Analysis
max time kernel: 149s
max time network: 130s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-05-2024 16:13

Behavioral task behavioral1
Sample: 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Resource: win7-20240221-en

Behavioral task behavioral2
Sample: 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Resource: win10v2004-20240508-en

General
Target: 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Size: 236KB
MD5: 84d77513ffcc3a3de1ee70285a5a2210
SHA1: fd0d2ab4d05c67862c3122ccb81541f2d44db19d
SHA256: 1d32beb2738933a0b21de3f776b04452b2a555d3435b998bb9020e395467cef9
SHA512: 5f0b6d7c1df05983b545c78b03a00eda154cdb7489b72959681a25d8b33d3cda35cf0286d4e3a9bec695c65c3bb4e52a51d45c72aaf0ec872cce4562bbf58cdd
SSDEEP: 3072:INx6AHjYzaFXg+w17jsgS/jHagQg19Vw+Hkaxu:INxzYzaFXi17jkw+E
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | system32.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | system32.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | system32.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Disables RegEdit via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | smss.exe

Disables use of System Restore points (1 TTP)
Drops file in Drivers directory (24 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Sets file execution options in registry (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | smss.exe
Executes dropped EXE (30 IoCs)
pid | Process
4208 | smss.exe
1272 | smss.exe
1620 | Gaara.exe
1380 | smss.exe
5180 | Gaara.exe
3604 | csrss.exe
3136 | smss.exe
5372 | Gaara.exe
5068 | csrss.exe
2852 | Kazekage.exe
4592 | smss.exe
1700 | Gaara.exe
660 | csrss.exe
2148 | Kazekage.exe
1304 | system32.exe
1012 | smss.exe
6132 | Gaara.exe
3552 | csrss.exe
4816 | Kazekage.exe
4152 | system32.exe
1084 | system32.exe
5156 | Kazekage.exe
1456 | system32.exe
5960 | csrss.exe
4888 | Kazekage.exe
3080 | system32.exe
1116 | Gaara.exe
1680 | csrss.exe
4708 | Kazekage.exe
3176 | system32.exe
Loads dropped DLL (18 IoCs)
pid | Process
4208 | smss.exe
1272 | smss.exe
1620 | Gaara.exe
1380 | smss.exe
5180 | Gaara.exe
3604 | csrss.exe
3136 | smss.exe
5372 | Gaara.exe
5068 | csrss.exe
4592 | smss.exe
1700 | Gaara.exe
660 | csrss.exe
1012 | smss.exe
6132 | Gaara.exe
3552 | csrss.exe
5960 | csrss.exe
1116 | Gaara.exe
1680 | csrss.exe
UPX packed file (yara rule upx matched memory regions and dropped files in behavioral2)
Adds Run key to start application (2 TTPs, 24 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 9 - 5 - 2024\\smss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 9 - 5 - 2024\\Gaara.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "9-5-2024.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 9 - 5 - 2024\\smss.exe" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 9 - 5 - 2024\\Gaara.exe" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "9-5-2024.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "9-5-2024.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 9 - 5 - 2024\\smss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 9 - 5 - 2024\\Gaara.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "9-5-2024.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "9-5-2024.exe" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 9 - 5 - 2024\\smss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 9 - 5 - 2024\\Gaara.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 9 - 5 - 2024\\Gaara.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 9 - 5 - 2024\\smss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 9 - 5 - 2024\\smss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 9 - 5 - 2024\\Gaara.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "9-5-2024.exe" | smss.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Drops desktop.ini file(s) (64 IoCs)
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\H: | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File opened (read-only) | \??\O: | smss.exe
File opened (read-only) | \??\S: | system32.exe
File opened (read-only) | \??\K: | csrss.exe
File opened (read-only) | \??\W: | csrss.exe
File opened (read-only) | \??\L: | Kazekage.exe
File opened (read-only) | \??\R: | Kazekage.exe
File opened (read-only) | \??\G: | csrss.exe
File opened (read-only) | \??\V: | csrss.exe
File opened (read-only) | \??\O: | Kazekage.exe
File opened (read-only) | \??\G: | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File opened (read-only) | \??\L: | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File opened (read-only) | \??\P: | csrss.exe
