Analysis
max time kernel: 149s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/03/2024, 23:57
Static task: static1
Behavioral task: behavioral1
  Sample: c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
  Resource: win10v2004-20240226-en
General
Target: c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Size: 54KB
MD5: 33ae7df5fe25355ef97e68fe977480dd
SHA1: 3fc1713750d36117b4eed3c23787723154354dec
SHA256: c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a
SHA512: 659585fdc24b3e44ca5959757c1b7bf5f24b99fcc0baff95f167d94484238160241abf76c14064e7d9777a4250e4ebd00a42a5c00a3e219145c04dbf1cc45018
SSDEEP: 1536:A7TJopblB4dqyyUiZ06pX3I6/qxiSEGNJFV:A7TQlatyYePxiFV
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Gaara.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Disables RegEdit via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Disables use of System Restore points (1 TTPs)
Drops file in Drivers directory (24 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\drivers\system32.exe | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
Sets file execution options in registry (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe
Executes dropped EXE (30 IoCs)
pid | Process
4088 | smss.exe
2128 | smss.exe
3008 | Gaara.exe
544 | smss.exe
1188 | Gaara.exe
4892 | csrss.exe
540 | smss.exe
528 | Gaara.exe
4552 | csrss.exe
3476 | Kazekage.exe
4440 | smss.exe
4216 | Gaara.exe
4756 | csrss.exe
2164 | Kazekage.exe
2852 | system32.exe
5092 | smss.exe
2436 | Gaara.exe
1668 | csrss.exe
4000 | Kazekage.exe
4336 | system32.exe
2564 | system32.exe
4880 | Kazekage.exe
5100 | system32.exe
4272 | csrss.exe
2848 | Kazekage.exe
2888 | system32.exe
2904 | Gaara.exe
3532 | csrss.exe
4864 | Kazekage.exe
228 | system32.exe
Loads dropped DLL (18 IoCs)
pid | Process
4088 | smss.exe
2128 | smss.exe
3008 | Gaara.exe
544 | smss.exe
1188 | Gaara.exe
4892 | csrss.exe
540 | smss.exe
528 | Gaara.exe
4552 | csrss.exe
4440 | smss.exe
4216 | Gaara.exe
4756 | csrss.exe
5092 | smss.exe
2436 | Gaara.exe
1668 | csrss.exe
4272 | csrss.exe
2904 | Gaara.exe
3532 | csrss.exe
Adds Run key to start application (2 TTPs, 24 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 27 - 3 - 2024\\smss.exe" | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 27 - 3 - 2024\\Gaara.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "27-3-2024.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "27-3-2024.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 27 - 3 - 2024\\Gaara.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "27-3-2024.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 27 - 3 - 2024\\Gaara.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "27-3-2024.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "27-3-2024.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 27 - 3 - 2024\\smss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 27 - 3 - 2024\\smss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 27 - 3 - 2024\\smss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 27 - 3 - 2024\\Gaara.exe" | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 27 - 3 - 2024\\smss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 27 - 3 - 2024\\smss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 27 - 3 - 2024\\Gaara.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 27 - 3 - 2024\\Gaara.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "27-3-2024.exe" | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Drops desktop.ini file(s) (64 IoCs)
description | ioc | Process
File opened for modification | \??\M:\Desktop.ini | smss.exe
File opened for modification | \??\R:\Desktop.ini | smss.exe
File opened for modification | \??\I:\Desktop.ini | Kazekage.exe
File opened for modification | \??\B:\Desktop.ini | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
File opened for modification | C:\Desktop.ini | Gaara.exe
File opened for modification | \??\R:\Desktop.ini | Gaara.exe
File opened for modification | F:\Desktop.ini | Kazekage.exe
