Analysis
-
max time kernel
149s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system -
submitted
09-04-2024 22:05
Behavioral task
behavioral1
Sample
997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Resource
win10v2004-20240226-en
General
-
Target
997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
-
Size
3.0MB
-
MD5
1138af762ea974c40591ecf18fc08510
-
SHA1
748bf62069ad5e51063ce98fe1cc5b119de18bff
-
SHA256
997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4
-
SHA512
3559ef4ea08feb7a6a7255a6bffa9f8405ae0fb28e6ee6fc302c5f6eae1823b7d55ede073c4a8fe7149fbd587d63a655cc7fce422c4c8fe5555b07b49980e640
-
SSDEEP
24576:PN7VG8rVG8tN7VG8WN7VG8rVG8tN7VG8YN7VG8rVG8tN7VG8kN7VG8rVG8tN7VGX:P55H5455H5i55H5m55H5055H5Q55H5s
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Gaara.exe
-
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | system32.exe
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Gaara.exe
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
-
UPX dump on OEP (original entry point) 56 IoCs
-
Disables RegEdit via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
-
Disables use of System Restore points 1 TTPs
-
Drops file in Drivers directory 24 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
-
Sets file execution options in registry 2 TTPs 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe | 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe | 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" | 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" | 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com | 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe | 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" | 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com | Gaara.exe
-
Executes dropped EXE 30 IoCs
pid | Process
1416 | smss.exe
4280 | smss.exe
5108 | Gaara.exe
872 | smss.exe
4996 | Gaara.exe
932 | csrss.exe
2044 | smss.exe
1108 | Gaara.exe
388 | csrss.exe
2932 | Kazekage.exe
4916 | smss.exe
4648 | Gaara.exe
1384 | csrss.exe
3644 | Kazekage.exe
2600 | system32.exe
1888 | smss.exe
4576 | Gaara.exe
4076 | csrss.exe
4432 | Kazekage.exe
4752 | system32.exe
3284 | system32.exe
3028 | Kazekage.exe
4000 | system32.exe
1260 | csrss.exe
3548 | Kazekage.exe
4084 | system32.exe
3872 | Gaara.exe
2580 | csrss.exe
3500 | Kazekage.exe
3856 | system32.exe
-
Loads dropped DLL 18 IoCs
pid | Process
1416 | smss.exe
4280 | smss.exe
5108 | Gaara.exe
872 | smss.exe
4996 | Gaara.exe
932 | csrss.exe
2044 | smss.exe
1108 | Gaara.exe
388 | csrss.exe
4916 | smss.exe
4648 | Gaara.exe
1384 | csrss.exe
1888 | smss.exe
4576 | Gaara.exe
4076 | csrss.exe
1260 | csrss.exe
3872 | Gaara.exe
2580 | csrss.exe
-
Adds Run key to start application 2 TTPs 24 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 9 - 4 - 2024\\Gaara.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 9 - 4 - 2024\\smss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 9 - 4 - 2024\\Gaara.exe" | 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "9-4-2024.exe" | 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 9 - 4 - 2024\\Gaara.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "9-4-2024.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 9 - 4 - 2024\\smss.exe" | 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 9 - 4 - 2024\\smss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 9 - 4 - 2024\\Gaara.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "9-4-2024.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 9 - 4 - 2024\\smss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "9-4-2024.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "9-4-2024.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "9-4-2024.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 9 - 4 - 2024\\Gaara.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 9 - 4 - 2024\\smss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 9 - 4 - 2024\\Gaara.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 9 - 4 - 2024\\smss.exe" | csrss.exe
-
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe
Drops desktop.ini file(s) 64 IoCs
description ioc Process
File opened for modification D:\Desktop.ini 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification \??\V:\Desktop.ini system32.exe
File opened for modification \??\S:\Desktop.ini csrss.exe
File opened for modification \??\T:\Desktop.ini csrss.exe
File opened for modification \??\W:\Desktop.ini csrss.exe
File opened for modification \??\E:\Desktop.ini 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification \??\K:\Desktop.ini 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification \??\O:\Desktop.ini smss.exe
File opened for modification \??\E:\Desktop.ini csrss.exe
File opened for modification \??\O:\Desktop.ini csrss.exe
File opened for modification \??\V:\Desktop.ini Gaara.exe
File opened for modification \??\Q:\Desktop.ini 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification C:\Desktop.ini smss.exe
File opened for modification F:\Desktop.ini smss.exe
File opened for modification \??\H:\Desktop.ini Gaara.exe
File opened for modification \??\X:\Desktop.ini csrss.exe
File opened for modification C:\Desktop.ini 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification \??\S:\Desktop.ini system32.exe
File opened for modification \??\Y:\Desktop.ini system32.exe
File opened for modification \??\I:\Desktop.ini Gaara.exe
File opened for modification \??\V:\Desktop.ini Kazekage.exe
File opened for modification \??\O:\Desktop.ini 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification \??\Y:\Desktop.ini smss.exe
File opened for modification \??\G:\Desktop.ini system32.exe
File opened for modification \??\X:\Desktop.ini system32.exe
File opened for modification \??\G:\Desktop.ini Gaara.exe
File opened for modification \??\Y:\Desktop.ini Gaara.exe
File opened for modification D:\Desktop.ini csrss.exe
File opened for modification \??\T:\Desktop.ini 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification F:\Desktop.ini Kazekage.exe
File opened for modification \??\H:\Desktop.ini smss.exe
File opened for modification \??\Q:\Desktop.ini Gaara.exe
File opened for modification \??\Y:\Desktop.ini csrss.exe
File opened for modification \??\A:\Desktop.ini 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification \??\T:\Desktop.ini system32.exe
File opened for modification \??\A:\Desktop.ini Gaara.exe
