Analysis
- max time kernel: 89s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/03/2024, 00:17
Static task: static1
Behavioral task: behavioral1
- Sample: c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
- Resource: win10v2004-20240226-en
General
- Target: c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
- Size: 221KB
- MD5: 7f22f8a8a4144288e1e5b7b36b8280bf
- SHA1: b8e75d85249b293da7458a975a9ea00e72cab9c0
- SHA256: c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0
- SHA512: df33ba719d1bbbcda0ff9ad8ff27c140d44cd140f0b4c6906691d116343de8787d9a9ca38965c4513ad488b1f6643a2242a8aed2024b835dc238612709bfd7ed
- SSDEEP: 3072:P7TQlatyYePxiFVJ7TQlatyYePxiFVg7TQlatyYePxiFVJ7TQlatyYePxiFV3:zTQt8JTQt8iTQt8JTQt83
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | csrss.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Disables RegEdit via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
Disables use of System Restore points (1 TTPs)
Drops file in Drivers directory (24 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
Sets file execution options in registry (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe | system32.exe
Executes dropped EXE (30 IoCs)
pid | Process
4088 | smss.exe
4312 | smss.exe
2388 | Gaara.exe
4000 | smss.exe
2056 | Gaara.exe
5056 | csrss.exe
3128 | smss.exe
896 | Gaara.exe
2828 | csrss.exe
2184 | Kazekage.exe
2496 | smss.exe
4592 | Gaara.exe
4676 | csrss.exe
1304 | Kazekage.exe
2140 | system32.exe
4440 | smss.exe
4912 | Gaara.exe
3496 | csrss.exe
1344 | Kazekage.exe
4052 | system32.exe
3668 | system32.exe
2308 | Kazekage.exe
3140 | system32.exe
3688 | csrss.exe
2168 | Kazekage.exe
1304 | system32.exe
620 | Gaara.exe
1084 | csrss.exe
4496 | Kazekage.exe
3100 | system32.exe
Loads dropped DLL (18 IoCs)
pid | Process
4088 | smss.exe
4312 | smss.exe
2388 | Gaara.exe
4000 | smss.exe
2056 | Gaara.exe
5056 | csrss.exe
3128 | smss.exe
896 | Gaara.exe
2828 | csrss.exe
2496 | smss.exe
4592 | Gaara.exe
4676 | csrss.exe
4440 | smss.exe
4912 | Gaara.exe
3496 | csrss.exe
3688 | csrss.exe
620 | Gaara.exe
1084 | csrss.exe
Adds Run key to start application (2 TTPs, 24 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 3 - 2024\\smss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-3-2024.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 3 - 2024\\smss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-3-2024.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-3-2024.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 3 - 2024\\Gaara.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 3 - 2024\\smss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 3 - 2024\\Gaara.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 3 - 2024\\Gaara.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 3 - 2024\\Gaara.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 3 - 2024\\Gaara.exe" | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 3 - 2024\\Gaara.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 3 - 2024\\smss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-3-2024.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-3-2024.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 3 - 2024\\smss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 3 - 2024\\smss.exe" | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-3-2024.exe" | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
Drops desktop.ini file(s) (64 IoCs)
description | ioc | Process
File opened for modification | \??\X:\Desktop.ini | Gaara.exe
File opened for modification | \??\I:\Desktop.ini | system32.exe
File opened for modification | \??\Z:\Desktop.ini | system32.exe
File opened for modification | F:\Desktop.ini | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File opened for modification | \??\I:\Desktop.ini | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File opened for modification | \??\P:\Desktop.ini | system32.exe
File opened for modification | \??\I:\Desktop.ini | Kazekage.exe
File opened for modification | \??\G:\Desktop.ini | smss.exe
File opened for modification | \??\Y:\Desktop.ini | smss.exe
File opened for modification | \??\Z:\Desktop.ini | smss.exe
File opened for modification | \??\H:\Desktop.ini | system32.exe
File opened for modification | \??\S:\Desktop.ini | system32.exe
File opened for modification | \??\N:\Desktop.ini | smss.exe
File opened for modification | \??\E:\Desktop.ini | Kazekage.exe
File opened for modification | \??\H:\Desktop.ini | Kazekage.exe
File opened for modification | \??\Q:\Desktop.ini | Kazekage.exe
File opened for modification | \??\X:\Desktop.ini | Kazekage.exe
File opened for modification | F:\Desktop.ini | csrss.exe
File opened for modification | \??\Z:\Desktop.ini | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File opened for modification | \??\G:\Desktop.ini | Gaara.exe
File opened for modification | \??\G:\Desktop.ini | system32.exe
File opened for modification | \??\G:\Desktop.ini | csrss.exe
File opened for modification | \??\N:\Desktop.ini | system32.exe
File opened for modification | \??\P:\Desktop.ini | csrss.exe
File opened for modification | C:\Desktop.ini | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File opened for modification | \??\L:\Desktop.ini | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File opened for modification | \??\J:\Desktop.ini | Kazekage.exe
File opened for modification | \??\K:\Desktop.ini | Kazekage.exe
File opened for modification | \??\B:\Desktop.ini | Gaara.exe
File opened for modification | \??\E:\Desktop.ini | Gaara.exe
File opened for modification | \??\X:\Desktop.ini | system32.exe
File opened for modification | \??\W:\Desktop.ini | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File opened for modification | \??\T:\Desktop.ini | Kazekage.exe