File opened (read-only) | \??\T: | Kazekage.exe
File opened (read-only) | \??\U: | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File opened (read-only) | \??\M: | system32.exe
File opened (read-only) | \??\N: | csrss.exe
File opened (read-only) | \??\B: | Kazekage.exe
File opened (read-only) | \??\I: | Kazekage.exe
File opened (read-only) | \??\N: | Kazekage.exe
File opened (read-only) | \??\S: | Kazekage.exe
File opened (read-only) | \??\P: | system32.exe
File opened (read-only) | \??\B: | Gaara.exe
File opened (read-only) | \??\L: | Gaara.exe
File opened (read-only) | \??\A: | csrss.exe
File opened (read-only) | \??\Q: | smss.exe
File opened (read-only) | \??\R: | Gaara.exe
File opened (read-only) | \??\X: | csrss.exe
File opened (read-only) | \??\W: | Kazekage.exe
File opened (read-only) | \??\Z: | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File opened (read-only) | \??\X: | smss.exe
File opened (read-only) | \??\H: | system32.exe
File opened (read-only) | \??\L: | system32.exe
File opened (read-only) | \??\V: | system32.exe
File opened (read-only) | \??\Q: | Kazekage.exe
File opened (read-only) | \??\K: | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File opened (read-only) | \??\A: | smss.exe
File opened (read-only) | \??\I: | system32.exe
File opened (read-only) | \??\I: | Gaara.exe
File opened (read-only) | \??\M: | csrss.exe
File opened (read-only) | \??\R: | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File opened (read-only) | \??\S: | csrss.exe
File opened (read-only) | \??\E: | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File opened (read-only) | \??\I: | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File opened (read-only) | \??\Y: | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File opened (read-only) | \??\V: | Gaara.exe
File opened (read-only) | \??\H: | Kazekage.exe
File opened (read-only) | \??\O: | Gaara.exe
File opened (read-only) | \??\Q: | Gaara.exe
File opened (read-only) | \??\Y: | Gaara.exe
File opened (read-only) | \??\E: | smss.exe
File opened (read-only) | \??\Q: | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File opened (read-only) | \??\B: | smss.exe
File opened (read-only) | \??\Z: | Gaara.exe
File opened (read-only) | \??\U: | Kazekage.exe
File opened (read-only) | \??\A: | Gaara.exe
File opened (read-only) | \??\G: | system32.exe
File opened (read-only) | \??\M: | Kazekage.exe
File opened (read-only) | \??\P: | smss.exe
File opened (read-only) | \??\M: | Gaara.exe
File opened (read-only) | \??\Z: | csrss.exe
File opened (read-only) | \??\P: | Kazekage.exe
File opened (read-only) | \??\B: | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File opened (read-only) | \??\R: | system32.exe
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File created | \??\L:\Autorun.inf | Kazekage.exe
File created | \??\B:\Autorun.inf | system32.exe
File opened for modification | \??\U:\Autorun.inf | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File created | \??\J:\Autorun.inf | smss.exe
File created | \??\A:\Autorun.inf | Gaara.exe
File created | \??\R:\Autorun.inf | Gaara.exe
File opened for modification | \??\I:\Autorun.inf | smss.exe
File created | \??\Q:\Autorun.inf | csrss.exe
File created | \??\U:\Autorun.inf | system32.exe
File created | \??\V:\Autorun.inf | system32.exe
File opened for modification | \??\P:\Autorun.inf | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File opened for modification | \??\Y:\Autorun.inf | smss.exe
File opened for modification | \??\A:\Autorun.inf | Gaara.exe
File created | \??\Q:\Autorun.inf | system32.exe
File opened for modification | \??\Q:\Autorun.inf | csrss.exe
File opened for modification | \??\Q:\Autorun.inf | system32.exe
File opened for modification | \??\X:\Autorun.inf | system32.exe
File opened for modification | D:\Autorun.inf | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File created | \??\Q:\Autorun.inf | smss.exe
File created | \??\G:\Autorun.inf | csrss.exe
File opened for modification | \??\K:\Autorun.inf | csrss.exe
File opened for modification | C:\Autorun.inf | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File opened for modification | \??\K:\Autorun.inf | smss.exe
File created | \??\E:\Autorun.inf | csrss.exe
File opened for modification | \??\T:\Autorun.inf | Kazekage.exe
File opened for modification | \??\H:\Autorun.inf | Gaara.exe
File opened for modification | \??\I:\Autorun.inf | Gaara.exe
