Analysis

max time kernel: 149s
max time network: 120s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 27/03/2024, 23:57

Static task: static1

Behavioral task: behavioral1
Sample: c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Resource: win10v2004-20240226-en

General

Target: c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Size: 54KB
MD5: 33ae7df5fe25355ef97e68fe977480dd
SHA1: 3fc1713750d36117b4eed3c23787723154354dec
SHA256: c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a
SHA512: 659585fdc24b3e44ca5959757c1b7bf5f24b99fcc0baff95f167d94484238160241abf76c14064e7d9777a4250e4ebd00a42a5c00a3e219145c04dbf1cc45018
SSDEEP: 1536:A7TJopblB4dqyyUiZ06pX3I6/qxiSEGNJFV:A7TQlatyYePxiFV
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Kazekage.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | smss.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | smss.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Disables RegEdit via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Disables use of System Restore points (1 TTPs)
Drops file in Drivers directory (24 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
Sets file execution options in registry (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe
Executes dropped EXE (30 IoCs)
pid | Process
2280 | smss.exe
2044 | smss.exe
2436 | Gaara.exe
2524 | smss.exe
2040 | Gaara.exe
2732 | csrss.exe
556 | smss.exe
764 | Gaara.exe
2284 | csrss.exe
1736 | Kazekage.exe
2344 | smss.exe
1168 | Gaara.exe
648 | csrss.exe
572 | Kazekage.exe
532 | system32.exe
1400 | smss.exe
980 | Gaara.exe
1164 | csrss.exe
1636 | Kazekage.exe
2268 | system32.exe
976 | system32.exe
1216 | Kazekage.exe
1912 | system32.exe
1532 | csrss.exe
1236 | Kazekage.exe
2420 | system32.exe
2300 | Gaara.exe
2892 | csrss.exe
2864 | Kazekage.exe
2848 | system32.exe
Loads dropped DLL (64 IoCs)
pid | Process
2392 | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
2392 | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
2280 | smss.exe
2280 | smss.exe
2044 | smss.exe
2280 | smss.exe
2280 | smss.exe
2436 | Gaara.exe
2436 | Gaara.exe
2436 | Gaara.exe
2524 | smss.exe
2436 | Gaara.exe
2040 | Gaara.exe
2436 | Gaara.exe
2436 | Gaara.exe
2732 | csrss.exe
2732 | csrss.exe
2732 | csrss.exe
556 | smss.exe
2732 | csrss.exe
2732 | csrss.exe
764 | Gaara.exe
2732 | csrss.exe
2284 | csrss.exe
2732 | csrss.exe
2732 | csrss.exe
1736 | Kazekage.exe
1736 | Kazekage.exe
2344 | smss.exe
1736 | Kazekage.exe
1736 | Kazekage.exe
1168 | Gaara.exe
1736 | Kazekage.exe
1736 | Kazekage.exe
648 | csrss.exe
1736 | Kazekage.exe
1736 | Kazekage.exe
1736 | Kazekage.exe
1736 | Kazekage.exe
532 | system32.exe
532 | system32.exe
1400 | smss.exe
532 | system32.exe
980 | Gaara.exe
532 | system32.exe
1164 | csrss.exe
532 | system32.exe
532 | system32.exe
532 | system32.exe
532 | system32.exe
2732 | csrss.exe
2732 | csrss.exe
2436 | Gaara.exe
2436 | Gaara.exe
2436 | Gaara.exe
2436 | Gaara.exe
2280 | smss.exe
1532 | csrss.exe
2280 | smss.exe
2280 | smss.exe
2280 | smss.exe
2280 | smss.exe
2392 | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
2300 | Gaara.exe
Adds Run key to start application (2 TTPs, 24 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "27-3-2024.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 27 - 3 - 2024\\smss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 27 - 3 - 2024\\Gaara.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 27 - 3 - 2024\\smss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 27 - 3 - 2024\\smss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 27 - 3 - 2024\\smss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 27 - 3 - 2024\\Gaara.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "27-3-2024.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 27 - 3 - 2024\\smss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "27-3-2024.