File opened for modification | \??\S:\Desktop.ini | Gaara.exe
File opened for modification | \??\P:\Desktop.ini | smss.exe
File opened for modification | \??\J:\Desktop.ini | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File opened for modification | \??\O:\Desktop.ini | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File opened for modification | \??\S:\Desktop.ini | csrss.exe
File opened for modification | \??\S:\Desktop.ini | smss.exe
File opened for modification | \??\W:\Desktop.ini | smss.exe
File opened for modification | \??\B:\Desktop.ini | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File opened for modification | D:\Desktop.ini | csrss.exe
File opened for modification | D:\Desktop.ini | smss.exe
File opened for modification | \??\V:\Desktop.ini | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File opened for modification | \??\I:\Desktop.ini | csrss.exe
File opened for modification | \??\R:\Desktop.ini | csrss.exe
File opened for modification | \??\R:\Desktop.ini | system32.exe
File opened for modification | \??\T:\Desktop.ini | smss.exe
File opened for modification | \??\U:\Desktop.ini | smss.exe
File opened for modification | \??\N:\Desktop.ini | Gaara.exe
File opened for modification | \??\O:\Desktop.ini | Gaara.exe
File opened for modification | C:\Desktop.ini | system32.exe
File opened for modification | \??\J:\Desktop.ini | system32.exe
File opened for modification | \??\V:\Desktop.ini | smss.exe
File opened for modification | \??\A:\Desktop.ini | Gaara.exe
File opened for modification | \??\R:\Desktop.ini | Gaara.exe
File opened for modification | F:\Desktop.ini | system32.exe
File opened for modification | \??\A:\Desktop.ini | smss.exe
File opened for modification | F:\Desktop.ini | smss.exe
File opened for modification | C:\Desktop.ini | Kazekage.exe
File opened for modification | \??\Z:\Desktop.ini | Kazekage.exe
File opened for modification | \??\Q:\Desktop.ini | smss.exe
File opened for modification | \??\S:\Desktop.ini | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File opened for modification | \??\Y:\Desktop.ini | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\A: | smss.exe
File opened (read-only) | \??\B: | smss.exe
File opened (read-only) | \??\E: | Kazekage.exe
File opened (read-only) | \??\Z: | Kazekage.exe
File opened (read-only) | \??\N: | system32.exe
File opened (read-only) | \??\U: | system32.exe
File opened (read-only) | \??\X: | csrss.exe
File opened (read-only) | \??\X: | Kazekage.exe
File opened (read-only) | \??\H: | csrss.exe
File opened (read-only) | \??\J: | system32.exe
File opened (read-only) | \??\R: | system32.exe
File opened (read-only) | \??\A: | system32.exe
File opened (read-only) | \??\L: | system32.exe
File opened (read-only) | \??\O: | system32.exe
File opened (read-only) | \??\V: | system32.exe
File opened (read-only) | \??\Z: | csrss.exe
File opened (read-only) | \??\Q: | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File opened (read-only) | \??\B: | csrss.exe
File opened (read-only) | \??\Q: | csrss.exe
File opened (read-only) | \??\G: | smss.exe
File opened (read-only) | \??\U: | smss.exe
File opened (read-only) | \??\X: | smss.exe
File opened (read-only) | \??\V: | Gaara.exe
File opened (read-only) | \??\S: | csrss.exe
File opened (read-only) | \??\R: | smss.exe
File opened (read-only) | \??\B: | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File opened (read-only) | \??\H: | smss.exe
File opened (read-only) | \??\S: | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File opened (read-only) | \??\P: | Kazekage.exe
File opened (read-only) | \??\W: | Kazekage.exe
File opened (read-only) | \??\O: | Gaara.exe
File opened (read-only) | \??\P: | Gaara.exe
File opened (read-only) | \??\L: | csrss.exe
File opened (read-only) | \??\Y: | Kazekage.exe
File opened (read-only) | \??\G: | csrss.exe
File opened (read-only) | \??\Q: | smss.exe
File opened (read-only) | \??\S: | Kazekage.exe
File opened (read-only) | \??\G: | Gaara.exe
File opened (read-only) | \??\B: | Gaara.exe
File opened (read-only) | \??\S: | Gaara.exe
File opened (read-only) | \??\E: | system32.exe
File opened (read-only) | \??\P: | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File opened (read-only) | \??\T: | Gaara.exe
File opened (read-only) | \??\V: | csrss.exe
File opened (read-only) | \??\E: | smss.exe
File opened (read-only) | \??\P: | csrss.exe
File opened (read-only) | \??\S: | smss.exe
File opened (read-only) | \??\B: | Kazekage.exe
File opened (read-only) | \??\G: | Kazekage.exe
File opened (read-only) | \??\E: | Gaara.exe
File opened (read-only) | \??\N: | Gaara.exe
File opened (read-only) | \??\Y: | Gaara.exe
File opened (read-only) | \??\L: | Kazekage.exe
File opened (read-only) | \??\O: | csrss.exe
File opened (read-only) | \??\Z: | system32.exe
File opened (read-only) | \??\I: | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File opened (read-only) | \??\W: | Gaara.exe
File opened (read-only) | \??\Y: | smss.exe
File opened (read-only) | \??\J: | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File opened (read-only) | \??\I: | csrss.exe
File opened (read-only) | \??\I: | system32.exe
File opened (read-only) | \??\H: | Gaara.exe
File opened (read-only) | \??\J: | Gaara.exe
File opened (read-only) | \??\L: | Gaara.exe
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | \??\T:\Autorun.inf | Gaara.exe
File created | \??\Y:\Autorun.inf | Gaara.exe
File opened for modification | \??\I:\Autorun.inf | csrss.exe
File created | \??\J:\Autorun.inf | csrss.exe
File created | D:\Autorun.inf | Kazekage.exe
File created | \??\P:\Autorun.inf | system32.exe
File opened for modification | \??\U:\Autorun.inf | system32.exe