File opened for modification \??\I:\Desktop.ini csrss.exe
File opened for modification \??\A:\Desktop.ini system32.exe
File opened for modification \??\I:\Desktop.ini Kazekage.exe
File opened for modification \??\K:\Desktop.ini Kazekage.exe
File opened for modification \??\L:\Desktop.ini 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification \??\E:\Desktop.ini smss.exe
File opened for modification \??\M:\Desktop.ini Gaara.exe
File opened for modification \??\R:\Desktop.ini Gaara.exe
File opened for modification \??\N:\Desktop.ini csrss.exe
File opened for modification \??\P:\Desktop.ini csrss.exe
File opened for modification \??\J:\Desktop.ini 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification \??\Y:\Desktop.ini 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification \??\P:\Desktop.ini smss.exe
File opened for modification \??\Z:\Desktop.ini smss.exe
File opened for modification \??\B:\Desktop.ini csrss.exe
File opened for modification \??\S:\Desktop.ini Kazekage.exe
File opened for modification \??\U:\Desktop.ini Kazekage.exe
File opened for modification \??\H:\Desktop.ini system32.exe
File opened for modification \??\T:\Desktop.ini Gaara.exe
File opened for modification F:\Desktop.ini csrss.exe
File opened for modification D:\Desktop.ini Kazekage.exe
File opened for modification \??\U:\Desktop.ini system32.exe
File opened for modification \??\E:\Desktop.ini Gaara.exe
File opened for modification \??\L:\Desktop.ini csrss.exe
File opened for modification \??\B:\Desktop.ini system32.exe
File opened for modification \??\X:\Desktop.ini smss.exe
File opened for modification \??\B:\Desktop.ini Gaara.exe
File opened for modification C:\Desktop.ini Kazekage.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\Z: Kazekage.exe
File opened (read-only) \??\Y: 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened (read-only) \??\H: smss.exe
File opened (read-only) \??\I: smss.exe
File opened (read-only) \??\Z: system32.exe
File opened (read-only) \??\N: Gaara.exe
File opened (read-only) \??\Q: Gaara.exe
File opened (read-only) \??\V: Kazekage.exe
File opened (read-only) \??\N: Kazekage.exe
File opened (read-only) \??\V: csrss.exe
File opened (read-only) \??\B: 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened (read-only) \??\N: smss.exe
File opened (read-only) \??\P: smss.exe
File opened (read-only) \??\K: system32.exe
File opened (read-only) \??\H: Gaara.exe
File opened (read-only) \??\O: Gaara.exe
File opened (read-only) \??\S: csrss.exe
File opened (read-only) \??\Q: Kazekage.exe
File opened (read-only) \??\M: Kazekage.exe
File opened (read-only) \??\R: Kazekage.exe
File opened (read-only) \??\H: 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened (read-only) \??\J: 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened (read-only) \??\R: smss.exe
File opened (read-only) \??\G: system32.exe
File opened (read-only) \??\I: system32.exe
File opened (read-only) \??\M: system32.exe
File opened (read-only) \??\K: Kazekage.exe
File opened (read-only) \??\H: Kazekage.exe
File opened (read-only) \??\S: smss.exe
File opened (read-only) \??\H: system32.exe
File opened (read-only) \??\U: Gaara.exe
File opened (read-only) \??\G: Kazekage.exe
File opened (read-only) \??\P: 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened (read-only) \??\L: smss.exe
File opened (read-only) \??\B: system32.exe
File opened (read-only) \??\Y: csrss.exe
File opened (read-only) \??\X: csrss.exe
File opened (read-only) \??\W: Gaara.exe
File opened (read-only) \??\M: csrss.exe
File opened (read-only) \??\O: 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened (read-only) \??\X: smss.exe
File opened (read-only) \??\Z: smss.exe
File opened (read-only) \??\T: system32.exe
File opened (read-only) \??\I: 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened (read-only) \??\U: csrss.exe
File opened (read-only) \??\W: 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened (read-only) \??\A: smss.exe
File opened (read-only) \??\A: Gaara.exe
File opened (read-only) \??\K: Gaara.exe
File opened (read-only) \??\Z: Gaara.exe
File opened (read-only) \??\P: csrss.exe
File opened (read-only) \??\N: system32.exe
File opened (read-only) \??\B: Gaara.exe
File opened (read-only) \??\N: 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened (read-only) \??\A: system32.exe
File opened (read-only) \??\U: Kazekage.exe
File opened (read-only) \??\K: csrss.exe
File opened (read-only) \??\L: 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened (read-only) \??\H: csrss.exe
File opened (read-only) \??\Q: smss.exe
File opened (read-only) \??\O: system32.exe
File opened (read-only) \??\B: Kazekage.exe
File opened (read-only) \??\G: csrss.exe
File opened (read-only) \??\J: Kazekage.exe
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process
File opened for modification \??\X:\Autorun.inf 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification C:\Autorun.inf smss.exe
File created \??\L:\Autorun.inf csrss.exe
File opened for modification \??\T:\Autorun.inf csrss.exe
File created \??\B:\Autorun.inf Kazekage.exe
File created \??\N:\Autorun.inf Kazekage.exe
File opened for modification \??\I:\Autorun.inf 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File created \??\S:\Autorun.inf Gaara.exe
File opened for modification \??\L:\Autorun.inf csrss.exe
File opened for modification \??\T:\Autorun.inf Kazekage.exe
File opened for modification \??\Y:\Autorun.inf 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification \??\K:\Autorun.inf Gaara.exe
File created \??\L:\Autorun.inf Gaara.exe
File opened for modification \??\G:\Autorun.inf csrss.exe
File created \??\H:\Autorun.inf csrss.exe
File opened for modification \??\S:\Autorun.inf 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification \??\E:\Autorun.inf smss.exe
File created \??\K:\Autorun.inf system32.exe
File created \??\V:\Autorun.inf system32.exe
File opened for modification \??\Y:\Autorun.inf Kazekage.exe
File opened for modification \??\N:\Autorun.inf system32.exe
File opened for modification \??\A:\Autorun.inf smss.exe
File opened for modification D:\Autorun.inf smss.exe
File created \??\K:\Autorun.inf smss.exe
File opened for modification \??\O:\Autorun.inf smss.exe
File opened for modification \??\U:\Autorun.inf smss.exe
File created \??\M:\Autorun.inf Gaara.exe
File created \??\R:\Autorun.inf system32.exe