File created | \??\V:\Autorun.inf | Gaara.exe
File created | \??\L:\Autorun.inf | csrss.exe
File created | \??\I:\Autorun.inf | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File opened for modification | \??\L:\Autorun.inf | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File created | \??\P:\Autorun.inf | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File opened for modification | \??\Q:\Autorun.inf | smss.exe
File created | \??\X:\Autorun.inf | csrss.exe
File opened for modification | \??\O:\Autorun.inf | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File created | \??\M:\Autorun.inf | csrss.exe
File opened for modification | \??\J:\Autorun.inf | Kazekage.exe
File created | \??\T:\Autorun.inf | system32.exe
File opened for modification | \??\X:\Autorun.inf | smss.exe
File opened for modification | \??\Z:\Autorun.inf | Gaara.exe
File opened for modification | \??\B:\Autorun.inf | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File created | \??\E:\Autorun.inf | smss.exe
File created | \??\A:\Autorun.inf | Kazekage.exe
File created | \??\I:\Autorun.inf | system32.exe
File created | \??\H:\Autorun.inf | system32.exe
File created | \??\S:\Autorun.inf | csrss.exe
File opened for modification | \??\T:\Autorun.inf | csrss.exe
File opened for modification | \??\W:\Autorun.inf | csrss.exe
File opened for modification | \??\Q:\Autorun.inf | Kazekage.exe
File created | \??\O:\Autorun.inf | Kazekage.exe
File opened for modification | F:\Autorun.inf | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File created | \??\N:\Autorun.inf | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File opened for modification | F:\Autorun.inf | Kazekage.exe
File created | \??\M:\Autorun.inf | Kazekage.exe
File created | \??\X:\Autorun.inf | smss.exe
File opened for modification | F:\Autorun.inf | csrss.exe
File created | \??\E:\Autorun.inf | Gaara.exe
File opened for modification | \??\N:\Autorun.inf | csrss.exe
File opened for modification | D:\Autorun.inf | Kazekage.exe
File opened for modification | \??\V:\Autorun.inf | Kazekage.exe
File created | \??\W:\Autorun.inf | system32.exe
File created | C:\Autorun.inf | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File created | \??\Y:\Autorun.inf | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File created | \??\H:\Autorun.inf | smss.exe
Drops file in System32 directory 39 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\msvbvm60.dll | smss.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | smss.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\ | csrss.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\ | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\ | system32.exe
File opened for modification | C:\Windows\SysWOW64\9-5-2024.exe | smss.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | csrss.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\9-5-2024.exe | system32.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | Gaara.exe
File created | C:\Windows\SysWOW64\9-5-2024.exe | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File created | C:\Windows\SysWOW64\mscomctl.ocx | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | system32.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | system32.exe
File opened for modification | C:\Windows\SysWOW64\9-5-2024.exe | csrss.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | system32.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | csrss.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File created | C:\Windows\SysWOW64\Desktop.ini | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | smss.exe
File opened for modification | C:\Windows\SysWOW64\ | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\9-5-2024.exe | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\9-5-2024.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\9-5-2024.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | system32.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | csrss.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\ | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\ | smss.exe
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | system32.exe
Drops file in Windows directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Fonts\Admin 9 - 5 - 2024\smss.exe | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File created | C:\Windows\Fonts\Admin 9 - 5 - 2024\smss.exe | Gaara.exe
File opened for modification | C:\Windows\ | smss.exe