File created | \??\U:\Autorun.inf | system32.exe
File created | \??\Q:\Autorun.inf | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File opened for modification | \??\X:\Autorun.inf | Gaara.exe
File opened for modification | \??\X:\Autorun.inf | csrss.exe
File created | \??\I:\Autorun.inf | Kazekage.exe
File created | \??\R:\Autorun.inf | Kazekage.exe
File opened for modification | \??\S:\Autorun.inf | system32.exe
File opened for modification | \??\V:\Autorun.inf | smss.exe
File created | \??\V:\Autorun.inf | smss.exe
File created | \??\E:\Autorun.inf | system32.exe
File opened for modification | \??\A:\Autorun.inf | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File opened for modification | \??\M:\Autorun.inf | smss.exe
File opened for modification | \??\N:\Autorun.inf | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File created | \??\S:\Autorun.inf | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File created | \??\T:\Autorun.inf | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File opened for modification | \??\K:\Autorun.inf | system32.exe
File opened for modification | \??\A:\Autorun.inf | smss.exe
File created | \??\W:\Autorun.inf | smss.exe
File created | \??\Y:\Autorun.inf | smss.exe
File opened for modification | \??\O:\Autorun.inf | Gaara.exe
File opened for modification | \??\J:\Autorun.inf | csrss.exe
File opened for modification | \??\M:\Autorun.inf | Kazekage.exe
File opened for modification | \??\L:\Autorun.inf | system32.exe
File opened for modification | \??\J:\Autorun.inf | Kazekage.exe
File opened for modification | C:\Autorun.inf | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File created | D:\Autorun.inf | Gaara.exe
File opened for modification | \??\H:\Autorun.inf | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File created | \??\V:\Autorun.inf | csrss.exe
File opened for modification | \??\W:\Autorun.inf | csrss.exe
File opened for modification | \??\H:\Autorun.inf | system32.exe
File created | \??\L:\Autorun.inf | smss.exe
File opened for modification | \??\N:\Autorun.inf | smss.exe
File opened for modification | \??\I:\Autorun.inf | Gaara.exe
File opened for modification | \??\O:\Autorun.inf | Kazekage.exe
File created | \??\P:\Autorun.inf | Kazekage.exe
File opened for modification | \??\V:\Autorun.inf | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File created | \??\M:\Autorun.inf | Kazekage.exe
File opened for modification | \??\Q:\Autorun.inf | Kazekage.exe
File created | \??\H:\Autorun.inf | smss.exe
File created | \??\S:\Autorun.inf | Kazekage.exe
File opened for modification | \??\T:\Autorun.inf | system32.exe
File created | \??\X:\Autorun.inf | system32.exe
File opened for modification | \??\W:\Autorun.inf | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File opened for modification | \??\G:\Autorun.inf | Gaara.exe
File created | \??\W:\Autorun.inf | Kazekage.exe
File created | \??\P:\Autorun.inf | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File created | \??\G:\Autorun.inf | system32.exe
File opened for modification | \??\A:\Autorun.inf | Gaara.exe
File opened for modification | D:\Autorun.inf | Gaara.exe
File opened for modification | \??\P:\Autorun.inf | smss.exe
File created | \??\K:\Autorun.inf | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File created | \??\U:\Autorun.inf | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File opened for modification | \??\Y:\Autorun.inf | csrss.exe
File created | \??\K:\Autorun.inf | smss.exe
File created | \??\J:\Autorun.inf | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File created | \??\P:\Autorun.inf | csrss.exe
File opened for modification | \??\B:\Autorun.inf | Kazekage.exe
Drops file in System32 directory 39 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | smss.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\20-3-2024.exe | smss.exe
File created | C:\Windows\SysWOW64\Desktop.ini | smss.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | csrss.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | csrss.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\ | system32.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | Gaara.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\SysWOW64\ | csrss.exe
File opened for modification | C:\Windows\SysWOW64\ | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | system32.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File created | C:\Windows\SysWOW64\mscomctl.ocx | smss.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | Gaara.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\ | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\20-3-2024.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | smss.exe
File opened for modification | C:\Windows\SysWOW64\20-3-2024.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\20-3-2024.exe | system32.exe
File opened for modification | C:\Windows\SysWOW64\ | smss.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | system32.exe
File created | C:\Windows\SysWOW64\20-3-2024.exe | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File opened for modification | C:\Windows\SysWOW64\20-3-2024.exe | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File opened for modification | C:\Windows\SysWOW64\20-3-2024.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\ | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | system32.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | smss.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | system32.exe
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | system32.exe
Drops file in Windows directory 64 IoCs
description | ioc | Process
File created | C:\Windows\WBEM\msvbvm60.dll | system32.exe