File opened for modification | \??\R:\Desktop.ini | system32.exe
File opened for modification | \??\V:\Desktop.ini | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
File opened for modification | \??\O:\Desktop.ini | smss.exe
File opened for modification | \??\U:\Desktop.ini | smss.exe
File opened for modification | \??\K:\Desktop.ini | csrss.exe
File opened for modification | \??\Q:\Desktop.ini | Kazekage.exe
File opened for modification | \??\S:\Desktop.ini | Kazekage.exe
File opened for modification | \??\Q:\Desktop.ini | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
File opened for modification | C:\Desktop.ini | smss.exe
File opened for modification | \??\H:\Desktop.ini | Kazekage.exe
File opened for modification | \??\Y:\Desktop.ini | system32.exe
File opened for modification | \??\Y:\Desktop.ini | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
File opened for modification | \??\B:\Desktop.ini | smss.exe
File opened for modification | F:\Desktop.ini | Gaara.exe
File opened for modification | D:\Desktop.ini | csrss.exe
File opened for modification | \??\X:\Desktop.ini | csrss.exe
File opened for modification | \??\Y:\Desktop.ini | Kazekage.exe
File opened for modification | \??\Z:\Desktop.ini | Kazekage.exe
File opened for modification | \??\G:\Desktop.ini | system32.exe
File opened for modification | \??\M:\Desktop.ini | system32.exe
File opened for modification | \??\W:\Desktop.ini | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
File opened for modification | \??\N:\Desktop.ini | smss.exe
File opened for modification | \??\A:\Desktop.ini | csrss.exe
File opened for modification | \??\L:\Desktop.ini | Kazekage.exe
File opened for modification | \??\X:\Desktop.ini | Kazekage.exe
File opened for modification | C:\Desktop.ini | system32.exe
File opened for modification | \??\Z:\Desktop.ini | smss.exe
File opened for modification | \??\U:\Desktop.ini | Gaara.exe
File opened for modification | \??\W:\Desktop.ini | Gaara.exe
File opened for modification | \??\Z:\Desktop.ini | Gaara.exe
File opened for modification | \??\H:\Desktop.ini | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
File opened for modification | \??\H:\Desktop.ini | csrss.exe
File opened for modification | \??\P:\Desktop.ini | csrss.exe
File opened for modification | \??\V:\Desktop.ini | Kazekage.exe
File opened for modification | \??\S:\Desktop.ini | smss.exe
File opened for modification | \??\X:\Desktop.ini | smss.exe
File opened for modification | \??\L:\Desktop.ini | csrss.exe
File opened for modification | \??\M:\Desktop.ini | csrss.exe
File opened for modification | \??\G:\Desktop.ini | Kazekage.exe
File opened for modification | \??\J:\Desktop.ini | system32.exe
File opened for modification | D:\Desktop.ini | smss.exe
File opened for modification | \??\J:\Desktop.ini | Gaara.exe
File opened for modification | \??\V:\Desktop.ini | smss.exe
File opened for modification | D:\Desktop.ini | Gaara.exe
File opened for modification | \??\T:\Desktop.ini | Gaara.exe
File opened for modification | \??\W:\Desktop.ini | csrss.exe
File opened for modification | \??\J:\Desktop.ini | Kazekage.exe
File opened for modification | \??\A:\Desktop.ini | smss.exe
File opened for modification | \??\B:\Desktop.ini | Gaara.exe
File opened for modification | \??\H:\Desktop.ini | Gaara.exe
File opened for modification | \??\E:\Desktop.ini | Kazekage.exe
File opened for modification | F:\Desktop.ini | system32.exe
File opened for modification | \??\P:\Desktop.ini | smss.exe
File opened for modification | \??\O:\Desktop.ini | system32.exe
File opened for modification | \??\O:\Desktop.ini | csrss.exe
File opened for modification | \??\U:\Desktop.ini | csrss.exe
File opened for modification | \??\B:\Desktop.ini | Kazekage.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\J: | Gaara.exe
File opened (read-only) | \??\V: | Kazekage.exe
File opened (read-only) | \??\G: | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
