system32.exe | 109 (3 entries)
PID 2244 wrote to memory of 4328 | 2244 | system32.exe | 110 (3 entries)
PID 2244 wrote to memory of 4172 | 2244 | system32.exe | 111 (3 entries)
PID 4284 wrote to memory of 4228 | 4284 | csrss.exe | 112 (3 entries)
PID 4888 wrote to memory of 2476 | 4888 | Gaara.exe | 113 (1 entry)
System policy modification 1 TTPs 12 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System b84b639b0153d1216fd29fde70acb39c.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Kazekage.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System system32.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" b84b639b0153d1216fd29fde70acb39c.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Gaara.exe
Processes

C:\Users\Admin\AppData\Local\Temp\b84b639b0153d1216fd29fde70acb39c.exe  (depth 1, PID 4556)
    Command line: "C:\Users\Admin\AppData\Local\Temp\b84b639b0153d1216fd29fde70acb39c.exe"
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - UAC bypass
    - Disables RegEdit via registry modification
    - Drops file in Drivers directory
    - Sets file execution options in registry
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Sets desktop wallpaper using registry
    - Drops file in Windows directory
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification

  C:\Windows\Fonts\Admin 6 - 3 - 2024\smss.exe  (depth 2, PID 3836)
      Command line: "C:\Windows\Fonts\Admin 6 - 3 - 2024\smss.exe"
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - UAC bypass
      - Disables RegEdit via registry modification
      - Drops file in Drivers directory
      - Sets file execution options in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops desktop.ini file(s)
      - Enumerates connected drives
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Sets desktop wallpaper using registry
      - Drops file in Windows directory
      - Modifies Control Panel
      - Modifies Internet Explorer settings
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification

    C:\Windows\Fonts\Admin 6 - 3 - 2024\smss.exe  (depth 3, PID 4416)
        Command line: "C:\Windows\Fonts\Admin 6 - 3 - 2024\smss.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx

    C:\Windows\Fonts\Admin 6 - 3 - 2024\Gaara.exe  (depth 3, PID 4888)
        Command line: "C:\Windows\Fonts\Admin 6 - 3 - 2024\Gaara.exe"
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - UAC bypass
        - Disables RegEdit via registry modification
        - Drops file in Drivers directory
        - Sets file execution options in registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops desktop.ini file(s)
        - Enumerates connected drives
        - Drops autorun.inf file
        - Drops file in System32 directory
        - Sets desktop wallpaper using registry
        - Drops file in Windows directory
        - Modifies Control Panel
        - Modifies Internet Explorer settings
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification

      C:\Windows\Fonts\Admin 6 - 3 - 2024\smss.exe  (depth 4, PID 3768)
          Command line: "C:\Windows\Fonts\Admin 6 - 3 - 2024\smss.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetWindowsHookEx

      C:\Windows\Fonts\Admin 6 - 3 - 2024\Gaara.exe  (depth 4, PID 1940)
          Command line: "C:\Windows\Fonts\Admin 6 - 3 - 2024\Gaara.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetWindowsHookEx

      C:\Windows\Fonts\Admin 6 - 3 - 2024\csrss.exe  (depth 4, PID 4284)
          Command line: "C:\Windows\Fonts\Admin 6 - 3 - 2024\csrss.exe"
          - Modifies WinLogon for persistence
          - Modifies visibility of file extensions in Explorer
          - Modifies visibility of hidden/system files in Explorer
          - UAC bypass
          - Disables RegEdit via registry modification
          - Drops file in Drivers directory
          - Sets file execution options in registry
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops desktop.ini file(s)
          - Enumerates connected drives
          - Drops autorun.inf file
          - Drops file in System32 directory
          - Sets desktop wallpaper using registry
          - Drops file in Windows directory
          - Modifies Control Panel
          - Modifies Internet Explorer settings
          - Modifies registry class
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          - System policy modification

        C:\Windows\Fonts\Admin 6 - 3 - 2024\smss.exe  (depth 5, PID 4064)
            Command line: "C:\Windows\Fonts\Admin 6 - 3 - 2024\smss.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetWindowsHookEx

        C:\Windows\Fonts\Admin 6 - 3 - 2024\Gaara.exe  (depth 5, PID 2008)
            Command line: "C:\Windows\Fonts\Admin 6 - 3 - 2024\Gaara.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetWindowsHookEx

        C:\Windows\Fonts\Admin 6 - 3 - 2024\csrss.exe  (depth 5, PID 404)
            Command line: "C:\Windows\Fonts\Admin 6 - 3 - 2024\csrss.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\drivers\Kazekage.exe  (depth 5, PID 2984)
            Command line: C:\Windows\system32\drivers\Kazekage.exe
            - Modifies WinLogon for persistence
            - Modifies visibility of file extensions in Explorer
            - Modifies visibility of hidden/system files in Explorer
            - UAC bypass
            - Disables RegEdit via registry modification
            - Drops file in Drivers directory
            - Sets file execution options in registry
            - Executes dropped EXE
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops desktop.ini file(s)
            - Enumerates connected drives
            - Drops autorun.inf file
            - Drops file in System32 directory
            - Sets desktop wallpaper using registry
            - Drops file in Windows directory
            - Modifies Control Panel
            - Modifies Internet Explorer settings
            - Modifies registry class
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            - System policy modification