File opened for modification \??\S:\Autorun.inf system32.exe
File opened for modification \??\A:\Autorun.inf system32.exe
File created \??\N:\Autorun.inf system32.exe
File opened for modification \??\Y:\Autorun.inf Gaara.exe
File created \??\V:\Autorun.inf csrss.exe
File opened for modification \??\E:\Autorun.inf Kazekage.exe
File created \??\H:\Autorun.inf Kazekage.exe
File opened for modification \??\M:\Autorun.inf Kazekage.exe
File opened for modification \??\V:\Autorun.inf Kazekage.exe
File opened for modification \??\T:\Autorun.inf system32.exe
File opened for modification \??\Y:\Autorun.inf system32.exe
File opened for modification \??\L:\Autorun.inf 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File created \??\V:\Autorun.inf 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File created \??\B:\Autorun.inf csrss.exe
File opened for modification \??\N:\Autorun.inf 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification \??\N:\Autorun.inf csrss.exe
File created \??\X:\Autorun.inf csrss.exe
File created \??\Y:\Autorun.inf csrss.exe
File opened for modification \??\M:\Autorun.inf smss.exe
File created \??\W:\Autorun.inf smss.exe
File opened for modification \??\E:\Autorun.inf system32.exe
File created \??\J:\Autorun.inf system32.exe
File opened for modification \??\L:\Autorun.inf system32.exe
File opened for modification D:\Autorun.inf 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification \??\J:\Autorun.inf 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File created \??\R:\Autorun.inf 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification \??\B:\Autorun.inf Gaara.exe
File opened for modification \??\Y:\Autorun.inf csrss.exe
File opened for modification \??\W:\Autorun.inf Kazekage.exe
File created \??\S:\Autorun.inf 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification C:\Autorun.inf csrss.exe
File created \??\T:\Autorun.inf csrss.exe
File created \??\Q:\Autorun.inf Kazekage.exe
File created \??\P:\Autorun.inf 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification \??\J:\Autorun.inf smss.exe
File opened for modification \??\U:\Autorun.inf Kazekage.exe
Drops file in System32 directory 39 IoCs
description ioc Process
File created C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe
File opened for modification C:\Windows\SysWOW64\Desktop.ini smss.exe
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx csrss.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll system32.exe
File opened for modification C:\Windows\SysWOW64\9-4-2024.exe Kazekage.exe
File created C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe
File created C:\Windows\SysWOW64\msvbvm60.dll system32.exe
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification C:\Windows\SysWOW64\ 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Gaara.exe
File opened for modification C:\Windows\SysWOW64\ Gaara.exe
File opened for modification C:\Windows\SysWOW64\9-4-2024.exe system32.exe
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx system32.exe
File created C:\Windows\SysWOW64\9-4-2024.exe 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification C:\Windows\SysWOW64\Desktop.ini 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification C:\Windows\SysWOW64\ smss.exe
File opened for modification C:\Windows\SysWOW64\Desktop.ini Gaara.exe
File opened for modification C:\Windows\SysWOW64\ csrss.exe
File opened for modification C:\Windows\SysWOW64\Desktop.ini system32.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe
File created C:\Windows\SysWOW64\msvbvm60.dll smss.exe
File opened for modification C:\Windows\SysWOW64\9-4-2024.exe csrss.exe
File created C:\Windows\SysWOW64\msvbvm60.dll csrss.exe
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx smss.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Kazekage.exe
File opened for modification C:\Windows\SysWOW64\ Kazekage.exe
File opened for modification C:\Windows\SysWOW64\9-4-2024.exe 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification C:\Windows\SysWOW64\9-4-2024.exe smss.exe
File opened for modification C:\Windows\SysWOW64\Desktop.ini csrss.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll csrss.exe
File opened for modification C:\Windows\SysWOW64\9-4-2024.exe Gaara.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll smss.exe
File created C:\Windows\SysWOW64\msvbvm60.dll 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File created C:\Windows\SysWOW64\Desktop.ini 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File created C:\Windows\SysWOW64\mscomctl.ocx 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification C:\Windows\SysWOW64\Desktop.ini Kazekage.exe
File opened for modification C:\Windows\SysWOW64\ system32.exe
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe
Drops file in Windows directory 64 IoCs
description ioc Process
File opened for modification C:\Windows\system\msvbvm60.dll 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification C:\Windows\system\msvbvm60.dll Gaara.exe
File created C:\Windows\Fonts\Admin 9 - 4 - 2024\Gaara.exe csrss.exe
File opened for modification C:\Windows\Fonts\Admin 9 - 4 - 2024\smss.exe Kazekage.exe
File created C:\Windows\Fonts\Admin 9 - 4 - 2024\msvbvm60.dll Kazekage.exe
File opened for modification C:\Windows\Fonts\Admin 9 - 4 - 2024\Gaara.exe Kazekage.exe
File created C:\Windows\Fonts\Admin 9 - 4 - 2024\csrss.exe smss.exe
File created C:\Windows\Fonts\Admin 9 - 4 - 2024\csrss.exe 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File created C:\Windows\system\msvbvm60.dll 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification C:\Windows\system\msvbvm60.dll smss.exe
File opened for modification C:\Windows\Fonts\Admin 9 - 4 - 2024\smss.exe Gaara.exe
File opened for modification C:\Windows\system\mscoree.dll csrss.exe
File opened for modification C:\Windows\msvbvm60.dll csrss.exe
File opened for modification C:\Windows\ system32.exe
File created C:\Windows\Fonts\Admin 9 - 4 - 2024\smss.exe 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification C:\Windows\Fonts\Admin 9 - 4 - 2024\csrss.exe smss.exe
File opened for modification C:\Windows\Fonts\The Kazekage.jpg Kazekage.exe
File opened for modification C:\Windows\mscomctl.ocx csrss.exe
File opened for modification C:\Windows\ Kazekage.exe
File created C:\Windows\WBEM\msvbvm60.dll 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File created C:\Windows\Fonts\Admin 9 - 4 - 2024\msvbvm60.dll Gaara.exe