File opened (read-only) | \??\R: | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
File opened (read-only) | \??\B: | smss.exe
File opened (read-only) | \??\I: | csrss.exe
File opened (read-only) | \??\Q: | Kazekage.exe
File opened (read-only) | \??\Y: | Kazekage.exe
File opened (read-only) | \??\X: | system32.exe
File opened (read-only) | \??\H: | Gaara.exe
File opened (read-only) | \??\Q: | Gaara.exe
File opened (read-only) | \??\R: | Gaara.exe
File opened (read-only) | \??\G: | csrss.exe
File opened (read-only) | \??\T: | csrss.exe
File opened (read-only) | \??\Z: | csrss.exe
File opened (read-only) | \??\Y: | system32.exe
File opened (read-only) | \??\K: | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
File opened (read-only) | \??\U: | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
File opened (read-only) | \??\R: | csrss.exe
File opened (read-only) | \??\Y: | csrss.exe
File opened (read-only) | \??\H: | Kazekage.exe
File opened (read-only) | \??\M: | Kazekage.exe
File opened (read-only) | \??\P: | Gaara.exe
File opened (read-only) | \??\X: | Gaara.exe
File opened (read-only) | \??\Z: | Gaara.exe
File opened (read-only) | \??\O: | Kazekage.exe
File opened (read-only) | \??\V: | system32.exe
File opened (read-only) | \??\A: | Gaara.exe
File opened (read-only) | \??\S: | Kazekage.exe
File opened (read-only) | \??\R: | system32.exe
File opened (read-only) | \??\E: | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
File opened (read-only) | \??\N: | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
File opened (read-only) | \??\A: | smss.exe
File opened (read-only) | \??\H: | smss.exe
File opened (read-only) | \??\E: | Gaara.exe
File opened (read-only) | \??\W: | Gaara.exe
File opened (read-only) | \??\P: | csrss.exe
File opened (read-only) | \??\T: | smss.exe
File opened (read-only) | \??\X: | csrss.exe
File opened (read-only) | \??\L: | smss.exe
File opened (read-only) | \??\K: | Gaara.exe
File opened (read-only) | \??\H: | csrss.exe
File opened (read-only) | \??\J: | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
File opened (read-only) | \??\V: | Gaara.exe
File opened (read-only) | \??\Q: | csrss.exe
File opened (read-only) | \??\M: | smss.exe
File opened (read-only) | \??\O: | smss.exe
File opened (read-only) | \??\U: | smss.exe
File opened (read-only) | \??\B: | Gaara.exe
File opened (read-only) | \??\T: | Gaara.exe
File opened (read-only) | \??\A: | Kazekage.exe
File opened (read-only) | \??\N: | Kazekage.exe
File opened (read-only) | \??\K: | system32.exe
File opened (read-only) | \??\O: | system32.exe
File opened (read-only) | \??\S: | csrss.exe
File opened (read-only) | \??\I: | system32.exe
File opened (read-only) | \??\S: | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
File opened (read-only) | \??\B: | csrss.exe
File opened (read-only) | \??\B: | system32.exe
File opened (read-only) | \??\L: | system32.exe
File opened (read-only) | \??\V: | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
File opened (read-only) | \??\Z: | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
File opened (read-only) | \??\L: | Kazekage.exe
File opened (read-only) | \??\M: | system32.exe
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory 39 IoCs
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Gaara.exe
Drops file in Windows directory 64 IoCs
Modifies Control Panel 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | system32.exe
Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Main | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | smss.exe
Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Main | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | Gaara.exe
Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Main | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Main | Kazekage.exe
Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Main | system32.exe
Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Main | c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Modifies registry class 51 IoCs