          C:\Windows\Fonts\Admin 6 - 3 - 2024\smss.exe  (depth 6, PID 2820)
              Command line: "C:\Windows\Fonts\Admin 6 - 3 - 2024\smss.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of SetWindowsHookEx

          C:\Windows\Fonts\Admin 6 - 3 - 2024\Gaara.exe  (depth 6, PID 4260)
              Command line: "C:\Windows\Fonts\Admin 6 - 3 - 2024\Gaara.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of SetWindowsHookEx

          C:\Windows\Fonts\Admin 6 - 3 - 2024\csrss.exe  (depth 6, PID 396)
              Command line: "C:\Windows\Fonts\Admin 6 - 3 - 2024\csrss.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of SetWindowsHookEx

          C:\Windows\SysWOW64\drivers\Kazekage.exe  (depth 6, PID 1520)
              Command line: C:\Windows\system32\drivers\Kazekage.exe
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx

          C:\Windows\SysWOW64\drivers\system32.exe  (depth 6, PID 2244)
              Command line: C:\Windows\system32\drivers\system32.exe
              - Modifies WinLogon for persistence
              - Modifies visibility of file extensions in Explorer
              - Modifies visibility of hidden/system files in Explorer
              - UAC bypass
              - Disables RegEdit via registry modification
              - Drops file in Drivers directory
              - Sets file execution options in registry
              - Executes dropped EXE
              - Adds Run key to start application
              - Checks whether UAC is enabled
              - Drops desktop.ini file(s)
              - Enumerates connected drives
              - Drops autorun.inf file
              - Drops file in System32 directory
              - Sets desktop wallpaper using registry
              - Drops file in Windows directory
              - Modifies Control Panel
              - Modifies Internet Explorer settings
              - Modifies registry class
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
              - System policy modification

            C:\Windows\Fonts\Admin 6 - 3 - 2024\smss.exe  (depth 7, PID 3456)
                Command line: "C:\Windows\Fonts\Admin 6 - 3 - 2024\smss.exe"
                - Executes dropped EXE
                - Loads dropped DLL
                - Suspicious use of SetWindowsHookEx

            C:\Windows\Fonts\Admin 6 - 3 - 2024\Gaara.exe  (depth 7, PID 3248)
                Command line: "C:\Windows\Fonts\Admin 6 - 3 - 2024\Gaara.exe"
                - Executes dropped EXE
                - Loads dropped DLL
                - Suspicious use of SetWindowsHookEx

            C:\Windows\Fonts\Admin 6 - 3 - 2024\csrss.exe  (depth 7, PID 2216)
                Command line: "C:\Windows\Fonts\Admin 6 - 3 - 2024\csrss.exe"
                - Executes dropped EXE
                - Loads dropped DLL

            C:\Windows\SysWOW64\drivers\Kazekage.exe  (depth 7, PID 4328)
                Command line: C:\Windows\system32\drivers\Kazekage.exe
                - Executes dropped EXE
                - Suspicious use of SetWindowsHookEx

            C:\Windows\SysWOW64\drivers\system32.exe  (depth 7, PID 4172)
                Command line: C:\Windows\system32\drivers\system32.exe
                - Executes dropped EXE
                - Suspicious use of SetWindowsHookEx

            C:\Windows\SysWOW64\ping.exe  (depth 7, PID 3860)
                Command line: ping -a -l www.rasasayang.com.my 65500
                - Runs ping.exe

            C:\Windows\SysWOW64\ping.exe  (depth 7, PID 3772)
                Command line: ping -a -l www.duniasex.com 65500
                - Runs ping.exe

            C:\Windows\SysWOW64\ping.exe  (depth 7, PID 3764)
                Command line: ping -a -l www.rasasayang.com.my 65500
                - Runs ping.exe

            C:\Windows\SysWOW64\ping.exe  (depth 7, PID 2640)
                Command line: ping -a -l www.duniasex.com 65500
                - Runs ping.exe

            C:\Windows\SysWOW64\ping.exe  (depth 7, PID 2868)
                Command line: ping -a -l www.rasasayang.com.my 65500
                - Runs ping.exe

            C:\Windows\SysWOW64\ping.exe  (depth 7, PID 3248)
                Command line: ping -a -l www.duniasex.com 65500
                - Runs ping.exe

          C:\Windows\SysWOW64\ping.exe  (depth 6, PID 2268)
              Command line: ping -a -l www.rasasayang.com.my 65500
              - Runs ping.exe

          C:\Windows\SysWOW64\ping.exe  (depth 6, PID 5100)
              Command line: ping -a -l www.duniasex.com 65500
              - Runs ping.exe

          C:\Windows\SysWOW64\ping.exe  (depth 6, PID 4064)
              Command line: ping -a -l www.rasasayang.com.my 65500
              - Runs ping.exe

          C:\Windows\SysWOW64\ping.exe  (depth 6, PID 2320)
              Command line: ping -a -l www.duniasex.com 65500
              - Runs ping.exe

          C:\Windows\SysWOW64\ping.exe  (depth 6, PID 1988)
              Command line: ping -a -l www.rasasayang.com.my 65500
              - Runs ping.exe

          C:\Windows\SysWOW64\ping.exe  (depth 6, PID 2216)
              Command line: ping -a -l www.duniasex.com 65500
              - Runs ping.exe