File created | C:\Windows\Fonts\Admin 9 - 5 - 2024\csrss.exe | Gaara.exe
File created | C:\Windows\Fonts\Admin 9 - 5 - 2024\smss.exe | Kazekage.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | Kazekage.exe
File created | C:\Windows\Fonts\Admin 9 - 5 - 2024\Gaara.exe | system32.exe
File created | C:\Windows\Fonts\The Kazekage.jpg | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File created | C:\Windows\msvbvm60.dll | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File opened for modification | C:\Windows\Fonts\Admin 9 - 5 - 2024\smss.exe | Gaara.exe
File opened for modification | C:\Windows\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\system\mscoree.dll | csrss.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | Kazekage.exe
File created | C:\Windows\WBEM\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\Fonts\Admin 9 - 5 - 2024\smss.exe | system32.exe
File opened for modification | C:\Windows\Fonts\Admin 9 - 5 - 2024\msvbvm60.dll | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File opened for modification | C:\Windows\msvbvm60.dll | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File created | C:\Windows\WBEM\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | csrss.exe
File opened for modification | C:\Windows\Fonts\Admin 9 - 5 - 2024\csrss.exe | system32.exe
File created | C:\Windows\Fonts\Admin 9 - 5 - 2024\csrss.exe | smss.exe
File created | C:\Windows\Fonts\Admin 9 - 5 - 2024\msvbvm60.dll | Kazekage.exe
File created | C:\Windows\WBEM\msvbvm60.dll | system32.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | Gaara.exe
File created | C:\Windows\Fonts\Admin 9 - 5 - 2024\smss.exe | csrss.exe
File opened for modification | C:\Windows\Fonts\Admin 9 - 5 - 2024\csrss.exe | csrss.exe
File opened for modification | C:\Windows\Fonts\Admin 9 - 5 - 2024\smss.exe | Kazekage.exe
File created | C:\Windows\Fonts\Admin 9 - 5 - 2024\smss.exe | system32.exe
File opened for modification | C:\Windows\ | Gaara.exe
File opened for modification | C:\Windows\Fonts\Admin 9 - 5 - 2024\Gaara.exe | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File created | C:\Windows\Fonts\Admin 9 - 5 - 2024\csrss.exe | csrss.exe
File created | C:\Windows\WBEM\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\ | csrss.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | smss.exe
File created | C:\Windows\Fonts\Admin 9 - 5 - 2024\Gaara.exe | Kazekage.exe
File opened for modification | C:\Windows\Fonts\Admin 9 - 5 - 2024\Gaara.exe | Kazekage.exe
File opened for modification | C:\Windows\mscomctl.ocx | smss.exe
File opened for modification | C:\Windows\system\mscoree.dll | Gaara.exe
File opened for modification | C:\Windows\ | system32.exe
File created | C:\Windows\Fonts\Admin 9 - 5 - 2024\smss.exe | smss.exe
File opened for modification | C:\Windows\msvbvm60.dll | system32.exe
File opened for modification | C:\Windows\mscomctl.ocx | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File opened for modification | C:\Windows\Fonts\Admin 9 - 5 - 2024\csrss.exe | Gaara.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | Gaara.exe
File created | C:\Windows\Fonts\Admin 9 - 5 - 2024\Gaara.exe | csrss.exe
File opened for modification | C:\Windows\Fonts\Admin 9 - 5 - 2024\Gaara.exe | csrss.exe
File created | C:\Windows\Fonts\Admin 9 - 5 - 2024\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\system\mscoree.dll | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File opened for modification | C:\Windows\Fonts\Admin 9 - 5 - 2024\csrss.exe | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | smss.exe
File opened for modification | C:\Windows\system\mscoree.dll | smss.exe
File created | C:\Windows\Fonts\Admin 9 - 5 - 2024\csrss.exe | Kazekage.exe
File opened for modification | C:\Windows\mscomctl.ocx | system32.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File opened for modification | C:\Windows\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | system32.exe
File opened for modification | C:\Windows\ | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File opened for modification | C:\Windows\mscomctl.ocx | Gaara.exe
File opened for modification | C:\Windows\mscomctl.ocx | csrss.exe
File created | C:\Windows\Fonts\Admin 9 - 5 - 2024\smss.exe | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File opened for modification | C:\Windows\system\mscoree.dll | Kazekage.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | system32.exe