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 27 - 3 - 2024\\smss.exe" | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 27 - 3 - 2024\\Gaara.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "27-3-2024.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 27 - 3 - 2024\\Gaara.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 27 - 3 - 2024\\Gaara.exe" | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "27-3-2024.exe" | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 27 - 3 - 2024\\Gaara.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "27-3-2024.exe" | Gaara.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Drops desktop.ini file(s) (64 IoCs)
description | ioc | Process
File opened for modification | D:\Desktop.ini | smss.exe
File opened for modification | \??\S:\Desktop.ini | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
File opened for modification | \??\V:\Desktop.ini | csrss.exe
File opened for modification | \??\W:\Desktop.ini | csrss.exe
File opened for modification | D:\Desktop.ini | system32.exe
File opened for modification | \??\J:\Desktop.ini | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
File opened for modification | \??\J:\Desktop.ini | smss.exe
File opened for modification | \??\M:\Desktop.ini | csrss.exe
File opened for modification | \??\T:\Desktop.ini | Kazekage.exe
File opened for modification | \??\A:\Desktop.ini | system32.exe
File opened for modification | C:\Desktop.ini | smss.exe
File opened for modification | \??\S:\Desktop.ini | smss.exe
File opened for modification | \??\N:\Desktop.ini | Kazekage.exe
File opened for modification | \??\E:\Desktop.ini | system32.exe
File opened for modification | F:\Desktop.ini | Gaara.exe
File opened for modification | \??\H:\Desktop.ini | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
File opened for modification | \??\Q:\Desktop.ini | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
File opened for modification | \??\Q:\Desktop.ini | smss.exe
File opened for modification | \??\K:\Desktop.ini | csrss.exe
File opened for modification | \??\U:\Desktop.ini | csrss.exe
File opened for modification | \??\Y:\Desktop.ini | system32.exe
File opened for modification | \??\H:\Desktop.ini | Gaara.exe
File opened for modification | \??\S:\Desktop.ini | Gaara.exe
File opened for modification | \??\X:\Desktop.ini | smss.exe
File opened for modification | \??\T:\Desktop.ini | system32.exe
File opened for modification | \??\X:\Desktop.ini | system32.exe
File opened for modification | \??\A:\Desktop.ini | Gaara.exe
File opened for modification | \??\E:\Desktop.ini | Gaara.exe
File opened for modification | \??\T:\Desktop.ini | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
File opened for modification | \??\R:\Desktop.ini | csrss.exe
File opened for modification | \??\Q:\Desktop.ini | Kazekage.exe
File opened for modification | \??\S:\Desktop.ini | Kazekage.exe
File opened for modification | \??\O:\Desktop.ini | system32.exe
File opened for modification | C:\Desktop.ini | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
File opened for modification | \??\P:\Desktop.ini | smss.exe
File opened for modification | \??\V:\Desktop.ini | Kazekage.exe
File opened for modification | \??\H:\Desktop.ini | system32.exe
File opened for modification | \??\Y:\Desktop.ini | smss.exe
File opened for modification | \??\I:\Desktop.ini | Kazekage.exe
File opened for modification | \??\K:\Desktop.ini | Kazekage.exe
File opened for modification | \??\E:\Desktop.ini | smss.exe
File opened for modification | \??\Z:\Desktop.ini | csrss.exe
File opened for modification | \??\B:\Desktop.ini | Kazekage.exe
File opened for modification | D:\Desktop.ini | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
File opened for modification | F:\Desktop.ini | system32.exe
File opened for modification | \??\J:\Desktop.ini | system32.exe