        C:\Windows\SysWOW64\drivers\system32.exe  (depth 5, PID 4228)
            Command line: C:\Windows\system32\drivers\system32.exe
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\ping.exe  (depth 5, PID 4392)
            Command line: ping -a -l www.rasasayang.com.my 65500
            - Runs ping.exe

        C:\Windows\SysWOW64\ping.exe  (depth 5, PID 1248)
            Command line: ping -a -l www.duniasex.com 65500
            - Runs ping.exe

        C:\Windows\SysWOW64\ping.exe  (depth 5, PID 2232)
            Command line: ping -a -l www.rasasayang.com.my 65500
            - Runs ping.exe

        C:\Windows\SysWOW64\ping.exe  (depth 5, PID 3008)
            Command line: ping -a -l www.duniasex.com 65500
            - Runs ping.exe

        C:\Windows\SysWOW64\ping.exe  (depth 5, PID 972)
            Command line: ping -a -l www.rasasayang.com.my 65500
            - Runs ping.exe

        C:\Windows\SysWOW64\ping.exe  (depth 5, PID 3460)
            Command line: ping -a -l www.duniasex.com 65500
            - Runs ping.exe

      C:\Windows\SysWOW64\drivers\Kazekage.exe  (depth 4, PID 2476)
          Command line: C:\Windows\system32\drivers\Kazekage.exe
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

      C:\Windows\SysWOW64\drivers\system32.exe  (depth 4, PID 4952)
          Command line: C:\Windows\system32\drivers\system32.exe
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

      C:\Windows\SysWOW64\ping.exe  (depth 4, PID 4440)
          Command line: ping -a -l www.rasasayang.com.my 65500
          - Runs ping.exe

      C:\Windows\SysWOW64\ping.exe  (depth 4, PID 3496)
          Command line: ping -a -l www.duniasex.com 65500
          - Runs ping.exe

      C:\Windows\SysWOW64\ping.exe  (depth 4, PID 936)
          Command line: ping -a -l www.rasasayang.com.my 65500
          - Runs ping.exe

      C:\Windows\SysWOW64\ping.exe  (depth 4, PID 1248)
          Command line: ping -a -l www.duniasex.com 65500
          - Runs ping.exe

    C:\Windows\Fonts\Admin 6 - 3 - 2024\csrss.exe  (depth 3, PID 3728)
        Command line: "C:\Windows\Fonts\Admin 6 - 3 - 2024\csrss.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\drivers\Kazekage.exe  (depth 3, PID 2680)
        Command line: C:\Windows\system32\drivers\Kazekage.exe
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\drivers\system32.exe  (depth 3, PID 936)
        Command line: C:\Windows\system32\drivers\system32.exe
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\ping.exe  (depth 3, PID 2068)
        Command line: ping -a -l www.rasasayang.com.my 65500
        - Runs ping.exe

    C:\Windows\SysWOW64\ping.exe  (depth 3, PID 3288)
        Command line: ping -a -l www.duniasex.com 65500
        - Runs ping.exe

    C:\Windows\SysWOW64\ping.exe  (depth 3, PID 468)
        Command line: ping -a -l www.rasasayang.com.my 65500
        - Runs ping.exe

    C:\Windows\SysWOW64\ping.exe  (depth 3, PID 400)
        Command line: ping -a -l www.duniasex.com 65500
        - Runs ping.exe

    C:\Windows\SysWOW64\ping.exe  (depth 3, PID 3664)
        Command line: ping -a -l www.rasasayang.com.my 65500
        - Runs ping.exe

    C:\Windows\SysWOW64\ping.exe  (depth 3, PID 464)
        Command line: ping -a -l www.duniasex.com 65500
        - Runs ping.exe

  C:\Windows\Fonts\Admin 6 - 3 - 2024\Gaara.exe  (depth 2, PID 4420)
      Command line: "C:\Windows\Fonts\Admin 6 - 3 - 2024\Gaara.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx

  C:\Windows\Fonts\Admin 6 - 3 - 2024\csrss.exe  (depth 2, PID 4644)
      Command line: "C:\Windows\Fonts\Admin 6 - 3 - 2024\csrss.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\drivers\Kazekage.exe  (depth 2, PID 812)
      Command line: C:\Windows\system32\drivers\Kazekage.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\drivers\system32.exe  (depth 2, PID 4780)
      Command line: C:\Windows\system32\drivers\system32.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\ping.exe  (depth 2, PID 4420)
      Command line: ping -a -l www.rasasayang.com.my 65500
      - Runs ping.exe

  C:\Windows\SysWOW64\ping.exe  (depth 2, PID 4620)
      Command line: ping -a -l www.duniasex.com 65500
      - Runs ping.exe

  C:\Windows\SysWOW64\ping.exe  (depth 2, PID 2216)
      Command line: ping -a -l www.rasasayang.com.my 65500
      - Runs ping.exe

  C:\Windows\SysWOW64\ping.exe  (depth 2, PID 2092)
      Command line: ping -a -l www.duniasex.com 65500
      - Runs ping.exe

  C:\Windows\SysWOW64\ping.exe  (depth 2, PID 3804)
      Command line: ping -a -l www.rasasayang.com.my 65500
      - Runs ping.exe

  C:\Windows\SysWOW64\ping.exe  (depth 2, PID 900)
      Command line: ping -a -l www.duniasex.com 65500
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (9)
Downloads