File opened for modification C:\Windows\system\msvbvm60.dll Kazekage.exe
File created C:\Windows\Fonts\Admin 9 - 4 - 2024\Gaara.exe system32.exe
File created C:\Windows\WBEM\msvbvm60.dll system32.exe
File opened for modification C:\Windows\mscomctl.ocx Kazekage.exe
File created C:\Windows\Fonts\Admin 9 - 4 - 2024\msvbvm60.dll 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File created C:\Windows\msvbvm60.dll 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification C:\Windows\system\mscoree.dll Gaara.exe
File created C:\Windows\Fonts\Admin 9 - 4 - 2024\smss.exe csrss.exe
File opened for modification C:\Windows\msvbvm60.dll system32.exe
File created C:\Windows\Fonts\Admin 9 - 4 - 2024\csrss.exe csrss.exe
File created C:\Windows\Fonts\Admin 9 - 4 - 2024\smss.exe Kazekage.exe
File opened for modification C:\Windows\system\mscoree.dll system32.exe
File created C:\Windows\Fonts\Admin 9 - 4 - 2024\Gaara.exe smss.exe
File opened for modification C:\Windows\ Gaara.exe
File opened for modification C:\Windows\Fonts\The Kazekage.jpg 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification C:\Windows\msvbvm60.dll Kazekage.exe
File opened for modification C:\Windows\Fonts\Admin 9 - 4 - 2024\csrss.exe system32.exe
File created C:\Windows\mscomctl.ocx 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification C:\Windows\mscomctl.ocx Gaara.exe
File opened for modification C:\Windows\ csrss.exe
File opened for modification C:\Windows\mscomctl.ocx system32.exe
File opened for modification C:\Windows\Fonts\Admin 9 - 4 - 2024\msvbvm60.dll 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File created C:\Windows\Fonts\Admin 9 - 4 - 2024\smss.exe smss.exe
File opened for modification C:\Windows\msvbvm60.dll Gaara.exe
File created C:\Windows\WBEM\msvbvm60.dll csrss.exe
File created C:\Windows\Fonts\Admin 9 - 4 - 2024\msvbvm60.dll system32.exe
File opened for modification C:\Windows\mscomctl.ocx 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification C:\Windows\system\msvbvm60.dll csrss.exe
File opened for modification C:\Windows\Fonts\Admin 9 - 4 - 2024\smss.exe 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File created C:\Windows\Fonts\Admin 9 - 4 - 2024\Gaara.exe 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File created C:\Windows\Fonts\Admin 9 - 4 - 2024\smss.exe Gaara.exe
File opened for modification C:\Windows\system\mscoree.dll Kazekage.exe
File created C:\Windows\Fonts\Admin 9 - 4 - 2024\smss.exe system32.exe
File opened for modification C:\Windows\system\msvbvm60.dll system32.exe
File opened for modification C:\Windows\system\mscoree.dll smss.exe
File created C:\Windows\WBEM\msvbvm60.dll smss.exe
File opened for modification C:\Windows\Fonts\The Kazekage.jpg Gaara.exe
File created C:\Windows\Fonts\Admin 9 - 4 - 2024\csrss.exe system32.exe
File created C:\Windows\WBEM\msvbvm60.dll Kazekage.exe
File created C:\Windows\Fonts\The Kazekage.jpg 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File created C:\Windows\Fonts\Admin 9 - 4 - 2024\msvbvm60.dll smss.exe
File opened for modification C:\Windows\msvbvm60.dll smss.exe
File created C:\Windows\Fonts\Admin 9 - 4 - 2024\Gaara.exe Gaara.exe
Modifies Control Panel 64 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Screen Saver.Marquee\Size = "72" smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Screen Saver.Marquee csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" Gaara.exe
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop smss.exe
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\WallpaperStyle = "2" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\WallpaperStyle = "2" system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" Kazekage.exe
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Screen Saver.Marquee smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Screen Saver.Marquee\Speed = "4" system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\WallpaperStyle = "2" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\WallpaperStyle = "2" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Screen Saver.Marquee\Speed = "4" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Screen Saver.Marquee\Size = "72" system32.exe
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop csrss.exe
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Screen Saver.Marquee Kazekage.exe
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Screen Saver.Marquee 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" smss.exe
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\WallpaperStyle = "2" smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Screen Saver.Marquee\Speed = "4" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Screen Saver.Marquee\Speed = "4" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Screen Saver.Marquee\Size = "72" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Gaara.exe
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\Main csrss.exe
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\Main system32.exe
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\Main Gaara.exe
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\Main 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\Main smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" system32.exe
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\Main Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Kazekage.exe
-