Runs ping.exe 1 TTPs 32 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
4088 smss.exe
4088 smss.exe
4088 smss.exe
4088 smss.exe
4088 smss.exe
4088 smss.exe
4088 smss.exe
4088 smss.exe
4088 smss.exe
4088 smss.exe
4088 smss.exe
4088 smss.exe
4088 smss.exe
4088 smss.exe
4088 smss.exe
4088 smss.exe
4088 smss.exe
4088 smss.exe
4088 smss.exe
4088 smss.exe
4088 smss.exe
4088 smss.exe
4088 smss.exe
4088 smss.exe
3008 Gaara.exe
3008 Gaara.exe
3008 Gaara.exe
3008 Gaara.exe
3008 Gaara.exe
3008 Gaara.exe
3008 Gaara.exe
3008 Gaara.exe
3008 Gaara.exe
3008 Gaara.exe
3008 Gaara.exe
3008 Gaara.exe
3008 Gaara.exe
3008 Gaara.exe
3008 Gaara.exe
3008 Gaara.exe
3008 Gaara.exe
3008 Gaara.exe
3008 Gaara.exe
3008 Gaara.exe
3008 Gaara.exe
3008 Gaara.exe
3008 Gaara.exe
3008 Gaara.exe
4892 csrss.exe
4892 csrss.exe
4892 csrss.exe
4892 csrss.exe
4892 csrss.exe
4892 csrss.exe
4892 csrss.exe
4892 csrss.exe
4892 csrss.exe
4892 csrss.exe
4892 csrss.exe
4892 csrss.exe
4892 csrss.exe
4892 csrss.exe
4892 csrss.exe
4892 csrss.exe
-
Suspicious use of SetWindowsHookEx 31 IoCs
pid Process
4632 c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
4088 smss.exe
2128 smss.exe
3008 Gaara.exe
544 smss.exe
1188 Gaara.exe
4892 csrss.exe
540 smss.exe
528 Gaara.exe
4552 csrss.exe
3476 Kazekage.exe
4440 smss.exe
4216 Gaara.exe
4756 csrss.exe
2164 Kazekage.exe
2852 system32.exe
5092 smss.exe
2436 Gaara.exe
1668 csrss.exe
4000 Kazekage.exe
4336 system32.exe
2564 system32.exe
4880 Kazekage.exe
5100 system32.exe
4272 csrss.exe
2848 Kazekage.exe
2888 system32.exe
2904 Gaara.exe
3532 csrss.exe
4864 Kazekage.exe
228 system32.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 4632 wrote to memory of 4088 4632 c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe 87
PID 4632 wrote to memory of 4088 4632 c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe 87
PID 4632 wrote to memory of 4088 4632 c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe 87
PID 4088 wrote to memory of 2128 4088 smss.exe 88
PID 4088 wrote to memory of 2128 4088 smss.exe 88
PID 4088 wrote to memory of 2128 4088 smss.exe 88
PID 4088 wrote to memory of 3008 4088 smss.exe 90
PID 4088 wrote to memory of 3008 4088 smss.exe 90
PID 4088 wrote to memory of 3008 4088 smss.exe 90
PID 3008 wrote to memory of 544 3008 Gaara.exe 91
PID 3008 wrote to memory of 544 3008 Gaara.exe 91
PID 3008 wrote to memory of 544 3008 Gaara.exe 91
PID 3008 wrote to memory of 1188 3008 Gaara.exe 92
PID 3008 wrote to memory of 1188 3008 Gaara.exe 92
PID 3008 wrote to memory of 1188 3008 Gaara.exe 92
PID 3008 wrote to memory of 4892 3008 Gaara.exe 93
PID 3008 wrote to memory of 4892 3008 Gaara.exe 93
PID 3008 wrote to memory of 4892 3008 Gaara.exe 93
PID 4892 wrote to memory of 540 4892 csrss.exe 94
PID 4892 wrote to memory of 540 4892 csrss.exe 94
PID 4892 wrote to memory of 540 4892 csrss.exe 94
PID 4892 wrote to memory of 528 4892 csrss.exe 95
PID 4892 wrote to memory of 528 4892 csrss.exe 95
PID 4892 wrote to memory of 528 4892 csrss.exe 95
PID 4892 wrote to memory of 4552 4892 csrss.exe 96
PID 4892 wrote to memory of 4552 4892 csrss.exe 96
PID 4892 wrote to memory of 4552 4892 csrss.exe 96
PID 4892 wrote to memory of 3476 4892 csrss.exe 97
PID 4892 wrote to memory of 3476 4892 csrss.exe 97
PID 4892 wrote to memory of 3476 4892 csrss.exe 97
PID 3476 wrote to memory of 4440 3476 Kazekage.exe 98
PID 3476 wrote to memory of 4440 3476 Kazekage.exe 98
PID 3476 wrote to memory of 4440 3476 Kazekage.exe 98
PID 3476 wrote to memory of 4216 3476 Kazekage.exe 99
PID 3476 wrote to memory of 4216 3476 Kazekage.exe 99
PID 3476 wrote to memory of 4216 3476 Kazekage.exe 99
PID 3476 wrote to memory of 4756 3476 Kazekage.exe 100
PID 3476 wrote to memory of 4756 3476 Kazekage.exe 100
PID 3476 wrote to memory of 4756 3476 Kazekage.exe 100
PID 3476 wrote to memory of 2164 3476 Kazekage.exe 101
PID 3476 wrote to memory of 2164 3476 Kazekage.exe 101
PID 3476 wrote to memory of 2164 3476 Kazekage.exe 101
PID 3476 wrote to memory of 2852 3476 Kazekage.exe 102