Filesize 736B
MD5 bb5d6abdf8d0948ac6895ce7fdfbc151
SHA1 9266b7a247a4685892197194d2b9b86c8f6dddbd
SHA256 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

Filesize 196B
MD5 1564dfe69ffed40950e5cb644e0894d1
SHA1 201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256 be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA512 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

Filesize 301KB
MD5 21c99326c4f7df6c5aff5f7f3f9c8cd3
SHA1 5742ade838fb0ea5733667806568ccb74b544a7a
SHA256 d9bca19d20a521d7c2db9f419f0ec16d40ea2887de8483bec19904e34b355441
SHA512 459ffc4694855da8554ab8380a653ef6ab6753ae15cd81b5d404cd4774263509f1a1b02844fdf1b7f671254995fc8bd2ae19e6f3665fb72a1ccfc8bf4cbf7534

Filesize 196KB
MD5 673c3a42d8890b70b952d4ba911ab1a6
SHA1 4df310b0762bce9a4f98721b3a848a37d682f10b
SHA256 e5bdf97faa207aa2b27bb66b9097c4822e6ef00a82740c12b8a5abb12cef75b0
SHA512 385ac7c24a807c432f5c1a86ef27bcc8c842d565e45ca3b2c234e5c05ae1b041b723650d3d528c7d3e8db047f996e00e7ab037e668f7d1f470d86fbaad77bfc7

Filesize 301KB
MD5 604221b9eb2695e57dd4de6fe486f75d
SHA1 f408d0a6188e9f3e81082503060d0d67d4a15561
SHA256 025c019d0dc8c17ffaf59dbddaad6d90120a8040e1bf9cbfa4bbbd12b82646bd
SHA512 8f2e2bd8c8b967593d90316bfc2f19bffeb2f2b8f08b39029466af7a8b02eeadd4fc8a3569e9396c1035528f127014920e557af873a2b84697919b5a006207ba

Filesize 1.2MB
MD5 1c1851e392e51aa336a9acf0b5572858
SHA1 6f32d1cf49e6729d1f206c66b2066b5b7915a523
SHA256 a204e56c78e5f154d3066ac365b20b2df96f2c69c1d4507d84a1145683905419
SHA512 a7e4e999dde908787b95731ea6641ac0807a17c892f816fdb8d0a7012b81107ecbf336dfd72f90e21d76d4e1a2a33a0c2778611fb0e0586a5c6b57ef2a320b43

Filesize 258KB
MD5 3774e32ee15d9821586909ceee9733a0
SHA1 ef5cf21418b2d415d2b49d32e0c1169fc9b4fa9b
SHA256 023c574d01fe9e40349ee99bd21d1f61b0067252d0a1bc9aaa07e90d4d92c581
SHA512 eb619309919d1d813dc92050b2e1333b8866304dc71133f32283cedac049a51aa527f3c25aecb2128b944e9b2e919299c7e5e4f54fea08ff88f639a488dcf2a7

Filesize 143KB
MD5 353e9eaba452af94ff9263c37bfb44f4
SHA1 af69b08eb9a149a0fbd948468e9fcc22a313adcc
SHA256 a0e961a928f24472bcbf5ee012580fef0b7ac88ceffc9fc1108351b2e5d0ff40
SHA512 91a9da8091d2969803703ff7923555ef88ba66295434ae99285a1ba4ebdba21034834a1a74ac8143c12397383e038de65e2ac4277f54380afce715264d9610b1

Filesize 255KB
MD5 68af28bb5380426ec0c83e21d8ab6bed
SHA1 f88fdc4c8f7add538434025246c403b9b5d40f60
SHA256 46b63ebbbd83441302fabff27e8c7a74aadcb00e89c959905e7e250a2b029873
SHA512 3e8fc720dd111f0bda901ec47fad41356263c48d2004bcf7ec202eb0f2929b5ddd0385fe556c8730e303c4d1dd7970a57ec9f334aab6ec251e1681e573a3c524

Filesize 279KB
MD5 486487c1544e73c9e8a50b416a0ae985
SHA1 29762a2efd3ebcf039b6ac4934afbb4a602304d1
SHA256 a53214dfe87ad9883b081fece0651fcd2d00bf51611133c494a8f10d79527d05
SHA512 2c46054cf64f2f4940d1c33809284f677f743284edab1fbcba9e5040d2276ca8ec907b335ea97bae30afebc5499a547c77f4a3c373335e521f72a7d4b56606a3

Filesize 301KB
MD5 15db3f0c4db95a5fc0030ac8f7006a7c
SHA1 5aa108441442186eaa64429a563ea20e92b5e428
SHA256 1db8925f0df923333b39673bc15993e3c57ed1ddb2be913cc7b19c3041a15f86
SHA512 9a7fb8e45596070089284babd7a142748700ec64d6889e8e7cf8be3710a9e1a10daa3edc7036a14af5bb3db6f8b132e7632532309491c8a831727d46cb77ce58

Filesize 1.2MB
MD5 8a2a1ec8889a1347527ddd02ae4188c9
SHA1 a9b9aad48f4bfcd8d2140e07f6ba767ce914d453
SHA256 6536c3bda43896dabba9b0939863e8a7241ab814e8a33d842828284889b4f947
SHA512 3ba0b1b35c5398071859a41a57775a04e07429a16ad12aa30a7cffcba354aef5a9e3745a29f84460a04368e51b5a48e0eb83d789366895acb532dce98d837a6a