File created | C:\Windows\Fonts\The Kazekage.jpg | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | system32.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 3 - 2024\smss.exe | system32.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 3 - 2024\Gaara.exe | csrss.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | Kazekage.exe
File created | C:\Windows\Fonts\Admin 20 - 3 - 2024\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\msvbvm60.dll | system32.exe
File created | C:\Windows\mscomctl.ocx | smss.exe
File opened for modification | C:\Windows\ | Gaara.exe
File created | C:\Windows\Fonts\Admin 20 - 3 - 2024\Gaara.exe | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File created | C:\Windows\WBEM\msvbvm60.dll | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | smss.exe
File created | C:\Windows\Fonts\Admin 20 - 3 - 2024\Gaara.exe | system32.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | csrss.exe
File created | C:\Windows\Fonts\Admin 20 - 3 - 2024\Gaara.exe | smss.exe
File created | C:\Windows\Fonts\Admin 20 - 3 - 2024\csrss.exe | smss.exe
File opened for modification | C:\Windows\mscomctl.ocx | csrss.exe
File opened for modification | C:\Windows\mscomctl.ocx | Kazekage.exe
File created | C:\Windows\Fonts\Admin 20 - 3 - 2024\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\msvbvm60.dll | Kazekage.exe
File created | C:\Windows\Fonts\Admin 20 - 3 - 2024\smss.exe | system32.exe
File opened for modification | C:\Windows\ | smss.exe
File opened for modification | C:\Windows\mscomctl.ocx | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File opened for modification | C:\Windows\mscomctl.ocx | Gaara.exe
File created | C:\Windows\Fonts\Admin 20 - 3 - 2024\csrss.exe | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File opened for modification | C:\Windows\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 3 - 2024\csrss.exe | Gaara.exe
File created | C:\Windows\Fonts\Admin 20 - 3 - 2024\csrss.exe | Kazekage.exe
File created | C:\Windows\Fonts\Admin 20 - 3 - 2024\Gaara.exe | Kazekage.exe
File created | C:\Windows\Fonts\Admin 20 - 3 - 2024\csrss.exe | Gaara.exe
File created | C:\Windows\Fonts\Admin 20 - 3 - 2024\smss.exe | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 3 - 2024\msvbvm60.dll | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File created | C:\Windows\Fonts\Admin 20 - 3 - 2024\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\system\mscoree.dll | Kazekage.exe
File opened for modification | C:\Windows\system\mscoree.dll | Gaara.exe
File created | C:\Windows\Fonts\Admin 20 - 3 - 2024\csrss.exe | csrss.exe
File created | C:\Windows\Fonts\Admin 20 - 3 - 2024\smss.exe | Kazekage.exe
File opened for modification | C:\Windows\mscomctl.ocx | system32.exe
File created | C:\Windows\WBEM\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\system\mscoree.dll | csrss.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 3 - 2024\smss.exe | csrss.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 3 - 2024\smss.exe | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 3 - 2024\Gaara.exe | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File created | C:\Windows\Fonts\Admin 20 - 3 - 2024\smss.exe | Gaara.exe
File created | C:\Windows\Fonts\Admin 20 - 3 - 2024\Gaara.exe | Gaara.exe
File created | C:\Windows\WBEM\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\ | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File opened for modification | C:\Windows\system\mscoree.dll | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File created | C:\Windows\Fonts\Admin 20 - 3 - 2024\msvbvm60.dll | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File opened for modification | C:\Windows\system\mscoree.dll | smss.exe
File created | C:\Windows\Fonts\Admin 20 - 3 - 2024\Gaara.exe | csrss.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 3 - 2024\Gaara.exe | smss.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 3 - 2024\smss.exe | Kazekage.exe
File opened for modification | C:\Windows\ | system32.exe
File opened for modification | C:\Windows\msvbvm60.dll | Gaara.exe
File created | C:\Windows\Fonts\Admin 20 - 3 - 2024\smss.exe | csrss.exe
File created | C:\Windows\WBEM\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 3 - 2024\Gaara.exe | Kazekage.exe
File opened for modification | C:\Windows\msvbvm60.dll | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
Modifies Control Panel 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | smss.exe
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | system32.exe
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Screen Saver.Marquee | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | smss.exe
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Screen Saver.Marquee | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\WallpaperStyle = "2" | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | smss.exe
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop | Kazekage.exe
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Screen Saver.Marquee | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\WallpaperStyle = "2" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\WallpaperStyle = "2" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\WallpaperStyle = "2" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Screen Saver.Marquee\Size = "72" | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | Kazekage.exe
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Screen Saver.Marquee | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\WallpaperStyle = "2" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\WallpaperStyle = "2" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Screen Saver.Marquee\Size = "72" | Kazekage.exe