File opened for modification | \??\A:\Desktop.ini | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
File opened for modification | \??\I:\Desktop.ini | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
File opened for modification | \??\Z:\Desktop.ini | smss.exe
File opened for modification | \??\J:\Desktop.ini | Kazekage.exe
File opened for modification | \??\X:\Desktop.ini | Kazekage.exe
File opened for modification | \??\M:\Desktop.ini | system32.exe
File opened for modification | \??\V:\Desktop.ini | system32.exe
File opened for modification | \??\M:\Desktop.ini | Gaara.exe
File opened for modification | \??\X:\Desktop.ini | Gaara.exe
File opened for modification | \??\Z:\Desktop.ini | Gaara.exe
File opened for modification | \??\M:\Desktop.ini | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
File opened for modification | \??\G:\Desktop.ini | smss.exe
File opened for modification | \??\H:\Desktop.ini | csrss.exe
File opened for modification | \??\L:\Desktop.ini | Kazekage.exe
File opened for modification | \??\L:\Desktop.ini | system32.exe
File opened for modification | D:\Desktop.ini | Gaara.exe
File opened for modification | \??\O:\Desktop.ini | Gaara.exe
File opened for modification | \??\G:\Desktop.ini | csrss.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\L: | smss.exe
File opened (read-only) | \??\J: | csrss.exe
File opened (read-only) | \??\U: | Kazekage.exe
File opened (read-only) | \??\G: | Gaara.exe
File opened (read-only) | \??\V: | Gaara.exe
File opened (read-only) | \??\Z: | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
File opened (read-only) | \??\R: | system32.exe
File opened (read-only) | \??\L: | csrss.exe
File opened (read-only) | \??\H: | Kazekage.exe
File opened (read-only) | \??\N: | Kazekage.exe
File opened (read-only) | \??\V: | Kazekage.exe
File opened (read-only) | \??\Y: | system32.exe
File opened (read-only) | \??\W: | system32.exe
File opened (read-only) | \??\B: | Gaara.exe
File opened (read-only) | \??\R: | Gaara.exe
File opened (read-only) | \??\E: | smss.exe
File opened (read-only) | \??\R: | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
File opened (read-only) | \??\Y: | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
File opened (read-only) | \??\Z: | csrss.exe
File opened (read-only) | \??\A: | system32.exe
File opened (read-only) | \??\L: | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
File opened (read-only) | \??\N: | system32.exe
File opened (read-only) | \??\K: | Gaara.exe
File opened (read-only) | \??\O: | Kazekage.exe
File opened (read-only) | \??\H: | system32.exe
File opened (read-only) | \??\I: | smss.exe
File opened (read-only) | \??\O: | smss.exe
File opened (read-only) | \??\R: | smss.exe
File opened (read-only) | \??\G: | system32.exe
File opened (read-only) | \??\L: | Gaara.exe
File opened (read-only) | \??\E: | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
File opened (read-only) | \??\X: | system32.exe
File opened (read-only) | \??\O: | csrss.exe
File opened (read-only) | \??\T: | system32.exe
File opened (read-only) | \??\H: | Gaara.exe
File opened (read-only) | \??\T: | Gaara.exe
File opened (read-only) | \??\H: | smss.exe
File opened (read-only) | \??\T: | csrss.exe
File opened (read-only) | \??\X: | Kazekage.exe
File opened (read-only) | \??\S: | system32.exe
File opened (read-only) | \??\R: | Kazekage.exe
File opened (read-only) | \??\S: | Kazekage.exe
File opened (read-only) | \??\Q: | smss.exe
File opened (read-only) | \??\P: | csrss.exe
File opened (read-only) | \??\U: | csrss.exe
File opened (read-only) | \??\L: | Kazekage.exe
File opened (read-only) | \??\Q: | Kazekage.exe
File opened (read-only) | \??\N: | smss.exe
File opened (read-only) | \??\W: | smss.exe
File opened (read-only) | \??\X: | smss.exe
File opened (read-only) | \??\I: | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
File opened (read-only) | \??\Z: | smss.exe