Filesize 494KB
MD5 f651bcb8c476e42c6066c32cd55dae49
SHA1 4480a123d8403c2baa42508b70276ddb3e4b5b0e
SHA256 bb0c6af6efe604d7bd00333652d912356515c25e46924a0b42402c6094e43227
SHA512 39d53f5f29ac613c436c58d7d5a72fde2936f0d90525f4960b2a7e18c72ee9c17f20658b0266afb150887e2769d9edec5cd26db865e868120f728247cce5125b

Filesize 424KB
MD5 38d88a573dcb7ddef160cd8dd36ae3fd
SHA1 cc0d4f9ea2746875eabba86294cdce96d21739f2
SHA256 6797716e073af89634447a0d0b426d6502e99b2847c5b6deba97ce256b6830ff
SHA512 25a51b93a52baba328c383e4d352870fa182b2dbe0359c58abb86054b83e01117b0ba87da8644fc717698fe4a96d900e721f358c3272b2f839db6ebf17ae5de6

Filesize 333KB
MD5 68850fba430ee302e23107b493db14b9
SHA1 77ea931b96ae015a853b75ab96ae2f454f60cebb
SHA256 b639856f21cd7db3e14082dd80ef231a488027dae94dcbdd30a2d170b7b0a4b2
SHA512 2de40ecfc6989a5b935a2898d27ea10d01ea47be2b0fe1c680525cf249962bbd76955babc04df930e7ed0ecb7d09a1f311fce45e2ff43514c272e6cac186261d

Filesize 327KB
MD5 9391bf08d5dbf488512a1fdbe3ad7ed8
SHA1 4d6f40238eaba3d7337c7788d68ab651fb39bfbe
SHA256 b92f42020f5c49967e9e04a585982b7e35f484664cf0803c115e90e2e34bd0a2
SHA512 f99ce6064169130129e5b73e511a442dd085db690c90cad59d2f17b27af96178cbabba30e8b459e8046f4e1201a22d94235cef247223f71fc23a56f0aef5c2e4

Filesize 237KB
MD5 cfccdc8957122f4e3efc4be5cb379f66
SHA1 e213bccd35eab2dd57cd5f199a54b680ed081b58
SHA256 1cca4b5eaed06355651ceb6d30cb206dc99981b440532d5e68f2c6c356eeb111
SHA512 b950d6701fd2f7339dfbe4682339b97cb3e7195e980e67a3e7af841e29883bf9f5e9968eb096c4f2c0efd73ae87ee93d127790f1c82c851ba4591b8713fb2db2

Filesize 255KB
MD5 b28ffec6de925ec436774cad1b72b585
SHA1 202c95681eda60b6769adbafc04ac46105d6a7c3
SHA256 04b86c1a3729c8de8168b73812dbfe697880722c453042b6d5ed6db317a18f0e
SHA512 e8f15c1f909fef3fee541ae76516e5b5dd8adfbb3c9da01164250d66f9e868a774d8603a175f72aa24bc556e8916a9c8cabbfbeb9d0dbe921ec437238a96a95b

Filesize 134KB
MD5 e49441bbebffccd00a096dbaf9ddce58
SHA1 d6d42dab5731a309d2e30c11fa94590814fa1953
SHA256 5befe042b53bcddba92cdd761d569a6fbb688e2b083f7d37b4174211abfb5974
SHA512 dc470038082d75941511c36fe683723a7d8fa1acaae50794192b7e00d38c4c0f3e7e229da58e32cd8a1088a3cc69a00888d6dcf514c0f7f0c6328338e5a19b71

Filesize 869KB
MD5 2d32a04371d1c50b82ab08baa2261a36
SHA1 a146d0d61d66a51f473cd428d13b1d5e97202dc6
SHA256 953738a81d89c0c72d8c3fcece4a0a203415e8fef4bfa25ad03712a3bd78a414
SHA512 09ad9570baa11f170ec9d52ad61b67083bd25546f98145fb46d7f8996f5e8abfb543f3fe3aaafbea54cb5216e179359a864f9513e64cb17b8a227c42b03d38d2

Filesize 988KB
MD5 b3c8026c604379957eba2fbc579276a6
SHA1 b1c3bc4e1c285b0a60ceaec4f65c6067953d7496
SHA256 bd74d8e02a2d50bb20fc84edef7825f9f6b7f7c9bbd833de2a6b93dd66bb2c7d
SHA512 d35e084cb6476d3bce845fa057a7e080f8fa9c7e35432a575da5b0c1f9412ae137103e23a8cc8b7347574177f21060d57f14d6aaf5ae92d129b7f0e345fcf289

Filesize 87KB
MD5 e87d1c5e26d20839a8b0c2f9ce3783ed
SHA1 16b249dc6a2a03afb42a19fb49f6de4e4fcead32
SHA256 3f7cca97ce444d7b6f1a5a80d45165f38e660a85f4a1d27004b0e57adbdcc109
SHA512 3c60f1c9a110e198ee958a3969707bf0c22fa024d0d2173dacf512c60e7b21e010fb63812515eb0d0ea097dcb195d4b324e4f10d244b7b7e4aa3d5afe3eeb992