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Screen Saver.Marquee | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | smss.exe
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Screen Saver.Marquee | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Screen Saver.Marquee\Size = "72" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Screen Saver.Marquee\Size = "72" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Screen Saver.Marquee\Size = "72" | csrss.exe
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | system32.exe
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | Kazekage.exe
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | Gaara.exe
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main | system32.exe
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
Modifies registry class 51 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe
Runs ping.exe 1 TTPs 32 IoCs
pid | Process
5080 | ping.exe
2776 | ping.exe
660 | ping.exe
3932 | ping.exe
4696 | ping.exe
1632 | ping.exe
1872 | ping.exe
4044 | ping.exe
2136 | ping.exe
2116 | ping.exe
4412 | ping.exe
1640 | ping.exe
1052 | ping.exe
112 | ping.exe
4928 | ping.exe
3324 | ping.exe
1996 | ping.exe
760 | ping.exe
2444 | ping.exe
3400 | ping.exe
3020 | ping.exe
3088 | ping.exe
5080 | ping.exe
3636 | ping.exe
3576 | ping.exe
2828 | ping.exe
756 | ping.exe
2960 | ping.exe
3968 | ping.exe
3064 | ping.exe
3532 | ping.exe
1304 | ping.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2184 | Kazekage.exe
2184 | Kazekage.exe
2184 | Kazekage.exe
2184 | Kazekage.exe
2184 | Kazekage.exe
2184 | Kazekage.exe
2184 | Kazekage.exe
2184 | Kazekage.exe
2184 | Kazekage.exe
2184 | Kazekage.exe
2184 | Kazekage.exe
2184 | Kazekage.exe
2184 | Kazekage.exe
2184 | Kazekage.exe
2184 | Kazekage.exe
2184 | Kazekage.exe
2184 | Kazekage.exe
2184 | Kazekage.exe
2184 | Kazekage.exe
2184 | Kazekage.exe
2184 | Kazekage.exe
2184 | Kazekage.exe
2184 | Kazekage.exe
2184 | Kazekage.exe
2388 | Gaara.exe
2388 | Gaara.exe
2388 | Gaara.exe
2388 | Gaara.exe
2388 | Gaara.exe
2388 | Gaara.exe
2388 | Gaara.exe
2388 | Gaara.exe
2388 | Gaara.exe
2388 | Gaara.exe
2388 | Gaara.exe
2388 | Gaara.exe
2388 | Gaara.exe
2388 | Gaara.exe
2388 | Gaara.exe
2388 | Gaara.exe
2388 | Gaara.exe
2388 | Gaara.exe
2388 | Gaara.exe
2388 | Gaara.exe
2388 | Gaara.exe
2388 | Gaara.exe
2388 | Gaara.exe
2388 | Gaara.exe
5056 | csrss.exe
5056 | csrss.exe
5056 | csrss.exe
5056 | csrss.exe
5056 | csrss.exe
5056 | csrss.exe
5056 | csrss.exe
5056 | csrss.exe
5056 | csrss.exe
5056 | csrss.exe
5056 | csrss.exe
5056 | csrss.exe
5056 | csrss.exe
5056 | csrss.exe
5056 | csrss.exe
5056 | csrss.exe
Suspicious use of SetWindowsHookEx 31 IoCs
pid Process 1596 c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe 4088 smss.exe 4312 smss.exe 2388 Gaara.exe 4000 smss.exe 2056 Gaara.exe 5056 csrss.exe 3128 smss.exe 896 Gaara.exe 2828 csrss.exe 2184 Kazekage.exe 2496 smss.exe 4592 Gaara.exe 4676 csrss.exe 1304 Kazekage.exe 2140 system32.exe 4440 smss.exe 4912 Gaara.exe 3496 csrss.exe 1344 Kazekage.exe 4052 system32.exe 3668 system32.exe 2308 Kazekage.exe 3140 system32.exe 3688 csrss.exe 2168 Kazekage.exe 1304 system32.exe 620 Gaara.exe 1084 csrss.exe 4496 Kazekage.exe 3100 system32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1596 wrote to memory of 4088 1596 c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe 96 PID 1596 wrote to memory of 4088 1596 c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe 96 PID 1596 wrote to memory of 4088 1596 c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe 96 PID 4088 wrote to memory of 4312 4088 smss.exe 98 PID 4088 wrote to memory of 4312 4088 smss.exe 98 PID 4088 wrote to memory of 4312 4088 smss.exe 98 PID 4088 wrote to memory of 2388 4088 smss.exe 99 PID 4088 wrote to memory of 2388 4088 smss.exe 99 PID 4088 wrote to memory of 2388 4088 smss.exe 99 PID 2388 wrote to memory of 4000 2388 Gaara.exe 100 PID 2388 wrote to memory of 4000 2388 Gaara.exe 100 PID 2388 wrote to memory of 4000 2388 Gaara.exe 100 PID 2388 wrote to memory of 2056 2388 Gaara.exe 102 PID 2388 wrote to memory of 2056 2388 Gaara.exe 102 PID 2388 wrote to memory of 2056 2388 Gaara.exe 102 PID 2388 wrote to memory of 5056 2388 Gaara.exe 103 PID 2388 wrote to memory of 5056 2388 Gaara.exe 103 PID 2388 wrote to memory of 5056 2388 Gaara.exe 103 PID 5056 wrote to memory of 3128 5056 csrss.exe 104 PID 5056 wrote to memory of 3128 5056 csrss.exe 104 PID 5056 wrote to memory of 3128 5056 csrss.exe 104 PID 5056 wrote to memory of 896 5056 csrss.exe 120 PID 5056 wrote to memory of 896 5056 csrss.exe 120 PID 5056 wrote to memory of 896 5056 csrss.exe 120 PID 5056 wrote to memory of 2828 5056 csrss.exe 107 PID 5056 wrote to memory of 2828 5056 csrss.exe 107 PID 5056 wrote to memory of 2828 5056 csrss.exe 107 PID 5056 wrote to memory of 2184 5056 csrss.exe 108 PID 5056 wrote to memory of 2184 5056 csrss.exe 108 PID 5056 wrote to memory of 2184 5056 csrss.exe 108 PID 2184 wrote to memory of 2496 2184 Kazekage.exe 109 PID 2184 wrote to memory of 2496 2184 Kazekage.exe 109 PID 2184 wrote to memory of 2496 2184 Kazekage.exe 109 PID 2184 wrote to memory of 4592 2184 Kazekage.exe 110 PID 2184 wrote to memory of 4592 2184 Kazekage.exe 110 PID 2184 wrote to memory of 4592 2184 Kazekage.exe 110 PID 2184 wrote to memory of 4676 2184 Kazekage.exe 111 PID 2184 wrote to memory of 4676 2184 Kazekage.exe 111 PID 2184 wrote to memory of 4676 2184 Kazekage.exe 111 PID 2184 wrote to memory of 1304 2184 Kazekage.exe 126 PID 2184 wrote to memory of 1304 2184 Kazekage.exe 126 PID 2184 wrote to memory of 1304 2184 Kazekage.exe 126 PID 2184 wrote to memory of 2140 2184 Kazekage.exe 113 PID 2184 wrote to memory of 2140 2184 Kazekage.exe 113 PID 2184 wrote to memory of 2140 2184 Kazekage.exe 113 PID 2140 wrote to memory