Modifies Control Panel 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\WallpaperStyle = "2" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\WallpaperStyle = "2" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\WallpaperStyle = "2" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\Size = "72" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\WallpaperStyle = "2" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | Gaara.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | Kazekage.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\Size = "72" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\WallpaperStyle = "2" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | Gaara.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\Size = "72" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | system32.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\Size = "72" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | system32.exe
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | Kazekage.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main | smss.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | Gaara.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | system32.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main | Gaara.exe
Modifies registry class 51 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | Gaara.exe
Runs ping.exe 1 TTPs 36 IoCs
pid | Process
1336 | ping.exe
820 | ping.exe
4324 | ping.exe
3612 | ping.exe
5288 | ping.exe
5180 | ping.exe
5424 | ping.exe
5100 | ping.exe
5268 | ping.exe
4640 | ping.exe
4076 | ping.exe
2352 | ping.exe
1120 | ping.exe
5796 | ping.exe
5792 | ping.exe
4596 | ping.exe
5208 | ping.exe
1228 | ping.exe
5112 | ping.exe
4468 | ping.exe
3592 | ping.exe
6056 | ping.exe
1376 | ping.exe
5092 | ping.exe
3936 | ping.exe
684 | ping.exe
1596 | ping.exe
3212 | ping.exe
3660 | ping.exe
4572 | ping.exe
2144 | ping.exe
1324 | ping.exe
2868 | ping.exe
3928 | ping.exe
4316 | ping.exe
5296 | ping.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | Entries
3604 | csrss.exe | 24
2852 | Kazekage.exe | 24
6116 | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe | 16
Suspicious use of SetWindowsHookEx 31 IoCs
pid | Process
6116 | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
4208 | smss.exe
1272 | smss.exe
1620 | Gaara.exe
1380 | smss.exe
5180 | Gaara.exe
3604 | csrss.exe
3136 | smss.exe
5372 | Gaara.exe
5068 | csrss.exe
2852 | Kazekage.exe
4592 | smss.exe
1700 | Gaara.exe
660 | csrss.exe
2148 | Kazekage.exe
1304 | system32.exe
1012 | smss.exe
6132 | Gaara.exe
3552 | csrss.exe
4816 | Kazekage.exe
4152 | system32.exe
1084 | system32.exe
5156 | Kazekage.exe
1456 | system32.exe
5960 | csrss.exe
4888 | Kazekage.exe
3080 | system32.exe
1116 | Gaara.exe
1680 | csrss.exe
4708 | Kazekage.exe
3176 | system32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | Entries
PID 6116 wrote to memory of 4208 | 6116 | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe | 83 | 3
PID 4208 wrote to memory of 1272 | 4208 | smss.exe | 85 | 3
PID 4208 wrote to memory of 1620 | 4208 | smss.exe | 86 | 3
PID 1620 wrote to memory of 1380 | 1620 | Gaara.exe | 87 | 3
PID 1620 wrote to memory of 5180 | 1620 | Gaara.exe | 88 | 3
PID 1620 wrote to memory of 3604 | 1620 | Gaara.exe | 89 | 3
PID 3604 wrote to memory of 3136 | 3604 | csrss.exe | 90 | 3
PID 3604 wrote to memory of 5372 | 3604 | csrss.exe | 91 | 3
PID 3604 wrote to memory of 5068 | 3604 | csrss.exe | 92 | 3
PID 3604 wrote to memory of 2852 | 3604 | csrss.exe | 93 | 3
PID 2852 wrote to memory of 4592 | 2852 | Kazekage.exe | 94 | 3
PID 2852 wrote to memory of 1700 | 2852 | Kazekage.exe | 95 | 3
PID 2852 wrote to memory of 660 | 2852 | Kazekage.exe | 96 | 3
PID 2852 wrote to memory of 2148 | 2852 | Kazekage.exe | 97 | 3
PID 2852 wrote to memory of 1304 | 2852 | Kazekage.exe | 98 | 3
PID 1304 wrote to memory of 1012 | 1304 | system32.exe | 99 | 3
PID 1304 wrote to memory of 6132 | 1304 | system32.exe | 100 | 3
PID 1304 wrote to memory of 3552 | 1304 | system32.exe | 101 | 3
PID 1304 wrote to memory of 4816 | 1304 | system32.exe | 102 | 3
PID 1304 wrote to memory of 4152 | 1304 | system32.exe | 103 | 3
PID 3604 wrote to memory of 1084 | 3604 | csrss.exe | 104 | 3
PID 1620 wrote to memory of 5156 | 1620 | Gaara.exe | 105 | 1
System policy modification 1 TTPs 12 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Processes
(indentation shows the process tree depth; each entry gives the image path, the command line, the signatures it triggered and its PID)