Filesize 214KB
MD5 542e536a641bb3ff4d95fedc552ddf37
SHA1 064ce5bfc3aae61e938e52b3fe02a808c8fbd31d
SHA256 0284fcf3469ba1cacd9bfd66f99282c717deded3eee1840c6dd7296b8e84acf4
SHA512 e2ef338d758e1419c9a1173f233f37185b3b464dbcb0650f1ff3297f10485e81c4952429032e2ddeb56aba5f39a40e8fe01115a22692db9f690ae2354e244e32

Filesize 69KB
MD5 c87145a494f0f43c2f91d4f159d9f708
SHA1 d7ff99948ff60e2e96c7f2bc90af9b3d3c424e03
SHA256 baec23696230d02bad08c25484fc8c87443ad98e0845f6e7dfa786ee2d9a7e98
SHA512 1df510cdcd2c160589ee1d7fa3fa8f96577f5c4e9816716a5d270f45d0427240aaff4ba5a12a93bffd9f81a9d6d382932102b6cbd013edc2774b801b00728566

Filesize 301KB
MD5 ebc1db7904cbdbe3b70bcef65e40dcd0
SHA1 32e7f0983491a57b60d09e92605c621ec1b5cb07
SHA256 5c1f03586b58a89c748d7dab867ce44141180712c191be4711ebb7a34666f961
SHA512 60365da4638f33a3754c9d42b5f8079c1279d8ac9b39f824c0b4536988a9621fb3586d71ec2c13423d38c65c7f17539b0db3f9c7d025caf8ba696e2db7458a23

Filesize 139KB
MD5 e51159f8bf32ccbdcc73e94e0faaaf1d
SHA1 0c393b5a4b4a72503e38b5cb8aae6567161f9c5a
SHA256 60132a7ae4aff0f549b3e43ca94c97abb27b0d73320ca10c798f2217968733bb
SHA512 5879392c255b841bf2b1e08cfb46ddc308d024c8e0838518661b5d3695edc31d13ed449719990d5b7e5e1ebeea8e3adf6f811c8a80d9899a3d084efacbaf37b8

Filesize 1.1MB
MD5 e4d8ec0ca82788b3c69b1d838dd05740
SHA1 0f2338afd13cd01e024e4ad731fc0f0d177301df
SHA256 01eea0e1dc0236c306adbd23d7bb71071f6d90426d5fc6818181758c7a7db5e0
SHA512 98d1b2e94e2a3b4704065089e7bf19cfc9d6c3afa8ef86aa4e6928a2029d68a95825c7d5e1463011554ac9c731b0fd00351c326e6c533d2d41f3fb38fbe714d7

Filesize 906KB
MD5 368646c3134aeae61c98b1f3420f8abe
SHA1 0ac28adc866922ecccc3464375406094808fb9e3
SHA256 0956e15f410a86dc78a1a404b2309e0a6d6837641d56ad4aabbc45db50d7f047
SHA512 7f7721751ee77fa617278d87609da84199d801e94726515ee646d216ef68c74137269daac7864656903970f47a23d223738350e3448550127be0392a9a7d1f47

Filesize 578KB
MD5 2d5079424157474b35e19f928df54d59
SHA1 16f9898f9d81b834e64a7cc41113e1beee9f43cb
SHA256 6645934c512281aecbe348588b44b5f9a184a1472dcdc37f80df8b0de481b76c
SHA512 58ef30ed4f4fb8193db706958d6058ae1466e81017aa85a0b9fec96a6e337194ca0e437edc69cd2912382fc6da5498a62ebcc7d04b0ea43e934beb13b57d978a

Filesize 895KB
MD5 a0a8616fb4698654d686b653deae63b5
SHA1 6ba9e4e854db1aee6f6ea57450a52f0b7c61825c
SHA256 e45bef57e6457e6dca5a0e20a2d90d09aeb19abeabb32f2bfc6a3239c8140f27
SHA512 7ce8a727f4c2758f06d661d02a93f04d2b11ccd843b939153e696896c79f8e2a609f694c2075d62b9bcdca263d1415f5c99bfa490942b2b0fa5ecdfe3bc70a18

Filesize 301KB
MD5 69ed09a376b65c552e4caf02fb8f48aa
SHA1 73d681d01a21f6a91891f0972f4c3d2aef0f49c4
SHA256 f76b487d4b11b7ab3ac135120010177c1315b022f1878d6d4e8d0b44748f121d
SHA512 ae20f5504ae417e13dafa4938817fb816429a0e4965bef5c3290f5b937f64d79cf822b3ff1e0e2577048afbfcdec5d07304488a9aaf42cd546b44c4fe15c9db8

Filesize 166KB
MD5 898f7ea69689a08830858fa203468b23
SHA1 82734dc392f1fb80709ae23d7cde27066c748dc4
SHA256 6d8607c15c78dbda585fe3cc24a3b27cc12d63d6f1e88f5e330ed930d2b7c07b
SHA512 699159a0d459101317abc0baf60dd560ea2c5f82d3fae33843bc4d049ae7edc1953e0ce99e0818591acfe6808d8cd7b64a287bc2dfe01f300b5780dfecaa699c