File opened (read-only) | \??\E: | Kazekage.exe
File opened (read-only) | \??\E: | Gaara.exe
File opened (read-only) | \??\I: | Gaara.exe
File opened (read-only) | \??\A: | smss.exe
File opened (read-only) | \??\Q: | csrss.exe
File opened (read-only) | \??\I: | Kazekage.exe
File opened (read-only) | \??\Y: | Kazekage.exe
File opened (read-only) | \??\J: | smss.exe
File opened (read-only) | \??\Y: | smss.exe
File opened (read-only) | \??\A: | Kazekage.exe
File opened (read-only) | \??\P: | Kazekage.exe
File opened (read-only) | \??\V: | system32.exe
Drops autorun.inf file (1 TTP, 64 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory (38 IoCs)
Sets desktop wallpaper using registry (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Gaara.exe
Drops file in Windows directory (64 IoCs)
Modifies Control Panel (64 IoCs)
Modifies registry class (48 IoCs)
Runs ping.exe 1 TTPs 36 IoCs
pid | Process
1368 | ping.exe
2800 | ping.exe
1992 | ping.exe
1916 | ping.exe
1500 | ping.exe
1684 | ping.exe
2620 | ping.exe
1552 | ping.exe
888 | ping.exe
2404 | ping.exe
1664 | ping.exe
112 | ping.exe
1084 | ping.exe
1972 | ping.exe
2604 | ping.exe
1980 | ping.exe
2284 | ping.exe
1488 | ping.exe
2172 | ping.exe
2156 | ping.exe
1536 | ping.exe
2464 | ping.exe
1652 | ping.exe
1508 | ping.exe
1992 | ping.exe
2500 | ping.exe
108 | ping.exe
1136 | ping.exe
2960 | ping.exe
884 | ping.exe
1648 | ping.exe
2296 | ping.exe
2108 | ping.exe
1052 | ping.exe
2168 | ping.exe
2304 | ping.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2280 | smss.exe
2392 | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
2280 | smss.exe
2280 | smss.exe
2392 | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
2280 | smss.exe
2392 | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
2280 | smss.exe
2280 | smss.exe
2392 | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
2392 | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
2280 | smss.exe
2392 | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
2280 | smss.exe
2392 | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
2280 | smss.exe
2392 | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
2280 | smss.exe
2392 | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
2280 | smss.exe
2392 | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
2280 | smss.exe
2392 | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
2392 | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
2732 | csrss.exe
2732 | csrss.exe
2732 | csrss.exe
2732 | csrss.exe
2732 | csrss.exe
2732 | csrss.exe
2732 | csrss.exe
2732 | csrss.exe
2732 | csrss.exe
2732 | csrss.exe
2732 | csrss.exe
2732 | csrss.exe
1736 | Kazekage.exe
1736 | Kazekage.exe
1736 | Kazekage.exe
1736 | Kazekage.exe
1736 | Kazekage.exe
1736 | Kazekage.exe
1736 | Kazekage.exe
1736 | Kazekage.exe
1736 | Kazekage.exe
1736 | Kazekage.exe
1736 | Kazekage.exe
1736 | Kazekage.exe
532 | system32.exe
532 | system32.exe
532 | system32.exe
532 | system32.exe
532 | system32.exe
532 | system32.exe
532 | system32.exe
532 | system32.exe
532 | system32.exe
532 | system32.exe
532 | system32.exe
532 | system32.exe
2280 | smss.exe
2280 | smss.exe
2280 | smss.exe
2280 | smss.exe
Suspicious use of SetWindowsHookEx 31 IoCs
pid | Process
2392 | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
2280 | smss.exe
2044 | smss.exe
2436 | Gaara.exe
2524 | smss.exe
2040 | Gaara.exe
2732 | csrss.exe
556 | smss.exe
764 | Gaara.exe
2284 | csrss.exe
1736 | Kazekage.exe
2344 | smss.exe
1168 | Gaara.exe
648 | csrss.exe
572 | Kazekage.exe
532 | system32.exe
1400 | smss.exe
980 | Gaara.exe
1164 | csrss.exe
1636 | Kazekage.exe
2268 | system32.exe
976 | system32.exe
1216 | Kazekage.exe
1912 | system32.exe
1532 | csrss.exe
1236 | Kazekage.exe
2420 | system32.exe
2300 | Gaara.exe
2892 | csrss.exe
2864 | Kazekage.exe
2848 | system32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2392 wrote to memory of 2280 | 2392 | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe | 28