Modifies registry class 51 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command csrss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Kazekage.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" system32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Gaara.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Kazekage.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Gaara.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Gaara.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" csrss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Kazekage.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Kazekage.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command system32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command system32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Gaara.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" csrss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Kazekage.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command system32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" system32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command smss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command system32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Gaara.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install csrss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Kazekage.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" smss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" system32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" system32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Gaara.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Gaara.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Kazekage.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Kazekage.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Gaara.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command csrss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" smss.exe
-
Runs ping.exe 1 TTPs 36 IoCs
pid Process
3952 ping.exe
4384 ping.exe
2392 ping.exe
4064 ping.exe
1496 ping.exe
1804 ping.exe
4052 ping.exe
1080 ping.exe
4124 ping.exe
3340 ping.exe
3628 ping.exe
4044 ping.exe
2300 ping.exe
4808 ping.exe
2060 ping.exe
404 ping.exe
2984 ping.exe
980 ping.exe
3568 ping.exe
5040 ping.exe
2892 ping.exe
5060 ping.exe
4940 ping.exe
4644 ping.exe
1668 ping.exe
3768 ping.exe
4680 ping.exe
3312 ping.exe
5092 ping.exe
3520 ping.exe
2144 ping.exe
1668 ping.exe
4920 ping.exe
3308 ping.exe
4604 ping.exe
2640 ping.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
932 csrss.exe
932 csrss.exe
932 csrss.exe
932 csrss.exe
932 csrss.exe
932 csrss.exe
932 csrss.exe
932 csrss.exe
932 csrss.exe
932 csrss.exe
932 csrss.exe
932 csrss.exe
932 csrss.exe
932 csrss.exe
932 csrss.exe
932 csrss.exe
932 csrss.exe
932 csrss.exe
932 csrss.exe
932 csrss.exe
932 csrss.exe
932 csrss.exe
932 csrss.exe
932 csrss.exe
2932 Kazekage.exe
2932 Kazekage.exe
2932 Kazekage.exe
2932 Kazekage.exe
2932 Kazekage.exe
2932 Kazekage.exe
2932 Kazekage.exe
2932 Kazekage.exe
2932 Kazekage.exe
2932 Kazekage.exe
2932 Kazekage.exe
2932 Kazekage.exe
2932 Kazekage.exe
2932 Kazekage.exe
2932 Kazekage.exe
2932 Kazekage.exe
2932 Kazekage.exe
2932 Kazekage.exe
2932 Kazekage.exe
2932 Kazekage.exe
2932 Kazekage.exe
2932 Kazekage.exe
2932 Kazekage.exe
2932 Kazekage.exe
4556 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
4556 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
4556 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
4556 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
4556 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
4556 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
4556 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
4556 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
4556 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
4556 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
4556 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
4556 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
4556 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
4556 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
4556 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
4556 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
-
Suspicious use of SetWindowsHookEx 31 IoCs
pid Process
4556 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
1416 smss.exe
4280 smss.exe
5108 Gaara.exe
872 smss.exe
4996 Gaara.exe
932 csrss.exe
2044 smss.exe
1108 Gaara.exe
388 csrss.exe
2932 Kazekage.exe
4916 smss.exe
4648 Gaara.exe
1384 csrss.exe
3644 Kazekage.exe
2600 system32.exe
1888 smss.exe
4576 Gaara.exe
4076 csrss.exe
4432 Kazekage.exe
4752 system32.exe
3284 system32.exe
3028 Kazekage.exe
4000 system32.exe
1260 csrss.exe
3548 Kazekage.exe
4084 system32.exe
3872 Gaara.exe
2580 csrss.exe
3500 Kazekage.exe
3856 system32.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 4556 wrote to memory of 1416 4556 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe 85
PID 4556 wrote to memory of 1416 4556 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe 85
PID 4556 wrote to memory of 1416 4556 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe 85
PID 1416 wrote to memory of 4280 1416 smss.exe 87
PID 1416 wrote to memory of 4280 1416 smss.exe 87
PID 1416 wrote to memory of 4280 1416 smss.exe 87
PID 1416 wrote to memory of 5108 1416 smss.exe 89
PID 1416 wrote to memory of 5108 1416 smss.exe 89
PID 1416 wrote to memory of 5108 1416 smss.exe 89
PID 5108 wrote to memory of 872 5108 Gaara.exe 91
PID 5108 wrote to memory of 872 5108 Gaara.exe 91
PID 5108 wrote to memory of 872 5108 Gaara.exe 91
PID 5108 wrote to memory of 4996 5108 Gaara.exe 92
PID 5108 wrote to memory of 4996 5108 Gaara.exe 92
PID 5108 wrote to memory of 4996 5108 Gaara.exe 92
PID 5108 wrote to memory of 932 5108 Gaara.exe 93
PID 5108 wrote to memory of 932 5108 Gaara.exe 93
PID 5108 wrote to memory of 932 5108 Gaara.exe 93
PID 932 wrote to memory of 2044 932 csrss.exe 94
PID 932 wrote to memory of 2044 932 csrss.exe 94
PID 932 wrote to memory of 2044 932 csrss.exe 94
PID 932 wrote to memory of 1108 932 csrss.exe 95
PID 932 wrote to memory of 1108 932 csrss.exe 95
PID 932 wrote to memory of 1108 932 csrss.exe 95
PID 932 wrote to memory of 388 932 csrss.exe 96
PID 932 wrote to memory of 388 932 csrss.exe 96
PID 932 wrote to memory of 388 932 csrss.exe 96
PID 932 wrote to memory of 2932 932 csrss.exe 99
PID 932 wrote to memory of 2932 932 csrss.exe 99
PID 932 wrote to memory of 2932 932 csrss.exe 99
PID 2932 wrote to memory of 4916 2932 Kazekage.exe 100
PID 2932 wrote to memory of 4916 2932 Kazekage.exe 100
PID 2932 wrote to memory of 4916 2932 Kazekage.exe 100
PID 2932 wrote to memory of 4648 2932 Kazekage.exe 101
PID 2932 wrote to memory of 4648 2932 Kazekage.exe 101
PID 2932 wrote to memory of 4648 2932 Kazekage.exe 101
PID 2932 wrote to memory of 1384 2932 Kazekage.exe 102
PID 2932 wrote to memory of 1384 2932 Kazekage.exe 102
PID 2932 wrote to memory of 1384 2932 Kazekage.exe 102
PID 2932 wrote to memory of 3644 2932 Kazekage.exe 103
PID 2932 wrote to memory of 3644 2932 Kazekage.exe 103
PID 2932 wrote to memory of 3644 2932 Kazekage.exe 103
PID 2932 wrote to memory of 2600 2932 Kazekage.exe 105
PID 2932 wrote to memory of 2600 2932 Kazekage.exe 105