C:\Users\Admin\AppData\Local\Temp\84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe"
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - UAC bypass
  - Disables RegEdit via registry modification
  - Drops file in Drivers directory
  - Sets file execution options in registry
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:6116

  C:\Windows\Fonts\Admin 9 - 5 - 2024\smss.exe
    cmdline: "C:\Windows\Fonts\Admin 9 - 5 - 2024\smss.exe"
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - UAC bypass
    - Disables RegEdit via registry modification
    - Drops file in Drivers directory
    - Sets file execution options in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Sets desktop wallpaper using registry
    - Drops file in Windows directory
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:4208

    C:\Windows\Fonts\Admin 9 - 5 - 2024\smss.exe
      cmdline: "C:\Windows\Fonts\Admin 9 - 5 - 2024\smss.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
      PID:1272

    C:\Windows\Fonts\Admin 9 - 5 - 2024\Gaara.exe
      cmdline: "C:\Windows\Fonts\Admin 9 - 5 - 2024\Gaara.exe"
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - UAC bypass
      - Disables RegEdit via registry modification
      - Drops file in Drivers directory
      - Sets file execution options in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops desktop.ini file(s)
      - Enumerates connected drives
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Sets desktop wallpaper using registry
      - Drops file in Windows directory
      - Modifies Control Panel
      - Modifies Internet Explorer settings
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
      PID:1620

      C:\Windows\Fonts\Admin 9 - 5 - 2024\smss.exe
        cmdline: "C:\Windows\Fonts\Admin 9 - 5 - 2024\smss.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
        PID:1380

      C:\Windows\Fonts\Admin 9 - 5 - 2024\Gaara.exe
        cmdline: "C:\Windows\Fonts\Admin 9 - 5 - 2024\Gaara.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
        PID:5180

      C:\Windows\Fonts\Admin 9 - 5 - 2024\csrss.exe
        cmdline: "C:\Windows\Fonts\Admin 9 - 5 - 2024\csrss.exe"
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - UAC bypass
        - Disables RegEdit via registry modification
        - Drops file in Drivers directory
        - Sets file execution options in registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops desktop.ini file(s)
        - Enumerates connected drives
        - Drops autorun.inf file
        - Drops file in System32 directory
        - Sets desktop wallpaper using registry
        - Drops file in Windows directory
        - Modifies Control Panel
        - Modifies Internet Explorer settings
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID:3604

        C:\Windows\Fonts\Admin 9 - 5 - 2024\smss.exe
          cmdline: "C:\Windows\Fonts\Admin 9 - 5 - 2024\smss.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetWindowsHookEx
          PID:3136

        C:\Windows\Fonts\Admin 9 - 5 - 2024\Gaara.exe
          cmdline: "C:\Windows\Fonts\Admin 9 - 5 - 2024\Gaara.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetWindowsHookEx
          PID:5372

        C:\Windows\Fonts\Admin 9 - 5 - 2024\csrss.exe
          cmdline: "C:\Windows\Fonts\Admin 9 - 5 - 2024\csrss.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetWindowsHookEx
          PID:5068

        C:\Windows\SysWOW64\drivers\Kazekage.exe
          cmdline: C:\Windows\system32\drivers\Kazekage.exe
          - Modifies WinLogon for persistence
          - Modifies visibility of file extensions in Explorer
          - Modifies visibility of hidden/system files in Explorer
          - UAC bypass
          - Disables RegEdit via registry modification
          - Drops file in Drivers directory
          - Sets file execution options in registry
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops desktop.ini file(s)
          - Enumerates connected drives
          - Drops autorun.inf file
          - Drops file in System32 directory
          - Sets desktop wallpaper using registry
          - Drops file in Windows directory
          - Modifies Control Panel
          - Modifies Internet Explorer settings
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          - System policy modification
          PID:2852

          C:\Windows\Fonts\Admin 9 - 5 - 2024\smss.exe
            cmdline: "C:\Windows\Fonts\Admin 9 - 5 - 2024\smss.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetWindowsHookEx
            PID:4592

          C:\Windows\Fonts\Admin 9 - 5 - 2024\Gaara.exe
            cmdline: "C:\Windows\Fonts\Admin 9 - 5 - 2024\Gaara.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetWindowsHookEx
            PID:1700

          C:\Windows\Fonts\Admin 9 - 5 - 2024\csrss.exe
            cmdline: "C:\Windows\Fonts\Admin 9 - 5 - 2024\csrss.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetWindowsHookEx
            PID:660

          C:\Windows\SysWOW64\drivers\Kazekage.exe
            cmdline: C:\Windows\system32\drivers\Kazekage.exe
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID:2148

          C:\Windows\SysWOW64\drivers\system32.exe
            cmdline: C:\Windows\system32\drivers\system32.exe
            - Modifies WinLogon for persistence
            - Modifies visibility of file extensions in Explorer
            - Modifies visibility of hidden/system files in Explorer
            - UAC bypass
            - Disables RegEdit via registry modification
            - Drops file in Drivers directory
            - Sets file execution options in registry
            - Executes dropped EXE
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops desktop.ini file(s)
            - Enumerates connected drives
            - Drops autorun.inf file
            - Drops file in System32 directory
            - Sets desktop wallpaper using registry
            - Drops file in Windows directory
            - Modifies Control Panel
            - Modifies Internet Explorer settings
            - Modifies registry class
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            - System policy modification
            PID:1304