PID 2392 wrote to memory of 2280 | 2392 | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe | 28
PID 2392 wrote to memory of 2280 | 2392 | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe | 28
PID 2392 wrote to memory of 2280 | 2392 | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe | 28
PID 2280 wrote to memory of 2044 | 2280 | smss.exe | 29
PID 2280 wrote to memory of 2044 | 2280 | smss.exe | 29
PID 2280 wrote to memory of 2044 | 2280 | smss.exe | 29
PID 2280 wrote to memory of 2044 | 2280 | smss.exe | 29
PID 2280 wrote to memory of 2436 | 2280 | smss.exe | 30
PID 2280 wrote to memory of 2436 | 2280 | smss.exe | 30
PID 2280 wrote to memory of 2436 | 2280 | smss.exe | 30
PID 2280 wrote to memory of 2436 | 2280 | smss.exe | 30
PID 2436 wrote to memory of 2524 | 2436 | Gaara.exe | 31
PID 2436 wrote to memory of 2524 | 2436 | Gaara.exe | 31
PID 2436 wrote to memory of 2524 | 2436 | Gaara.exe | 31
PID 2436 wrote to memory of 2524 | 2436 | Gaara.exe | 31
PID 2436 wrote to memory of 2040 | 2436 | Gaara.exe | 32
PID 2436 wrote to memory of 2040 | 2436 | Gaara.exe | 32
PID 2436 wrote to memory of 2040 | 2436 | Gaara.exe | 32
PID 2436 wrote to memory of 2040 | 2436 | Gaara.exe | 32
PID 2436 wrote to memory of 2732 | 2436 | Gaara.exe | 33
PID 2436 wrote to memory of 2732 | 2436 | Gaara.exe | 33
PID 2436 wrote to memory of 2732 | 2436 | Gaara.exe | 33
PID 2436 wrote to memory of 2732 | 2436 | Gaara.exe | 33
PID 2732 wrote to memory of 556 | 2732 | csrss.exe | 34
PID 2732 wrote to memory of 556 | 2732 | csrss.exe | 34
PID 2732 wrote to memory of 556 | 2732 | csrss.exe | 34
PID 2732 wrote to memory of 556 | 2732 | csrss.exe | 34
PID 2732 wrote to memory of 764 | 2732 | csrss.exe | 35
PID 2732 wrote to memory of 764 | 2732 | csrss.exe | 35
PID 2732 wrote to memory of 764 | 2732 | csrss.exe | 35
PID 2732 wrote to memory of 764 | 2732 | csrss.exe | 35
PID 2732 wrote to memory of 2284 | 2732 | csrss.exe | 36
PID 2732 wrote to memory of 2284 | 2732 | csrss.exe | 36
PID 2732 wrote to memory of 2284 | 2732 | csrss.exe | 36
PID 2732 wrote to memory of 2284 | 2732 | csrss.exe | 36
PID 2732 wrote to memory of 1736 | 2732 | csrss.exe | 37
PID 2732 wrote to memory of 1736 | 2732 | csrss.exe | 37
PID 2732 wrote to memory of 1736 | 2732 | csrss.exe | 37
PID 2732 wrote to memory of 1736 | 2732 | csrss.exe | 37
PID 1736 wrote to memory of 2344 | 1736 | Kazekage.exe | 38
PID 1736 wrote to memory of 2344 | 1736 | Kazekage.exe | 38
PID 1736 wrote to memory of 2344 | 1736 | Kazekage.exe | 38
PID 1736 wrote to memory of 2344 | 1736 | Kazekage.exe | 38
PID 1736 wrote to memory of 1168 | 1736 | Kazekage.exe | 39
PID 1736 wrote to memory of 1168 | 1736 | Kazekage.exe | 39
PID 1736 wrote to memory of 1168 | 1736 | Kazekage.exe | 39
PID 1736 wrote to memory of 1168 | 1736 | Kazekage.exe | 39
PID 1736 wrote to memory of 648 | 1736 | Kazekage.exe | 40
PID 1736 wrote to memory of 648 | 1736 | Kazekage.exe | 40
PID 1736 wrote to memory of 648 | 1736 | Kazekage.exe | 40
PID 1736 wrote to memory of 648 | 1736 | Kazekage.exe | 40
PID 1736 wrote to memory of 572 | 1736 | Kazekage.exe | 41
PID 1736 wrote to memory of 572 | 1736 | Kazekage.exe | 41
PID 1736 wrote to memory of 572 | 1736 | Kazekage.exe | 41
PID 1736 wrote to memory of 572 | 1736 | Kazekage.exe | 41
PID 1736 wrote to memory of 532 | 1736 | Kazekage.exe | 42
PID 1736 wrote to memory of 532 | 1736 | Kazekage.exe | 42
PID 1736 wrote to memory of 532 | 1736 | Kazekage.exe | 42
PID 1736 wrote to memory of 532 | 1736 | Kazekage.exe | 42
PID 532 wrote to memory of 1400 | 532 | system32.exe | 43
PID 532 wrote to memory of 1400 | 532 | system32.exe | 43
PID 532 wrote to memory of 1400 | 532 | system32.exe | 43
PID 532 wrote to memory of 1400 | 532 | system32.exe | 43
System policy modification 1 TTPs 12 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Gaara.exe