PID 2932 wrote to memory of 2600 2932 Kazekage.exe 105
PID 2600 wrote to memory of 1888 2600 system32.exe 107
PID 2600 wrote to memory of 1888 2600 system32.exe 107
PID 2600 wrote to memory of 1888 2600 system32.exe 107
PID 2600 wrote to memory of 4576 2600 system32.exe 108
PID 2600 wrote to memory of 4576 2600 system32.exe 108
PID 2600 wrote to memory of 4576 2600 system32.exe 108
PID 2600 wrote to memory of 4076 2600 system32.exe 109
PID 2600 wrote to memory of 4076 2600 system32.exe 109
PID 2600 wrote to memory of 4076 2600 system32.exe 109
PID 2600 wrote to memory of 4432 2600 system32.exe 110
PID 2600 wrote to memory of 4432 2600 system32.exe 110
PID 2600 wrote to memory of 4432 2600 system32.exe 110
PID 2600 wrote to memory of 4752 2600 system32.exe 111
PID 2600 wrote to memory of 4752 2600 system32.exe 111
PID 2600 wrote to memory of 4752 2600 system32.exe 111
PID 932 wrote to memory of 3284 932 csrss.exe 112
PID 932 wrote to memory of 3284 932 csrss.exe 112
PID 932 wrote to memory of 3284 932 csrss.exe 112
PID 5108 wrote to memory of 3028 5108 Gaara.exe 113
-
System policy modification 1 TTPs 12 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Kazekage.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System system32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Gaara.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe
Processes
C:\Users\Admin\AppData\Local\Temp\997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe "C:\Users\Admin\AppData\Local\Temp\997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe" 1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4556
  C:\Windows\Fonts\Admin 9 - 4 - 2024\smss.exe "C:\Windows\Fonts\Admin 9 - 4 - 2024\smss.exe" 2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - UAC bypass
  - Disables RegEdit via registry modification
  - Drops file in Drivers directory
  - Sets file execution options in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1416
    C:\Windows\Fonts\Admin 9 - 4 - 2024\smss.exe "C:\Windows\Fonts\Admin 9 - 4 - 2024\smss.exe" 3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4280
    C:\Windows\Fonts\Admin 9 - 4 - 2024\Gaara.exe "C:\Windows\Fonts\Admin 9 - 4 - 2024\Gaara.exe" 3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - UAC bypass
    - Disables RegEdit via registry modification
    - Drops file in Drivers directory
    - Sets file execution options in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Sets desktop wallpaper using registry
    - Drops file in Windows directory
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:5108
      C:\Windows\Fonts\Admin 9 - 4 - 2024\smss.exe "C:\Windows\Fonts\Admin 9 - 4 - 2024\smss.exe" 4⤵
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
      PID:872
      C:\Windows\Fonts\Admin 9 - 4 - 2024\Gaara.exe "C:\Windows\Fonts\Admin 9 - 4 - 2024\Gaara.exe" 4⤵
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
      PID:4996
      C:\Windows\Fonts\Admin 9 - 4 - 2024\csrss.exe "C:\Windows\Fonts\Admin 9 - 4 - 2024\csrss.exe" 4⤵
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - UAC bypass
      - Disables RegEdit via registry modification
      - Drops file in Drivers directory
      - Sets file execution options in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops desktop.ini file(s)
      - Enumerates connected drives
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Sets desktop wallpaper using registry
      - Drops file in Windows directory
      - Modifies Control Panel
      - Modifies Internet Explorer settings
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
      PID:932
        C:\Windows\Fonts\Admin 9 - 4 - 2024\smss.exe "C:\Windows\Fonts\Admin 9 - 4 - 2024\smss.exe" 5⤵
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
        PID:2044
        C:\Windows\Fonts\Admin 9 - 4 - 2024\Gaara.exe "C:\Windows\Fonts\Admin 9 - 4 - 2024\Gaara.exe" 5⤵
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
        PID:1108
        C:\Windows\Fonts\Admin 9 - 4 - 2024\csrss.exe "C:\Windows\Fonts\Admin 9 - 4 - 2024\csrss.exe" 5⤵
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
        PID:388
        C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\system32\drivers\Kazekage.exe 5⤵
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - UAC bypass
        - Disables RegEdit via registry modification
        - Drops file in Drivers directory
        - Sets file execution options in registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops desktop.ini file(s)
        - Enumerates connected drives
        - Drops autorun.inf file
        - Drops file in System32 directory
        - Sets desktop wallpaper using registry
        - Drops file in Windows directory
        - Modifies Control Panel
        - Modifies Internet Explorer settings
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID:2932
          C:\Windows\Fonts\Admin 9 - 4 - 2024\smss.exe "C:\Windows\Fonts\Admin 9 - 4 - 2024\smss.exe" 6⤵
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetWindowsHookEx
          PID:4916
          C:\Windows\Fonts\Admin 9 - 4 - 2024\Gaara.exe "C:\Windows\Fonts\Admin 9 - 4 - 2024\Gaara.exe" 6⤵
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetWindowsHookEx
          PID:4648
          C:\Windows\Fonts\Admin 9 - 4 - 2024\csrss.exe "C:\Windows\Fonts\Admin 9 - 4 - 2024\csrss.exe" 6⤵
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetWindowsHookEx
          PID:1384
          C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\system32\drivers\Kazekage.exe 6⤵
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
          PID:3644
          C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\system32\drivers\system32.exe 6⤵
          - Modifies WinLogon for persistence
          - Modifies visibility of file extensions in Explorer
          - Modifies visibility of hidden/system files in Explorer
          - UAC bypass
          - Disables RegEdit via registry modification
          - Drops file in Drivers directory
          - Sets file execution options in registry
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops desktop.ini file(s)
          - Enumerates connected drives
          - Drops autorun.inf file
          - Drops file in System32 directory
          - Sets desktop wallpaper using registry
          - Drops file in Windows directory
          - Modifies Control Panel
          - Modifies Internet Explorer settings