            C:\Windows\Fonts\Admin 9 - 5 - 2024\smss.exe
              cmdline: "C:\Windows\Fonts\Admin 9 - 5 - 2024\smss.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of SetWindowsHookEx
              PID:1012

            C:\Windows\Fonts\Admin 9 - 5 - 2024\Gaara.exe
              cmdline: "C:\Windows\Fonts\Admin 9 - 5 - 2024\Gaara.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of SetWindowsHookEx
              PID:6132

            C:\Windows\Fonts\Admin 9 - 5 - 2024\csrss.exe
              cmdline: "C:\Windows\Fonts\Admin 9 - 5 - 2024\csrss.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of SetWindowsHookEx
              PID:3552

            C:\Windows\SysWOW64\drivers\Kazekage.exe
              cmdline: C:\Windows\system32\drivers\Kazekage.exe
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
              PID:4816

            C:\Windows\SysWOW64\drivers\system32.exe
              cmdline: C:\Windows\system32\drivers\system32.exe
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
              PID:4152

            C:\Windows\SysWOW64\ping.exe
              cmdline: ping -a -l www.rasasayang.com.my 65500
              - Runs ping.exe
              PID:4324

            C:\Windows\SysWOW64\ping.exe
              cmdline: ping -a -l www.duniasex.com 65500
              - Runs ping.exe
              PID:5100

            C:\Windows\SysWOW64\ping.exe
              cmdline: ping -a -l www.rasasayang.com.my 65500
              - Runs ping.exe
              PID:5796

            C:\Windows\SysWOW64\ping.exe
              cmdline: ping -a -l www.duniasex.com 65500
              - Runs ping.exe
              PID:4640

            C:\Windows\SysWOW64\ping.exe
              cmdline: ping -a -l www.rasasayang.com.my 65500
              - Runs ping.exe
              PID:5092

            C:\Windows\SysWOW64\ping.exe
              cmdline: ping -a -l www.duniasex.com 65500
              - Runs ping.exe
              PID:5112

          C:\Windows\SysWOW64\ping.exe
            cmdline: ping -a -l www.rasasayang.com.my 65500
            - Runs ping.exe
            PID:3212

          C:\Windows\SysWOW64\ping.exe
            cmdline: ping -a -l www.duniasex.com 65500
            - Runs ping.exe
            PID:1120

          C:\Windows\SysWOW64\ping.exe
            cmdline: ping -a -l www.rasasayang.com.my 65500
            - Runs ping.exe
            PID:3660

          C:\Windows\SysWOW64\ping.exe
            cmdline: ping -a -l www.duniasex.com 65500
            - Runs ping.exe
            PID:5424

          C:\Windows\SysWOW64\ping.exe
            cmdline: ping -a -l www.rasasayang.com.my 65500
            - Runs ping.exe
            PID:1376

          C:\Windows\SysWOW64\ping.exe
            cmdline: ping -a -l www.duniasex.com 65500
            - Runs ping.exe
            PID:820

        C:\Windows\SysWOW64\drivers\system32.exe
          cmdline: C:\Windows\system32\drivers\system32.exe
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
          PID:1084

        C:\Windows\SysWOW64\ping.exe
          cmdline: ping -a -l www.rasasayang.com.my 65500
          - Runs ping.exe
          PID:2352

        C:\Windows\SysWOW64\ping.exe
          cmdline: ping -a -l www.duniasex.com 65500
          - Runs ping.exe
          PID:5296

        C:\Windows\SysWOW64\ping.exe
          cmdline: ping -a -l www.rasasayang.com.my 65500
          - Runs ping.exe
          PID:2144

        C:\Windows\SysWOW64\ping.exe
          cmdline: ping -a -l www.duniasex.com 65500
          - Runs ping.exe
          PID:4572

        C:\Windows\SysWOW64\ping.exe
          cmdline: ping -a -l www.rasasayang.com.my 65500
          - Runs ping.exe
          PID:1336

        C:\Windows\SysWOW64\ping.exe
          cmdline: ping -a -l www.duniasex.com 65500
          - Runs ping.exe
          PID:3928