Processes
C:\Users\Admin\AppData\Local\Temp\c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe  "C:\Users\Admin\AppData\Local\Temp\c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe"  PID:2392
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - UAC bypass
  - Disables RegEdit via registry modification
  - Drops file in Drivers directory
  - Sets file execution options in registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  C:\Windows\Fonts\Admin 27 - 3 - 2024\smss.exe  "C:\Windows\Fonts\Admin 27 - 3 - 2024\smss.exe"  PID:2280
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - UAC bypass
    - Disables RegEdit via registry modification
    - Drops file in Drivers directory
    - Sets file execution options in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Sets desktop wallpaper using registry
    - Drops file in Windows directory
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Windows\Fonts\Admin 27 - 3 - 2024\smss.exe  "C:\Windows\Fonts\Admin 27 - 3 - 2024\smss.exe"  PID:2044
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
    C:\Windows\Fonts\Admin 27 - 3 - 2024\Gaara.exe  "C:\Windows\Fonts\Admin 27 - 3 - 2024\Gaara.exe"  PID:2436
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - UAC bypass
      - Disables RegEdit via registry modification
      - Drops file in Drivers directory
      - Sets file execution options in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops desktop.ini file(s)
      - Enumerates connected drives
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Sets desktop wallpaper using registry
      - Drops file in Windows directory
      - Modifies Control Panel
      - Modifies Internet Explorer settings
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
      C:\Windows\Fonts\Admin 27 - 3 - 2024\smss.exe  "C:\Windows\Fonts\Admin 27 - 3 - 2024\smss.exe"  PID:2524
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
      C:\Windows\Fonts\Admin 27 - 3 - 2024\Gaara.exe  "C:\Windows\Fonts\Admin 27 - 3 - 2024\Gaara.exe"  PID:2040
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
      C:\Windows\Fonts\Admin 27 - 3 - 2024\csrss.exe  "C:\Windows\Fonts\Admin 27 - 3 - 2024\csrss.exe"  PID:2732
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - UAC bypass
        - Disables RegEdit via registry modification
        - Drops file in Drivers directory
        - Sets file execution options in registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops desktop.ini file(s)
        - Enumerates connected drives
        - Drops autorun.inf file
        - Drops file in System32 directory
        - Sets desktop wallpaper using registry
        - Drops file in Windows directory
        - Modifies Control Panel
        - Modifies Internet Explorer settings
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification
        C:\Windows\Fonts\Admin 27 - 3 - 2024\smss.exe  "C:\Windows\Fonts\Admin 27 - 3 - 2024\smss.exe"  PID:556
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetWindowsHookEx
        C:\Windows\Fonts\Admin 27 - 3 - 2024\Gaara.exe  "C:\Windows\Fonts\Admin 27 - 3 - 2024\Gaara.exe"  PID:764
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetWindowsHookEx
        C:\Windows\Fonts\Admin 27 - 3 - 2024\csrss.exe  "C:\Windows\Fonts\Admin 27 - 3 - 2024\csrss.exe"  PID:2284
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\drivers\Kazekage.exe  C:\Windows\system32\drivers\Kazekage.exe  PID:1736
          - Modifies WinLogon for persistence
          - Modifies visibility of file extensions in Explorer
          - Modifies visibility of hidden/system files in Explorer
          - UAC bypass
          - Disables RegEdit via registry modification
          - Drops file in Drivers directory
          - Sets file execution options in registry
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops desktop.ini file(s)