Filesize 202KB
MD5 7e64c95b72febb7a73713368ea7f9b45
SHA1 a4d99bf5137f63c363dfca7bf6ec85e16f71d8ab
SHA256 693109fb5a7ea540ce3e9277989f634ea5bacbd32649cd256bd6cd2e002c1659
SHA512 830002718c897b5b1dac288b50e2f4a331119cf5cd057b2bbd56bf2ba8fc8aadbbbf80c713bd2acf0163f341f946c3fdaa4bbce307b6049f517e581dcbe1859a

Filesize 301KB
MD5 743c49b0ea3ef6210ff4fba5374868b7
SHA1 400947ee1452296f7a0605f318900010de9b9f85
SHA256 772b3b5d7cf415006644775885e5a59e9253aa9ab77e5b89552c5bda42f5c36e
SHA512 f9c275bc1f61bf91d18759f4824b653a35039393899ad15823d6d6755114ab988a6509620c8c898627cb8015bf331cd6da65702ef9e8023319dc5d90fc1c7458

Filesize 65B
MD5 64acfa7e03b01f48294cf30d201a0026
SHA1 10facd995b38a095f30b4a800fa454c0bcbf8438
SHA256 ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA512 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

Filesize 269KB
MD5 ca3ece2163a7651d68de9db1656cc89f
SHA1 1b60399ca3f8d200c9951265572c79940540d90e
SHA256 69ecb34dd72192e652646e2531d9b9e61937f4b58fcfa07e1091d094860c83ef
SHA512 11b6f26d378aa9c504da91e604c8019026637f14097cb2c66551aa2dd99497de806108dabeb471e6b387cb2247c2c1e0154054028a7be53d5cbf1903772f3e6d

Filesize 301KB
MD5 b84b639b0153d1216fd29fde70acb39c
SHA1 636af0fc3cbaa18774c17266f391d0f3ee62932c
SHA256 fcf545b1af226807c4636112257a99660eee8a803fa9e46f6a4fa1fe989d0d27
SHA512 95b9e48693d4907d0dcacf44a2221039f0424408240a068482e4fab891d8c7eb78397604667b85de8cfe660d6800deb1d04498aeac55c5739d8c04919bbef4fa

Filesize 301KB
MD5 ddbe8b9600d00baca00a2de67f1b874e
SHA1 2d67f6f44a827f88eef73653815120c8f5be53c3
SHA256 e00fced673987805b8efc29b67f9993bc3d6b85180cb70ff1f68ac37c6b466c5
SHA512 131505c7a46c561d04950330a9994a8cd36fda78bae9bfabb36a37491cf5968411c357c724fe24498af5ab150e25aa21347a0399f8797565a231359f3e826f48

Filesize 301KB
MD5 e1afffd63299410cb3d7e73208eaae8a
SHA1 711536c250ebf6e9d6f77fadf8b21b10fb8799a5
SHA256 162fcf3d9fafda1ebc07478b701094b01b71d99f78eed108478ba7fcaef25639
SHA512 5e9aa968ab58cfe6ae8779a0b2afa14574d6349937caf01cee7d94b34dc6c794019caf2c9625125ffa502aeab63cb4c0a13a6570500895d7d90d541016a67ed3

Filesize 301KB
MD5 95e197870f05d7c395e027082e02ee53
SHA1 0ea32f91de2f9c15a4a3b1d9d9994a93c5bd4cd3
SHA256 99edbe2ad4cb3285c026446da47243b81d81bff6175ad7c833269d9c23a27ca6
SHA512 197b1a0a9d8ac42b5ffe3a011ebe34eb834408918273ee21fd731f88efbd3a801a3f6aca983e8b3d662ceac2e62d3769f37bcd0845492dc6ed6226fcf6d61943

Filesize 96KB
MD5 875c47cc27f5f38086533a7b2f8ea215
SHA1 ace6878ecc4a1fe0d3aab7be2ee2531006c72fe6
SHA256 0c354674fd655d6cb88e8923e8102ff82767d80b06ce976fcf2cbe89461dc34e
SHA512 eb1d4aaedac7f47ca3d8aa4cddb717b53ff6d3bc91c9236a31af16fbff9726962e91022cdf048dbc404b9001ff023824920249a966c5e98ebfe1b0e0ae73779e

Filesize 138KB
MD5 f4f7a03c188097b3b6e315df6b98e2e1
SHA1 54d94518371e20777c9979b6832bfe5f68bd583d
SHA256 fb89d5dbb52c5df2e8c1caed986d144fb5eb5a55c5cdff3abee548d5394bcb6b
SHA512 b168c129b4381ab2c484060cafba7249033d5920c0bcad5403cd58aabe9a1baf21de9340784dc096f1616083b22a6075ad8d6d4ae17859ef1837ddd6d1f6d33f