          - Modifies registry class
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          - System policy modification
          PID:2600
            C:\Windows\Fonts\Admin 9 - 4 - 2024\smss.exe "C:\Windows\Fonts\Admin 9 - 4 - 2024\smss.exe" 7⤵
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetWindowsHookEx
            PID:1888
            C:\Windows\Fonts\Admin 9 - 4 - 2024\Gaara.exe "C:\Windows\Fonts\Admin 9 - 4 - 2024\Gaara.exe" 7⤵
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetWindowsHookEx
            PID:4576
            C:\Windows\Fonts\Admin 9 - 4 - 2024\csrss.exe "C:\Windows\Fonts\Admin 9 - 4 - 2024\csrss.exe" 7⤵
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetWindowsHookEx
            PID:4076
            C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\system32\drivers\Kazekage.exe 7⤵
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID:4432
            C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\system32\drivers\system32.exe 7⤵
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID:4752
            C:\Windows\SysWOW64\ping.exe ping -a -l www.rasasayang.com.my 65500 7⤵
            - Runs ping.exe
            PID:1496
            C:\Windows\SysWOW64\ping.exe ping -a -l www.duniasex.com 65500 7⤵
            - Runs ping.exe
            PID:2060
            C:\Windows\SysWOW64\ping.exe ping -a -l www.rasasayang.com.my 65500 7⤵
            - Runs ping.exe
            PID:4052
            C:\Windows\SysWOW64\ping.exe ping -a -l www.duniasex.com 65500 7⤵
            - Runs ping.exe
            PID:3308
            C:\Windows\SysWOW64\ping.exe ping -a -l www.rasasayang.com.my 65500 7⤵
            - Runs ping.exe
            PID:4808
            C:\Windows\SysWOW64\ping.exe ping -a -l www.duniasex.com 65500 7⤵
            - Runs ping.exe
            PID:2640
          C:\Windows\SysWOW64\ping.exe ping -a -l www.rasasayang.com.my 65500 6⤵
          - Runs ping.exe
          PID:4384
          C:\Windows\SysWOW64\ping.exe ping -a -l www.duniasex.com 65500 6⤵
          - Runs ping.exe
          PID:3768
          C:\Windows\SysWOW64\ping.exe ping -a -l www.rasasayang.com.my 65500 6⤵
          - Runs ping.exe
          PID:4940
          C:\Windows\SysWOW64\ping.exe ping -a -l www.duniasex.com 65500 6⤵
          - Runs ping.exe
          PID:5060
          C:\Windows\SysWOW64\ping.exe ping -a -l www.rasasayang.com.my 65500 6⤵
          - Runs ping.exe
          PID:2300
          C:\Windows\SysWOW64\ping.exe ping -a -l www.duniasex.com 65500 6⤵
          - Runs ping.exe
          PID:1080
        C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\system32\drivers\system32.exe 5⤵
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        PID:3284
        C:\Windows\SysWOW64\ping.exe ping -a -l www.rasasayang.com.my 65500 5⤵
        - Runs ping.exe
        PID:2144
        C:\Windows\SysWOW64\ping.exe ping -a -l www.duniasex.com 65500 5⤵
        - Runs ping.exe
        PID:1668
        C:\Windows\SysWOW64\ping.exe ping -a -l www.rasasayang.com.my 65500 5⤵
        - Runs ping.exe
        PID:2984
        C:\Windows\SysWOW64\ping.exe ping -a -l www.duniasex.com 65500 5⤵
        - Runs ping.exe
        PID:2892
        C:\Windows\SysWOW64\ping.exe ping -a -l www.rasasayang.com.my 65500 5⤵
        - Runs ping.exe
        PID:4064
        C:\Windows\SysWOW64\ping.exe ping -a -l www.duniasex.com 65500 5⤵
        - Runs ping.exe
        PID:4044
      C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\system32\drivers\Kazekage.exe 4⤵
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      PID:3028
      C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\system32\drivers\system32.exe 4⤵
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      PID:4000
      C:\Windows\SysWOW64\ping.exe ping -a -l www.rasasayang.com.my 65500 4⤵
      - Runs ping.exe
      PID:5092
      C:\Windows\SysWOW64\ping.exe ping -a -l www.duniasex.com 65500 4⤵
      - Runs ping.exe
      PID:3520
      C:\Windows\SysWOW64\ping.exe ping -a -l www.rasasayang.com.my 65500 4⤵
      - Runs ping.exe
      PID:3340
      C:\Windows\SysWOW64\ping.exe ping -a -l www.duniasex.com 65500 4⤵
      - Runs ping.exe
      PID:1804
      C:\Windows\SysWOW64\ping.exe ping -a -l www.rasasayang.com.my 65500 4⤵
      - Runs ping.exe
      PID:4604
      C:\Windows\SysWOW64\ping.exe ping -a -l www.duniasex.com 65500 4⤵
      - Runs ping.exe
      PID:4680
    C:\Windows\Fonts\Admin 9 - 4 - 2024\csrss.exe "C:\Windows\Fonts\Admin 9 - 4 - 2024\csrss.exe" 3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1260
    C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\system32\drivers\Kazekage.exe 3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3548
    C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\system32\drivers\system32.exe 3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4084
    C:\Windows\SysWOW64\ping.exe ping -a -l www.rasasayang.com.my 65500 3⤵
    - Runs ping.exe
    PID:4124
    C:\Windows\SysWOW64\ping.exe ping -a -l www.duniasex.com 65500 3⤵
    - Runs ping.exe
    PID:3568
    C:\Windows\SysWOW64\ping.exe ping -a -l www.rasasayang.com.my 65500 3⤵
    - Runs ping.exe
    PID:2392
    C:\Windows\SysWOW64\ping.exe ping -a -l www.duniasex.com 65500 3⤵
    - Runs ping.exe
    PID:5040
    C:\Windows\SysWOW64\ping.exe ping -a -l www.rasasayang.com.my 65500 3⤵
    - Runs ping.exe
    PID:3952
    C:\Windows\SysWOW64\ping.exe ping -a -l www.duniasex.com 65500 3⤵
    - Runs ping.exe
    PID:1668
  C:\Windows\Fonts\Admin 9 - 4 - 2024\Gaara.exe "C:\Windows\Fonts\Admin 9 - 4 - 2024\Gaara.exe" 2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:3872
  C:\Windows\Fonts\Admin 9 - 4 - 2024\csrss.exe "C:\Windows\Fonts\Admin 9 - 4 - 2024\csrss.exe" 2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2580
  C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\system32\drivers\Kazekage.exe 2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3500
  C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\system32\drivers\system32.exe 2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3856
  C:\Windows\SysWOW64\ping.exe ping -a -l www.rasasayang.com.my 65500 2⤵
  - Runs ping.exe
  PID:3312
  C:\Windows\SysWOW64\ping.exe ping -a -l www.duniasex.com 65500 2⤵
  - Runs ping.exe
  PID:980
  C:\Windows\SysWOW64\ping.exe ping -a -l www.rasasayang.com.my 65500 2⤵