PID 3476 wrote to memory of 2852 3476 Kazekage.exe 102
PID 3476 wrote to memory of 2852 3476 Kazekage.exe 102
PID 2852 wrote to memory of 5092 2852 system32.exe 103
PID 2852 wrote to memory of 5092 2852 system32.exe 103
PID 2852 wrote to memory of 5092 2852 system32.exe 103
PID 2852 wrote to memory of 2436 2852 system32.exe 104
PID 2852 wrote to memory of 2436 2852 system32.exe 104
PID 2852 wrote to memory of 2436 2852 system32.exe 104
PID 2852 wrote to memory of 1668 2852 system32.exe 105
PID 2852 wrote to memory of 1668 2852 system32.exe 105
PID 2852 wrote to memory of 1668 2852 system32.exe 105
PID 2852 wrote to memory of 4000 2852 system32.exe 106
PID 2852 wrote to memory of 4000 2852 system32.exe 106
PID 2852 wrote to memory of 4000 2852 system32.exe 106
PID 2852 wrote to memory of 4336 2852 system32.exe 107
PID 2852 wrote to memory of 4336 2852 system32.exe 107
PID 2852 wrote to memory of 4336 2852 system32.exe 107
PID 4892 wrote to memory of 2564 4892 csrss.exe 108
PID 4892 wrote to memory of 2564 4892 csrss.exe 108
PID 4892 wrote to memory of 2564 4892 csrss.exe 108
PID 3008 wrote to memory of 4880 3008 Gaara.exe 111
-
System policy modification 1 TTPs 12 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Gaara.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Kazekage.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System system32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe"C:\Users\Admin\AppData\Local\Temp\c2381fc7edb515d63e5da3ba6f503d79581ecb16bf7ba0e5c3e7724e2ed6b24a.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4632 -
C:\Windows\Fonts\Admin 27 - 3 - 2024\smss.exe"C:\Windows\Fonts\Admin 27 - 3 - 2024\smss.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4088 -
C:\Windows\Fonts\Admin 27 - 3 - 2024\smss.exe"C:\Windows\Fonts\Admin 27 - 3 - 2024\smss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2128
-
-
C:\Windows\Fonts\Admin 27 - 3 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 27 - 3 - 2024\Gaara.exe"3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3008 -
C:\Windows\Fonts\Admin 27 - 3 - 2024\smss.exe"C:\Windows\Fonts\Admin 27 - 3 - 2024\smss.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:544
-
-
C:\Windows\Fonts\Admin 27 - 3 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 27 - 3 - 2024\Gaara.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1188
-
-
C:\Windows\Fonts\Admin 27 - 3 - 2024\csrss.exe"C:\Windows\Fonts\Admin 27 - 3 - 2024\csrss.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4892 -
C:\Windows\Fonts\Admin 27 - 3 - 2024\smss.exe"C:\Windows\Fonts\Admin 27 - 3 - 2024\smss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:540
-
-
C:\Windows\Fonts\Admin 27 - 3 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 27 - 3 - 2024\Gaara.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:528
-
-
C:\Windows\Fonts\Admin 27 - 3 - 2024\csrss.exe"C:\Windows\Fonts\Admin 27 - 3 - 2024\csrss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4552
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3476 -
C:\Windows\Fonts\Admin 27 - 3 - 2024\smss.exe"C:\Windows\Fonts\Admin 27 - 3 - 2024\smss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4440
-
-
C:\Windows\Fonts\Admin 27 - 3 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 27 - 3 - 2024\Gaara.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4216
-
-
C:\Windows\Fonts\Admin 27 - 3 - 2024\csrss.exe"C:\Windows\Fonts\Admin 27 - 3 - 2024\csrss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4756
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2164
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2852 -
C:\Windows\Fonts\Admin 27 - 3 - 2024\smss.exe"C:\Windows\Fonts\Admin 27 - 3 - 2024\smss.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5092
-
-
C:\Windows\Fonts\Admin 27 - 3 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 27 - 3 - 2024\Gaara.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2436
-
-
C:\Windows\Fonts\Admin 27 - 3 - 2024\csrss.exe"C:\Windows\Fonts\Admin 27 - 3 - 2024\csrss.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1668