of 4440 2140 system32.exe 114 PID 2140 wrote to memory of 4440 2140 system32.exe 114 PID 2140 wrote to memory of 4440 2140 system32.exe 114 PID 2140 wrote to memory of 4912 2140 system32.exe 115 PID 2140 wrote to memory of 4912 2140 system32.exe 115 PID 2140 wrote to memory of 4912 2140 system32.exe 115 PID 2140 wrote to memory of 3496 2140 system32.exe 116 PID 2140 wrote to memory of 3496 2140 system32.exe 116 PID 2140 wrote to memory of 3496 2140 system32.exe 116 PID 2140 wrote to memory of 1344 2140 system32.exe 117 PID 2140 wrote to memory of 1344 2140 system32.exe 117 PID 2140 wrote to memory of 1344 2140 system32.exe 117 PID 2140 wrote to memory of 4052 2140 system32.exe 118 PID 2140 wrote to memory of 4052 2140 system32.exe 118 PID 2140 wrote to memory of 4052 2140 system32.exe 118 PID 5056 wrote to memory of 3668 5056 csrss.exe 121 PID 5056 wrote to memory of 3668 5056 csrss.exe 121 PID 5056 wrote to memory of 3668 5056 csrss.exe 121 PID 2388 wrote to memory of 2308 2388 Gaara.exe 122 -
System policy modification 1 TTPs 12 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System system32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe"C:\Users\Admin\AppData\Local\Temp\c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1596 -
C:\Windows\Fonts\Admin 20 - 3 - 2024\smss.exe"C:\Windows\Fonts\Admin 20 - 3 - 2024\smss.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4088 -
C:\Windows\Fonts\Admin 20 - 3 - 2024\smss.exe"C:\Windows\Fonts\Admin 20 - 3 - 2024\smss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4312
-
-
C:\Windows\Fonts\Admin 20 - 3 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 20 - 3 - 2024\Gaara.exe"3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2388 -
C:\Windows\Fonts\Admin 20 - 3 - 2024\smss.exe"C:\Windows\Fonts\Admin 20 - 3 - 2024\smss.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4000
-
-
C:\Windows\Fonts\Admin 20 - 3 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 20 - 3 - 2024\Gaara.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2056
-
-
C:\Windows\Fonts\Admin 20 - 3 - 2024\csrss.exe"C:\Windows\Fonts\Admin 20 - 3 - 2024\csrss.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5056 -
C:\Windows\Fonts\Admin 20 - 3 - 2024\smss.exe"C:\Windows\Fonts\Admin 20 - 3 - 2024\smss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3128
-
-
C:\Windows\Fonts\Admin 20 - 3 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 20 - 3 - 2024\Gaara.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:896
-
-
C:\Windows\Fonts\Admin 20 - 3 - 2024\csrss.exe"C:\Windows\Fonts\Admin 20 - 3 - 2024\csrss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2828
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2184 -
C:\Windows\Fonts\Admin 20 - 3 - 2024\smss.exe"C:\Windows\Fonts\Admin 20 - 3 - 2024\smss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2496
-
-
C:\Windows\Fonts\Admin 20 - 3 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 20 - 3 - 2024\Gaara.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4592
-
-
C:\Windows\Fonts\Admin 20 - 3 - 2024\csrss.exe"C:\Windows\Fonts\Admin 20 - 3 - 2024\csrss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4676
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1304
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2140 -
C:\Windows\Fonts\Admin 20 - 3 - 2024\smss.exe"C:\Windows\Fonts\Admin 20 - 3 - 2024\smss.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4440
-
-
C:\Windows\Fonts\Admin 20 - 3 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 20 - 3 - 2024\Gaara.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4912
-
-
C:\Windows\Fonts\Admin 20 - 3 - 2024\csrss.exe"C:\Windows\Fonts\Admin 20 - 3 - 2024\csrss.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3496
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1344
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4052
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- Runs ping.exe
PID:3088
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- Runs ping.exe
PID:2444
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- Runs ping.exe
PID:3064
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- Runs ping.exe
PID:3324
-
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- Runs ping.exe
PID:1632
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- Runs ping.exe
PID:5080
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- Runs ping.exe
PID:660
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- Runs ping.exe
PID:2116
-
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3668
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- Runs ping.exe
PID:2960
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- Runs ping.exe
PID:756
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- Runs ping.exe
PID:4696
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- Runs ping.exe
PID:1640
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- Runs ping.exe
PID:4928
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- Runs ping.exe
PID:2136
-
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2308
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3140
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- Runs ping.exe
PID:1304
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- Runs ping.exe
PID:3636
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- Runs ping.exe
PID:112
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- Runs ping.exe
PID:3020
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- Runs ping.exe
PID:3968
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- Runs ping.exe
PID:1872
-
-
-
C:\Windows\Fonts\Admin 20 - 3 - 2024\csrss.exe"C:\Windows\Fonts\Admin 20 - 3 - 2024\csrss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3688