      C:\Windows\SysWOW64\drivers\Kazekage.exe
        cmdline: C:\Windows\system32\drivers\Kazekage.exe
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        PID:5156

      C:\Windows\SysWOW64\drivers\system32.exe
        cmdline: C:\Windows\system32\drivers\system32.exe
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        PID:1456

      C:\Windows\SysWOW64\ping.exe
        cmdline: ping -a -l www.rasasayang.com.my 65500
        - Runs ping.exe
        PID:5180

      C:\Windows\SysWOW64\ping.exe
        cmdline: ping -a -l www.duniasex.com 65500
        - Runs ping.exe
        PID:3592

      C:\Windows\SysWOW64\ping.exe
        cmdline: ping -a -l www.rasasayang.com.my 65500
        - Runs ping.exe
        PID:3612

      C:\Windows\SysWOW64\ping.exe
        cmdline: ping -a -l www.duniasex.com 65500
        - Runs ping.exe
        PID:684

      C:\Windows\SysWOW64\ping.exe
        cmdline: ping -a -l www.rasasayang.com.my 65500
        - Runs ping.exe
        PID:2868

      C:\Windows\SysWOW64\ping.exe
        cmdline: ping -a -l www.duniasex.com 65500
        - Runs ping.exe
        PID:1596

    C:\Windows\Fonts\Admin 9 - 5 - 2024\csrss.exe
      cmdline: "C:\Windows\Fonts\Admin 9 - 5 - 2024\csrss.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
      PID:5960

    C:\Windows\SysWOW64\drivers\Kazekage.exe
      cmdline: C:\Windows\system32\drivers\Kazekage.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      PID:4888

    C:\Windows\SysWOW64\drivers\system32.exe
      cmdline: C:\Windows\system32\drivers\system32.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      PID:3080

    C:\Windows\SysWOW64\ping.exe
      cmdline: ping -a -l www.rasasayang.com.my 65500
      - Runs ping.exe
      PID:4468

    C:\Windows\SysWOW64\ping.exe
      cmdline: ping -a -l www.duniasex.com 65500
      - Runs ping.exe
      PID:4596

    C:\Windows\SysWOW64\ping.exe
      cmdline: ping -a -l www.rasasayang.com.my 65500
      - Runs ping.exe
      PID:3936

    C:\Windows\SysWOW64\ping.exe
      cmdline: ping -a -l www.duniasex.com 65500
      - Runs ping.exe
      PID:1228

    C:\Windows\SysWOW64\ping.exe
      cmdline: ping -a -l www.rasasayang.com.my 65500
      - Runs ping.exe
      PID:1324

    C:\Windows\SysWOW64\ping.exe
      cmdline: ping -a -l www.duniasex.com 65500
      - Runs ping.exe
      PID:6056

  C:\Windows\Fonts\Admin 9 - 5 - 2024\Gaara.exe
    cmdline: "C:\Windows\Fonts\Admin 9 - 5 - 2024\Gaara.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1116

  C:\Windows\Fonts\Admin 9 - 5 - 2024\csrss.exe
    cmdline: "C:\Windows\Fonts\Admin 9 - 5 - 2024\csrss.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1680

  C:\Windows\SysWOW64\drivers\Kazekage.exe
    cmdline: C:\Windows\system32\drivers\Kazekage.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4708

  C:\Windows\SysWOW64\drivers\system32.exe
    cmdline: C:\Windows\system32\drivers\system32.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3176

  C:\Windows\SysWOW64\ping.exe
    cmdline: ping -a -l www.rasasayang.com.my 65500
    - Runs ping.exe
    PID:4316

  C:\Windows\SysWOW64\ping.exe
    cmdline: ping -a -l www.duniasex.com 65500
    - Runs ping.exe
    PID:5792

  C:\Windows\SysWOW64\ping.exe
    cmdline: ping -a -l www.rasasayang.com.my 65500
    - Runs ping.exe
    PID:5268

  C:\Windows\SysWOW64\ping.exe
    cmdline: ping -a -l www.duniasex.com 65500
    - Runs ping.exe
    PID:5208

  C:\Windows\SysWOW64\ping.exe
    cmdline: ping -a -l www.rasasayang.com.my 65500
    - Runs ping.exe
    PID:4076

  C:\Windows\SysWOW64\ping.exe
    cmdline: ping -a -l www.duniasex.com 65500
    - Runs ping.exe
    PID:5288
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (9)
Downloads