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4000
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4336
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- Runs ping.exe
PID:4016
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- Runs ping.exe
PID:4880
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- Runs ping.exe
PID:1788
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- Runs ping.exe
PID:1072
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- Runs ping.exe
PID:3764
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- Runs ping.exe
PID:1044
-
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- Runs ping.exe
PID:2424
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- Runs ping.exe
PID:1116
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- Runs ping.exe
PID:1584
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- Runs ping.exe
PID:3492
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- Runs ping.exe
PID:1632
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- Runs ping.exe
PID:2124
-
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2564
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- Runs ping.exe
PID:4368
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- Runs ping.exe
PID:404
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- Runs ping.exe
PID:4764
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- Runs ping.exe
PID:4768
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- Runs ping.exe
PID:3580
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- Runs ping.exe
PID:2896
-
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4880
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5100
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- Runs ping.exe
PID:2924
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- Runs ping.exe
PID:1224
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- Runs ping.exe
PID:4824
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- Runs ping.exe
PID:1580
-
-
-
C:\Windows\Fonts\Admin 27 - 3 - 2024\csrss.exe"C:\Windows\Fonts\Admin 27 - 3 - 2024\csrss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4272
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2848
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2888
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- Runs ping.exe
PID:3608
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- Runs ping.exe
PID:2176
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- Runs ping.exe
PID:2948
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- Runs ping.exe
PID:3964
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- Runs ping.exe
PID:1424
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- Runs ping.exe
PID:2944
-
-
-
C:\Windows\Fonts\Admin 27 - 3 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 27 - 3 - 2024\Gaara.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2904
-
-
C:\Windows\Fonts\Admin 27 - 3 - 2024\csrss.exe"C:\Windows\Fonts\Admin 27 - 3 - 2024\csrss.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3532
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4864
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:228
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- Runs ping.exe
PID:4416
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- Runs ping.exe
PID:2540
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- Runs ping.exe
PID:1648
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- Runs ping.exe
PID:3692
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 3
Registry Run Keys / Startup Folder 2
Winlogon Helper DLL 1
Privilege Escalation
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Boot or Logon Autostart Execution 3
Registry Run Keys / Startup Folder 2
Winlogon Helper DLL 1
Defense Evasion
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Hide Artifacts 2
Hidden Files and Directories 2
Impair Defenses 1
Disable or Modify Tools 1
Modify Registry 9
Downloads