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2168
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1304
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- Runs ping.exe
PID:3532
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- Runs ping.exe
PID:1996
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- Runs ping.exe
PID:3576
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- Runs ping.exe
PID:4412
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- Runs ping.exe
PID:2776
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- Runs ping.exe
PID:4044
-
-
-
C:\Windows\Fonts\Admin 20 - 3 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 20 - 3 - 2024\Gaara.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:620
-
-
C:\Windows\Fonts\Admin 20 - 3 - 2024\csrss.exe"C:\Windows\Fonts\Admin 20 - 3 - 2024\csrss.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1084
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4496
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3100
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- Runs ping.exe
PID:2828
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- Runs ping.exe
PID:760
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- Runs ping.exe
PID:3932
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- Runs ping.exe
PID:1052
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- Runs ping.exe
PID:5080
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- Runs ping.exe
PID:3400
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵PID:896
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4412 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:81⤵PID:4660
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (9)
Downloads
-
Filesize
221KB
MD5a4ee76572166e971bfe2fb5e1e783aac
SHA1b5cab741fd5a483ca6c347154eae3e03a53e6f42
SHA2563e5b4c8fc529f51ec3ea68e3ae84af57e33e10488ccfed36ad576d7df22f23dc
SHA512bf57e68d2c330d6a80d56ae191e7dcce72e553d7ee675f790db4f69b4752ff6d39577a3ba16bd4562662dffbeb018bc4e1feb90c85c855ed13c62a927cb9385b
-
Filesize
221KB
MD50ee4b8767251f94e3ac6e2749823fdca
SHA158d7f1b57564b49a82e2854c0e4f85fb7242fbdb
SHA256ce86879cc180de49512a199719a5b567065683342b7a199cabe23fc8b065e5f9
SHA51287edb4c80a47bf9e3a8ac25f4c192bffd51fec8acddd47e10901da0e17d4049ddd6d8a4e58ba0b264cd1b5ba4069356b5ceb02249ccc08399469a33372588c6d
-
Filesize
736B
MD5bb5d6abdf8d0948ac6895ce7fdfbc151
SHA19266b7a247a4685892197194d2b9b86c8f6dddbd
SHA2565db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c
-
Filesize
110KB
MD5987e571a34ae33ba90a019ae45ef79e6
SHA1cd16f79d7fc974866c856f7a8f816de132915aae
SHA256a651db17805216b708651fff1a666332bcdade02ec0f066020b0196021760be8
SHA5120c7373bfd1ff0e2339eb9d2f42314765fad1d91751af7e15f7ea75ecdbd8796a11af3bf4142615842780d53d566009c5978116c553f3f10f7080eef8c1cc6406
-
Filesize
105KB
MD5d06af87f5a9d51267bdc56528cfd08e9
SHA1494917df5d538bae1ff16564274fc02bf614b3cf
SHA2566054ccdf57dd38b2a4aafa5fbf0c8bbc3f175f0e4ecad7ade02789544e939bcf
SHA5129a69e47a6cbf9df5ad659534a0cfeaf732811dd3fa21f06fcfb077c98a5f7b0c8a05e9cc553a4233da5c442965c12dc3152cd515dc9239ae0e863b5ca980cd24
-
Filesize
221KB
MD53ea126240018a2adef3af20aca43f476
SHA1c9dd1da0b6d15d336d5c2e1a256ea6cbde272ae8
SHA256e336409008ebc5794cca0365bb06ec403e6107be4bf9a22ef0ae233d337d3f08
SHA5124d5a27d929dc769881cdc3b141cf66536679387c6c842188de0c1454c3d1b96d8ca5204eb354e50c46770dcdc51c5617f03d754cb657bd8df178d9e0227d8cee
-
Filesize
211KB
MD5b90c7d7d80d9688ceea915e09958ca03
SHA1e8a97a8ff16700fd931656a79a9c42a4576ed0c1
SHA2568a0a12f3067c5d7105b0eecdc9e99c4a7d1a346d7a35c7a0854c982a9fd3552f
SHA512d97b0650ab8ff53f1b86b4ffbe24e8b5dac158431652aa320403c19561f6a94a35dbf0438e58abf9c075310675342a5a3ea4bff340eeb230c2dabb756b7a56de
-
Filesize
149KB
MD55ceb5ec210aa21df2d07f04cfbd5c46f
SHA122b96d7ea01eabea4ec9fb70be907b9d4d67bb9e
SHA2564c4fccb4ebf1be8e5a32d07c1726ee99a0341d6fc07e787ebe88f350ac8626a0
SHA512aeb69445a813ff3b065f1a2c3a907d3ee2e584d7305ce6f2887075be73bc497d529401bba450b05ed99070d15a2560b4792c0b024fc3d1de4be802aae35ce0c5
-
Filesize
1.3MB
MD5fbd49952726ff673b6c0ac2e4a22b284
SHA15106b8dd6eb7a087aae234741226fa4d84138d65
SHA2561f2a8ff48067cd750564ef1d9de0fe61ea91aa90979f5e6d483becc9d3e448ac
SHA512102a72508ad97164c4dd12b4837739e1dba34e1cb0347db1ab2a0daeedccf559b2ecaf0759f233cfa188da031b7b0afbbd554f7684c849444312eb1c89f297aa
-
Filesize
221KB
MD51ca58a9cbea7e4823eb356d225378cf8
SHA10f68c2144a9794e36fe4b5e35fe8211742d7d3c2
SHA25670ddd11ff9effade4fe2ca6e63f8206a3d396100e58cd5680410193ebc114167
SHA512c051022f24153cda94699c3c15377ffdce958b777052bd7d8e3dbb60a4fb66362292746a4ed2f432e7d4baefea5290e01a3ea3874a7c7161d5741c96a706cc1f
-
Filesize
221KB
MD509eeed5b10ee5fa24b5095c2dd1a9f00
SHA18bcd9caed3844801ea9234394a9989d4870b2b7f
SHA256c8fb0c71fc6f055d3c17629f43e15dde620017964de9f1aa06844f46cacd70ea
SHA512367716de96d38441870153bd20ea35fae45896ca5f4c7df53d211f519f76ea8f22672ee234a3f5f7af21e62560b6ca7c102c6d02a2fa8d08eba4278af8b7b984
-
Filesize
91KB
MD5a0e63f01eac914e6adbb6aeaef005abb
SHA1dd9b9890be81dcd38a3dde0fbd34011ec45abb38
SHA256258a1c429feafa1e2da8e930404d609a2c0aa36f89f6bad055b71a0ac1ea3a78
SHA512326477abdfc0a831a5e3748bc87ff85a2e32c69c3ebf3886b78f911b06f9f3ec728c273f62eb535cc88dc5505e88144e4051cbba02c0353afc14c00a5e8e31b9
-
Filesize
691KB
MD5cb93de8daa2d3eb99b0b9a6f29e09fe4
SHA17702f222cb456d90b2de769db6f10fd0c04db7a6
SHA256533bac08b3d7a8a5e08fa53f65256debc97cd0a3f6badf54fd87f42198db8568
SHA512c190a7aec838eb70c6a13f4420226e3b8e446bf6cc55bcd35db704be9e98e12a17a313afd0891a0a857e760297644ecc827698b4d771b92ada012285432cd4e0
-
Filesize
401KB
MD5c1c9844d2b964e7f8a61fbe17d5e6bb8
SHA1f3d2d8c904c533f6b08f86bab1adc10d5728b0a3
SHA2568eeb91ba2985c7733ebac176b2f442398a91f64fd99c62811b849c91d1033787