  - Runs ping.exe
  PID:4920
  C:\Windows\SysWOW64\ping.exe ping -a -l www.duniasex.com 65500 2⤵
  - Runs ping.exe
  PID:404
  C:\Windows\SysWOW64\ping.exe ping -a -l www.rasasayang.com.my 65500 2⤵
  - Runs ping.exe
  PID:4644
  C:\Windows\SysWOW64\ping.exe ping -a -l www.duniasex.com 65500 2⤵
  - Runs ping.exe
  PID:3628
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 3
Registry Run Keys / Startup Folder 2
Winlogon Helper DLL 1
Privilege Escalation
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Boot or Logon Autostart Execution 3
Registry Run Keys / Startup Folder 2
Winlogon Helper DLL 1
Defense Evasion
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Hide Artifacts 2
Hidden Files and Directories 2
Impair Defenses 1
Disable or Modify Tools 1
Modify Registry 9
Downloads
-
Filesize
736B
MD5bb5d6abdf8d0948ac6895ce7fdfbc151
SHA19266b7a247a4685892197194d2b9b86c8f6dddbd
SHA2565db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c
-
Filesize
3.0MB
MD5769e400a8f385a6437ad42716db7215e
SHA1e69ddc19f31038be20a5ab56c940419bf6be88b9
SHA256edd975debade1288c5a5cd88db62cef5de9699fb0fc59e86a39415e55e0c18d6
SHA512943a59154a72293f132d09846aca3f643bdcaf0bb9c041761895a0325dd943bcb38428e2408bcf633c4040cadc12e4407490c6cbedb53d1db26eebfa77e91b4d
-
Filesize
3.0MB
MD51138af762ea974c40591ecf18fc08510
SHA1748bf62069ad5e51063ce98fe1cc5b119de18bff
SHA256997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4
SHA5123559ef4ea08feb7a6a7255a6bffa9f8405ae0fb28e6ee6fc302c5f6eae1823b7d55ede073c4a8fe7149fbd587d63a655cc7fce422c4c8fe5555b07b49980e640
-
Filesize
3.0MB
MD5abefe4a8becb56d6d4b6626f90937607
SHA1b262cd031cd248155ffa713c51c6c96d35ae5a0c
SHA256b15ada48d47bd0f9c70ecce4ea6c72893ef57b42231eb0fc8c4a43d012902dc2
SHA512bad2ad7320deac0cddf52d5ec5ff6efda850e01a53c21250dbba5ff19a8dadd7a4f063ccc1dc6ccc309aa84dc69763adab93970adaf7456eff62e335101cc09e
-
Filesize
3.0MB
MD5ce6f3e1acfa6053cd6f11617617a61b7
SHA1a91a4f51fe959c602e2f67faf85f0765da2bbc55
SHA25666d8543566d346014b9a7be0f013e4ac939e43260dde86fb1d305c8e6cc872b2
SHA512323cce667bb4448b7ab7f61cd05a0e4140df00904b5103c5fa4e1ee0a2c63a838cfaffa2afa27af757fabcbf968c7ed2212f1fd66310afa69a54ed34ee6e9783
-
Filesize
3.0MB
MD5dca266abcf0a0c81e054aef34af894a8
SHA1aff112446171a3ca8e76ae267b2dc324e0c8fdf5
SHA256eb00268ecfe41daa5b4a178493e85f038eccbde8320b1601cdb1c06bce64fc67
SHA5126cdacdbb7e58839fa84774240706b481eefe6e4226edba502a23a6edc9980e7231006aa443245a88d304144ce907fd37fbcb41f77e5a58a605050abc49a05622
-
Filesize
1.4MB
MD5d6b05020d4a0ec2a3a8b687099e335df
SHA1df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA2569824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA51278fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff
-
Filesize
2.1MB
MD5
6b8461ba9c1caca19aa4cc0fca08272a
SHA1
631d44c3c6a249e9cef81c7e5de6bd0b97ab7616
SHA256
41e5dbf35cb439b490180f7a23667bc1b336de77156072b751c9230878886357
SHA512
e9bb394f2998b928ab34c77a7d69c6215aec41193c5de12661531908c7c94b101c1159e4716ad28ca3f75b1396082503d4d8436462d10e6b0d8295ad6eb23e53
-
Filesize
3.0MB
MD5
d2906feb9c57b60a6ca83b0afe54d77d
SHA1
7219f72e00d046bbe3a2feb8fe970dc57cdc83cd
SHA256
6a50207ad6d891367cb498b6a8b5dd6d8071cf8b0e889cb383d4de79da1ce4ef
SHA512
35e568e5289e49f1efbf59ba01d531053491f7ba07ed3c830a14354a238fe1d9984aaa164f5f216ee209c7a0d1573291f9575880176e8d12b9da0f09a5cadccc
-
Filesize
3.0MB
MD5
a90d192056f50b1d0c63d8e5ea88e54a
SHA1
a6e2057771f804ac3b2a84130733798448dee691
SHA256
4a750a056753cdb8b055932c8388c623b70a34bd3829d1c453e203250b87db9d
SHA512
da1b4b885b63fb6648a5cb220de4ba29aa66a11913df0a72dc3b3d751c42ab87dddbb34f33942dc36a78851cc15a7cdaba84c0a717ccfafc2352df40aa6bda04
-
Filesize
3.0MB
MD5
475f718e5c8211ba44de30fc38df6653
SHA1
74a57e3596b7593cb832b0601291cd28329f2b24
SHA256
caa308478e69d5852a3bb1b91740cd6587391f79536a91142e3c2faa2e5ebc13
SHA512
78edc42c7b08b30cad0eda355723fc22fd1d841fa89e90669d32bf8b686b6972f9d4e1f3be0bf9c620c6766e6d487043c80e7ddc8c45bff372c3a133f74b7102
-
Filesize
65B
MD5
64acfa7e03b01f48294cf30d201a0026
SHA1
10facd995b38a095f30b4a800fa454c0bcbf8438
SHA256
ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA512
65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a
-
Filesize
3.0MB
MD5
265c4f31d18eb6d848e90e8e673a4ad6
SHA1
132a66bf99fd36baa72bce4d78fb7ee13f284a98
SHA256
d62043c8c7be2bc2cdc5c93c8000b26ec1877eb19412ae1b9f00822eff24a140
SHA512
05dcc65e5b11a3ee99fbf3a8843c04ae6227a1a9df80622fe71a004048d76c23b23620fe24aa6ea71b4ba020fa6579a01f404a80b842b7d55ad051b2c27e51af
-
Filesize
3.0MB
MD5
034f24c764b469a387ba577aa39696b5
SHA1
6eae5009fdabf749195f24f38753c7237cf31c77
SHA256
ded0278165ef1cbddbac82a3046f78986c61d9a3b643f5f14f5ee56b56a18d21
SHA512
0f54a05a3391fca0c1b245839e0b4bd418964d306c3cc452514ee08a0792577a7cbfa856d5f7916627ef08ec5e235b9636fd8fbe60f4b799ad955b8eb07f96e1
-
Filesize
3.0MB
MD5
f66acd5ded5f981f6032684b6d9c45c2
SHA1
565747dcd18d5b9b01dbe5834ee8ded455317a05
SHA256
4b2f107ee7a6135438f04fe8048be73d39bfed3fd964bc0f7b42d4d8052a1593
SHA512
b0d0008ea5c3937b9034aa1b41a1bfad76016a4b3b76210f4939d2a199c86cfa479849613b5caf2dad0e60ddbcfeb08bbc0981d2b92ec35a8e9eb0e54dad391c
-
Filesize
3.0MB
MD5
a63ef83f6b8baf9034687a1fce208386
SHA1
d88e5ca4e1f647a3e69f86d1e291c32844f03d2a
SHA256
d7e5ecf6d7a503b6a8f01992994d128412816c414ce0e8f0aa79d1835132070e
SHA512
6b0b32d4496264e322480f5fca49063c6ffd4565bc00b91db6aaf3154039ac2893a1d5401468de987fbfb6e48e46ebc61b0c90d11d5fee2157abb6ccefc6c78a
-
Filesize
3.0MB
MD5
1884013ab478d2c0356b6327fac44717
SHA1
7287fd42690d59c609d9ba6f36667e38b006ede5
SHA256
611002f06014eb55e49898d168e1b04e998db9d978cfaa8b3ebb14a53f259aa4
SHA512
0680d5d8c7218fa0259aaaed87ac383c9c61fc7c5640f39cee29bfd66c26a4b4b57470beac0aa31c4f498b68caf3c2cf87f2123ce4781367deae07020fe2f1bc
-
Filesize
3.0MB
MD5
62fae29109774781135d39eee5a2d887
SHA1
50141775a9683cb7847bc88b1590f6000291653b
SHA256
59016506fe7a30b872a6a3441f9851ddc30103730c541580dbfcf401bc84bd7b
SHA512
f048ccc2b57d7face38780bf2fb96bf8466ac5b26f3a4446c7022fab8c315ffa0fe2147ec5361ec25e82dcb5727304b4c03291a344950fe9940a4f3405f53314
-
Filesize
3.0MB
MD5
692a86819c763a4f9a91a71c061a0c05
SHA1
fad11b2605041701b29c413e97d00a503957e638
SHA256
bfdc249319f4064c166855fae2b4228517890b74c3d32c40f7a83a83d4b8326e
SHA512
13a96fcb5e8c5bddd1ad1bf46ed7d8b954cde74b662e80a8939a59d83370ae07ab3819b5e1534db8c45a837ad48f616f353582e7a86652da34d5dc839f3934e6
-
Filesize
1.4MB
MD5
25f62c02619174b35851b0e0455b3d94
SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a