Filesize 290KB
MD5 27085a1642b30f4e028422aed7248c5e
SHA12cfe0a0ae0a141a442692365bc970aa17b13850a
SHA2569e41253fec50c885a6b76da2ba11cf6da58079538bed00804974b146f80c8df0
SHA512bde44845f1544dcf38a373a98bf6a228c16d0ae800b8a35a54d098fa8984c0496fd8211b26f416c051e6d41f99188b154285eba5aa7138e5074f0e909e75527f
-
Filesize
301KB
MD55fd6b9f1557686623c6eb3bd1f521848
SHA16585b6f65ce1eb562557c8ff301b67a0803a59bf
SHA2561280611bbd0292f8f0f7273ce3a77c084e58fb2cc1ff76533632e99279efef7f
SHA512f80a826efc7e95aeccca6dd12866c05e5622f11909a5f42fcc4f57bde90bf2d1aa0ed731128afcfa8fc95a196b45b26b1c65aa3d1e8240b919d3690e809b91de
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
900KB
MD5d68947d95cf84d2366cbce04f2a4be2d
SHA16e790586fd364cb2d6e109fef747bc37a58cad76
SHA25613112f42e0fa5d8988bf0a2d83446a1c2a6c7a420b67970f1e6a9d39e9899792
SHA512d386f6ce2d801664436f2cb711f23ceac0c31d51bc6b2f47ae4d1c232707dedb70abefc877d4de7130e2982f8a4741c7799cc7605ae50714ec1e2c3ab5766a15
-
Filesize
542KB
MD534ff5958a330a9e235f5d1ebd2443624
SHA16a912868244c4603e6a23f0f93def9e2b8f61979
SHA256f9f735973f7199de1eedfe4b9fca0abb07c197d850d70093888af0981551fea1
SHA512e214853c9e2229c9af415998220b77f874c260765ebb91b9789d2fcbfb7e51581aa9ea9ecd2a07a4505cac4d7fd24b12eee1985fb5d2c867d525eefcc180e8f6
-
Filesize
958KB
MD5bcfd2ae887b21a1ad947e961ccf7dff1
SHA14955ae66611c5b55e6050f4948518c565211edd1
SHA2561476da05fbd2134e3547f7edd253440e526d4c7a25fa1b9b50908417f31a1128
SHA51269551d0022abe80f246880d70f83077f9cc85ce4836a430b95fb5e686c6f70c8d4224df844633a781ed2b336435cc0795f946561de879c0046d0605d15944b62
-
Filesize
704KB
MD503fa42e70c14f66657562ed3803900ea
SHA1ee0054a19c61ec62cb8b009cdf0c0ef22b104164
SHA256a00432520c5efe93ee0d57a08b3c58ef2f724790875f652b3d3df43c7816c183
SHA512d7b1249ca54fc535a286075521bc988e87b85e8f33167e6ed9efca442c6826ace692486d241bdcb4635ff8333ae11979506c56b184c0c312063f3ec2b318fc2f
-
Filesize
299KB
MD53b207bc74b043df97a325587bccd8430
SHA16c83af22a9d5b4921b8750b8e170dc35ac1eb1aa
SHA2564d8d018645c5da8be684148a6d198e748c2f300646b78c633ad666c32d87659d
SHA5125ce04cfaccc79b8571a010d2a59d7ca80e3feab5181c98826f3d6a962aed9d59aea6ba4a1d15561ea9aa3b3a76c413bf744ca6d23454f3c178beea8149b655f1
-
Filesize
815KB
MD5ac322abf84d49bd8725714231e430ac5
SHA170ecb1872cf553c1b64287531edd0c3405cce345
SHA25643afe44ba5e436c6b27775e82e8b425558bd5a6b2a75bd10f81e46dc26ed98d6
SHA512705fb5d9f8a8303284462cee87a4ed81be8446b4b7cd74cd4a8406026361dcdf49d2506bac258b5ed2485106eb3fd53a186a2ef20ffdc9de7d42181c2060afb1
-
Filesize
517KB
MD5c6cde7efd51ba8f9219fc3a2a9cae4db
SHA1d5769d426515158f6df1c7387668db15d84cb846
SHA2561ab5cac132645e04580aa57f678116be93962562e8b0b10efcbe7444026b7957
SHA512c4de43750a502f5ca1dad3b408314e8b868b6d06068ecc8b94b8e6dd0179e003a42ddc4207588fc88775283def82affb7f4560c3e48ae1248627d88ffcd80260
-
Filesize
879KB
MD5fe8c6e259f1ecf4ce4d8fe4ffa9311d2
SHA10559eb47cb421c8d3013b78e06c8f93e0d3c4467
SHA256237ed8ef71442d7fb84f0fb97addfd613559c9c6b3ee3ceeaafae26eb827be06
SHA5120ec976839c42d90c8fd1cdc9376d274593629cf86d370ba2e0174173fffdc34a4e613a1319fb7eca11e4c09ec389fb6c613943dba6707fdf0d46f4c26f8953a9
-
Filesize
932KB
MD5daf4c2378faa768ac643cbe2eaedf45d
SHA19f8fea1c14f1ef8eaa4870db0dd005b80755447a
SHA256bb8fd824942df56130f1953dfebf3f6e59c8f34bea624e5fe410146a67a6ba97
SHA5122c0b79252c91d0498ef3c92125057b87ba9178293a0198882852213f837db75d5be16cefdad7d1bba8d1f679e1260278118cf1b035ecc31d1f99947c330250a7
-
Filesize
333KB
MD5c8fd1a665c0520e559fc6c52032d1ee7
SHA1696814e68159e889db590a5b1d1a971824598eeb
SHA256347ae4f289806e87ca0e6eb909f9f54fc0d5d685a7fc81f2741c64d47126953e
SHA512923fd8f606cf525124d8f7e0981c88f865e2824147ab709bea9de26ef52b44997a802cf066f2643ce9939f8fe52780710bf8c142d5d258d1fda70f1e18f7e3ec