          - Enumerates connected drives
          - Drops autorun.inf file
          - Drops file in System32 directory
          - Sets desktop wallpaper using registry
          - Drops file in Windows directory
          - Modifies Control Panel
          - Modifies Internet Explorer settings
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          - System policy modification
          C:\Windows\Fonts\Admin 27 - 3 - 2024\smss.exe  "C:\Windows\Fonts\Admin 27 - 3 - 2024\smss.exe"  PID:2344
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetWindowsHookEx
          C:\Windows\Fonts\Admin 27 - 3 - 2024\Gaara.exe  "C:\Windows\Fonts\Admin 27 - 3 - 2024\Gaara.exe"  PID:1168
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetWindowsHookEx
          C:\Windows\Fonts\Admin 27 - 3 - 2024\csrss.exe  "C:\Windows\Fonts\Admin 27 - 3 - 2024\csrss.exe"  PID:648
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetWindowsHookEx
          C:\Windows\SysWOW64\drivers\Kazekage.exe  C:\Windows\system32\drivers\Kazekage.exe  PID:572
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
          C:\Windows\SysWOW64\drivers\system32.exe  C:\Windows\system32\drivers\system32.exe  PID:532
            - Modifies WinLogon for persistence
            - Modifies visibility of file extensions in Explorer
            - Modifies visibility of hidden/system files in Explorer
            - UAC bypass
            - Disables RegEdit via registry modification
            - Drops file in Drivers directory
            - Sets file execution options in registry
            - Executes dropped EXE
            - Loads dropped DLL
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops desktop.ini file(s)
            - Enumerates connected drives
            - Drops autorun.inf file
            - Drops file in System32 directory
            - Sets desktop wallpaper using registry
            - Drops file in Windows directory
            - Modifies Control Panel
            - Modifies Internet Explorer settings
            - Modifies registry class
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            - System policy modification
            C:\Windows\Fonts\Admin 27 - 3 - 2024\smss.exe  "C:\Windows\Fonts\Admin 27 - 3 - 2024\smss.exe"  PID:1400
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of SetWindowsHookEx
            C:\Windows\Fonts\Admin 27 - 3 - 2024\Gaara.exe  "C:\Windows\Fonts\Admin 27 - 3 - 2024\Gaara.exe"  PID:980
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of SetWindowsHookEx
            C:\Windows\Fonts\Admin 27 - 3 - 2024\csrss.exe  "C:\Windows\Fonts\Admin 27 - 3 - 2024\csrss.exe"  PID:1164
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of SetWindowsHookEx
            C:\Windows\SysWOW64\drivers\Kazekage.exe  C:\Windows\system32\drivers\Kazekage.exe  PID:1636
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
            C:\Windows\SysWOW64\drivers\system32.exe  C:\Windows\system32\drivers\system32.exe  PID:2268
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
            C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  PID:2168
              - Runs ping.exe
            C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  PID:2304
              - Runs ping.exe
            C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  PID:2296
              - Runs ping.exe
            C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  PID:2172
              - Runs ping.exe
            C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  PID:1980
              - Runs ping.exe
            C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  PID:1664
              - Runs ping.exe
          C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  PID:1052
            - Runs ping.exe
          C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  PID:1916
            - Runs ping.exe