SHA5123324da324229add8e1f3ae01d063684a3b4348165ef7a9580013109b0a1e5dbf396d92ee93cb51cb0ca222a0dd0ef7ee2b08fc56cfc70b23548b683e3a8346c8
-
Filesize
399KB
MD55e5571fcda1a5c845a66b62c62ab3e18
SHA1d77111599e4d1f5d45ac9794497a1b1d7a391f01
SHA256c1bf9c11e6d88a283ea53085440c5908b30ac338d70bd616f54e1292209b4b44
SHA512f46b610cd6166b8d484bccb615c22e78c958ce28ab25f9c4b99a53090db60e6e87c65a26fb262727073e462451c37f51abaa63bcb7362ee8b0799b84611f1535
-
Filesize
126KB
MD5ca1956dfaefe9529c27ef39ad76e0276
SHA1b9ec942482f61df2217184dfe356f0e7cbbd4b0e
SHA2560293d40914221b1d3309120ad63984c691cf52b94f5384e03b85d8517d683658
SHA512b561543d13b7352809040d5a028a9462cfc963aab0c1231e12bffb012a09f87c3fe3bcde870cc2627da8c2782835445e8d0ef230f9de201f710909e8fc6545cc
-
Filesize
527KB
MD56d49f35299e72d006cc1601ff618158e
SHA19dfcbe58e36eebfede0f01d5d50d210a26d6cc7b
SHA2563badebed0c004a90a14315f5416fbab9f0707ff1b821d9adf5f471ae808eeab5
SHA51206cc9b365b99a98b0500519f670f1327e7c7d0dd5ce1b354ccf2d25da93842d0ae3aac9001a07688253d97c3c048c153d40eabfeae81e0ece09c3364bfbe2f2b
-
Filesize
327KB
MD5adfb061109035783e760838ddd4a0375
SHA1da8b9b5e7593afc754ce80139286a351d8fdb6d5
SHA256ca3841a2ad9e41e46e3db02a45b990611a6c127b3b9f0a6e546936ca7059c468
SHA512fdd7d74d2aeef5e47e29b22a306dd89afdd5ea60d502d6a2b3b3039be4d09a4354dba3cbdc7e7bce4066f139d69e868f473235537181c134149b34dbefe46a4c
-
Filesize
57KB
MD5ec45e07f2948f1183e594fd76394b4ec
SHA17523ca7003d6cc31998398464f8168f6ce1e6eed
SHA256d22cbaeeeea4a872ee8e0f2feafd183c6758dea920a87a542bd98be69359587c
SHA51229950dbbba367f7202a327afa3a7ec77ad4daf4ec8b71f7bb7f4e4f9dcf1966a883f0f519a3c62610d6f0e121e13a2801f77ff3baff433bdef467b912f05a505
-
Filesize
871KB
MD59a9527a0e678bfd1b180f5a57ff3c787
SHA1941bb50e046b31412b3c3d19a774630a53bfd2d1
SHA25659e2ebeabb43b6ec26139c7748480381714477e8ccb891f599dbbc28fe78e509
SHA512f3c74af863dc1718766a4468f28941da7a940fa9b1830f81d1b9377554b464041faee423aa10ac4d204a22f8959a9a967ee1c92b30cb9feddce8ccaff7690a72
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
611KB
MD57c8623c1ee9016d7f87ab0c7875c9788
SHA16be96c736280ca9cc0d4b53278be3e22d7695e4f
SHA256e34f70b1e1513df12acebf75791b62cfb62a40d1016c90ae6e6cdd7a6bc4f9f2
SHA5124852df465263eb5bfd8a46d44a5b7ff5d9303bb20a84af1f0ff730032e7f25e7b6fda8773e12264ec87fe5ae2035a445ccfdafb9d24b9a39857817f8b596979c
-
Filesize
241KB
MD5c5ee8bdf0346e4b305594068d4d7f6c9
SHA1353fc7ca40ef3523917458dad3f18ce71bdcf2ee
SHA25677ab4cbb911e2bbfc66cb4af7678467ba5bbbed71dbd722f9cc5004d8a0924f4
SHA5124e6f2befe061c1e63bea3307ded10aea07b51167fdb2740de254ead3a3b226f642b6656d31562b5f754092a4ad660a3e1f4b3a121fcb96a8391ad40f4c2cdbdf
-
Filesize
75KB
MD580104a02cf3327409ed58b44fd38291f
SHA194ed3b368cbca1ee3dd73934e21ac0d351e54e80
SHA2562eff8bed2e242075d24fcffa01a21cc4fff677d3a607804c376523b477c25249
SHA512dd81e76472e6d97b68c4a7baafa86006bc53a8c14e8abcb21810aedd15c165fec4d591a6d0518ba4981f0e36fb3870f7971af81de29655c69b4f3748e6c07255
-
Filesize
221KB
MD5dd7ade6d84c04ed0c9a7543af24ba55e
SHA137f7928ba704cb92ba57751323d596269911f9ef
SHA256b4db4726d466bbb819e325ff7d21b4a5ab8254323bbedfcb373cdae15e2ea0a4
SHA5122e750d22a16b8a8a30edf1c657b3565c2cc412b21d89ce9aa47e801b77f43add0843afe85ee6b1ea61bce5bccb0e1c81a8822b3c55b657abcec1e3b61bf5c034
-
Filesize
235KB
MD5da5ce3daefbba8f00877a87846e19a53
SHA1f149ca66b4a676eee75b1c37297848dcd9a3a2a0
SHA2565bd7facdec05911ea22bcc71424757d6e42dec798d7a070500671b959067d1cc
SHA512deb2a6db9505c8c9e961acc7afe6f5d4b159deb6f2bfdf2a805cccfb14c962953f547c2043661f954fdb4ac4adb05c25fb0cebd3c2d6027e2ef1df06485d0c5b
-
Filesize
834KB
MD5a12053be1daa502a292414a2bd3360d5
SHA1972f27d96400413466ada93f34cf52b995b9724d
SHA256cedf4494f65f7ff4e215062ca6395240d017c968f5c8fa3ba3f6591f4b5e2f8c
SHA512e6b1179ff427c7bf551731b549d15c12cdf3eeb6ac839e0331f2b7078cc8a83c424cf1325ae40072eca5c5ea6798f20d7f6c2fe14d85f3aedd8ae41e3a6ac980
-
Filesize
145KB
MD538f2fb56b4270bb35b632a40909896b4
SHA1b6553d00b3f0d5443b753e19992a3c524b8ea248
SHA256ee9ed9884eaf32adfe953e21defa4a1df682a1cdf8936b3d093f33264f146a8c
SHA5129fb6df2c4b031b100fac05b08322e78d7229fc7960c1012018d7666033b180e87dbcf751c346ab36048d8a97d3fce1d7a87fd5e4812d14b353bb9081d6a5ce88
-
Filesize
221KB
MD5fd6e865b173e2f320b0214b1e86c4d13
SHA1817ff5d82a40ed1057e3104a8fdc40450f76e963
SHA25613c4a47aed289d13c81c67c44696b00a3a069d7d3a7618befb5f3449672d1045
SHA5122e8a4bc42d840ef02a4beb3c3d5192623bc48a98c807c37528c6f5c68d13061e64818a91aacfdd8e11810ae13a97d1e4064e1b96318041dda78701eb6809ed4b
-
Filesize
221KB
MD57f22f8a8a4144288e1e5b7b36b8280bf
SHA1b8e75d85249b293da7458a975a9ea00e72cab9c0
SHA256c067e20b1d79ba731d617b01e4859dd4f7b973e0d1ee3b2a09967fbefcedb1e0
SHA512df33ba719d1bbbcda0ff9ad8ff27c140d44cd140f0b4c6906691d116343de8787d9a9ca38965c4513ad488b1f6643a2242a8aed2024b835dc238612709bfd7ed
-
Filesize
221KB
MD503d165de77cbecaa0349d981ad3af4aa
SHA16c4ddce676528b9618c126d42ec940503d8ae443
SHA25612ac82c992af61037e72bac23476042ed1ea52ffb54d2fffa00b7d0e095b067c
SHA512366be98de2aa04a125de28dc7687801b076604111024d4959c16a0c7988e60188f0a917acdd59ad094ee6fb22428742ede4b7132881d7ce34a28678cb7e5542c
-
Filesize
221KB
MD50560a41b6f1484ebfb6e5b288a2c53f7
SHA19a6591f318913dca3e27c1a974a955b166c28a82
SHA2560eafafec6e1809bb46dd51216e42d4bac9b511fb4b08633641cc6fb05365b494
SHA51219be302785bb0f738980d4497d755aa76e9f7efa5da338d7040cba05e156af9936b3368b8da450736eebd250469deb81a6d50966a988451b990fecda030b73d0
-
Filesize
112KB
MD5a9dc56341c61554d5af2fb51d2ec6553
SHA175e702fcabb7d617ae7ca4cda1fbb0856a4a8a23
SHA256a7aa31c7cbd0d1baed8e1ba718ec5689e8272ca4e48ae1a8f16b754e858244cb
SHA512725f9390a900ecc9e7c7632cb94c9a96b2a590cb074db47eb8390e7ecf36b157dfd14a6ed89195b8d79b8c733f44c6d28ba6e202f3b945dca2f32686522cdda9
-
Filesize
65B
MD564acfa7e03b01f48294cf30d201a0026
SHA110facd995b38a095f30b4a800fa454c0bcbf8438
SHA256ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62