          C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  PID:1136
            - Runs ping.exe
          C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  PID:1684
            - Runs ping.exe
          C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  PID:2604
            - Runs ping.exe
          C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  PID:1084
            - Runs ping.exe
        C:\Windows\SysWOW64\drivers\system32.exe  C:\Windows\system32\drivers\system32.exe  PID:976
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  PID:108
          - Runs ping.exe
        C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  PID:1992
          - Runs ping.exe
        C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  PID:888
          - Runs ping.exe
        C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  PID:2960
          - Runs ping.exe
        C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  PID:1648
          - Runs ping.exe
        C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  PID:1972
          - Runs ping.exe
      C:\Windows\SysWOW64\drivers\Kazekage.exe  C:\Windows\system32\drivers\Kazekage.exe  PID:1216
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      C:\Windows\SysWOW64\drivers\system32.exe  C:\Windows\system32\drivers\system32.exe  PID:1912
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  PID:2284
        - Runs ping.exe
      C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  PID:1552
        - Runs ping.exe
      C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  PID:1992
        - Runs ping.exe
      C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  PID:884
        - Runs ping.exe
      C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  PID:2404
        - Runs ping.exe
      C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  PID:1536
        - Runs ping.exe
    C:\Windows\Fonts\Admin 27 - 3 - 2024\csrss.exe  "C:\Windows\Fonts\Admin 27 - 3 - 2024\csrss.exe"  PID:1532
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\drivers\Kazekage.exe  C:\Windows\system32\drivers\Kazekage.exe  PID:1236
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\drivers\system32.exe  C:\Windows\system32\drivers\system32.exe  PID:2420
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  PID:2620
      - Runs ping.exe
    C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  PID:1652
      - Runs ping.exe
    C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  PID:112
      - Runs ping.exe
    C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  PID:1488
      - Runs ping.exe
    C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  PID:2800
      - Runs ping.exe
    C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  PID:2108
      - Runs ping.exe
  C:\Windows\Fonts\Admin 27 - 3 - 2024\Gaara.exe  "C:\Windows\Fonts\Admin 27 - 3 - 2024\Gaara.exe"  PID:2300
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
  C:\Windows\Fonts\Admin 27 - 3 - 2024\csrss.exe  "C:\Windows\Fonts\Admin 27 - 3 - 2024\csrss.exe"  PID:2892
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\drivers\Kazekage.exe  C:\Windows\system32\drivers\Kazekage.exe  PID:2864
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\drivers\system32.exe  C:\Windows\system32\drivers\system32.exe  PID:2848
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  PID:2464
    - Runs ping.exe
  C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  PID:2500
    - Runs ping.exe
  C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  PID:1500
    - Runs ping.exe
  C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  PID:1508
    - Runs ping.exe
  C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  PID:2156
    - Runs ping.exe
  C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  PID:1368
    - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (9)
Downloads