Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/06/2024, 05:14
Behavioral task: behavioral1
Sample: 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Size: 66KB
MD5: 4f638f90ece1cd2c4f8b10a792956d70
SHA1: ab95276f68053c4bdaea10975610dea6b0b042eb
SHA256: e70f2481aa838b9592454700e264c29acb17521fda0303adfbaac30963ec6a59
SHA512: e5801242754199a6ff77dc2d8ec266f2051971b8dc74f5f05108ecbdce2ab9346a2ab0bde9847ba075edfaf0ed5be88d380d89750e7cfe842caffd410f9a2bbb
SSDEEP: 1536:37OE59Vyzrc8K3WgFtKhJP+tcrVOXKzaJThZfaKhQiSEKNJ:LV5998K3WQ8fjEXKgZfnhfxu
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Gaara.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | smss.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 6 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | csrss.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Disables RegEdit via registry modification (6 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | system32.exe
Disables use of System Restore points (1 TTP)
Drops file in Drivers directory (24 IoCs)
description | ioc | process
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
Sets file execution options in registry (2 TTPs, 64 IoCs)
All keys below are under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ (abbreviated IFEO\).
description | ioc | process
Set value (str) | IFEO\Thumbs.com\Debugger = "cmd.exe /c del" | smss.exe
Key created | IFEO\mmc.exe | Gaara.exe
Set value (str) | IFEO\regedit.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Key created | IFEO\msconfig.exe | Kazekage.exe
Set value (str) | IFEO\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe
Key created | IFEO\mmc.exe | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Set value (str) | IFEO\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Set value (str) | IFEO\mmc.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe
Set value (str) | IFEO\Obito.exe\Debugger = "cmd.exe /c del" | system32.exe
Key created | IFEO\Thumbs.com | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Set value (str) | IFEO\HokageFile.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Key created | IFEO\kspool.exe | Kazekage.exe
Set value (str) | IFEO\Rin.exe\Debugger = "cmd.exe /c del" | smss.exe
Key created | IFEO\procexp.exe | smss.exe
Key created | IFEO\Thumbs.com | smss.exe
Set value (str) | IFEO\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Key created | IFEO\KakashiHatake.exe | Kazekage.exe
Set value (str) | IFEO\HokageFile.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Key created | IFEO\mmc.exe | system32.exe
Set value (str) | IFEO\HOKAGE4.exe\Debugger = "cmd.exe /c del" | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Set value (str) | IFEO\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Key created | IFEO\kspool.exe | csrss.exe
Key created | IFEO\HokageFile.exe | Gaara.exe
Key created | IFEO\Funny UST Scandal.exe | Gaara.exe
Key created | IFEO\HOKAGE4.exe | system32.exe
Key created | IFEO\Obito.exe | Gaara.exe
Key created | IFEO\procexp.exe | Gaara.exe
Set value (str) | IFEO\Obito.exe\Debugger = "cmd.exe /c del" | csrss.exe
Key created | IFEO\Obito.exe | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Key created | IFEO\Funny UST Scandal.exe | csrss.exe
Set value (str) | IFEO\mmc.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Key created | IFEO\kspoold.exe | Kazekage.exe
Key created | IFEO\wscript.exe | system32.exe
Key created | IFEO\Obito.exe | csrss.exe
Set value (str) | IFEO\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | csrss.exe
Set value (str) | IFEO\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Set value (str) | IFEO\cscript.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe
Key created | IFEO\rstrui.exe | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Key created | IFEO\regedt32.exe | Gaara.exe
Key created | IFEO\kspoold.exe | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Set value (str) | IFEO\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Set value (str) | IFEO\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Key created | IFEO\taskmgr.exe | smss.exe
Set value (str) | IFEO\wscript.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Key created | IFEO\Funny UST Scandal.exe | Kazekage.exe
Key created | IFEO\kspool.exe | smss.exe
Set value (str) | IFEO\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Key created | IFEO\msconfig.exe | csrss.exe
Set value (str) | IFEO\Thumbs.com\Debugger = "cmd.exe /c del" | csrss.exe
Key created | IFEO\wscript.exe | csrss.exe
Set value (str) | IFEO\procexp.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Key created | IFEO\mmc.exe | csrss.exe
Key created | IFEO\procexp.exe | system32.exe
Key created | IFEO\Funny UST Scandal.avi.exe | smss.exe
Key created | IFEO\Rin.exe | Kazekage.exe
Key created | IFEO\HokageFile.exe | system32.exe
Set value (str) | IFEO\rstrui.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Set value (str) | IFEO\procexp.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Key created | IFEO\KakashiHatake.exe | system32.exe
Key created | IFEO\Obito.exe | system32.exe
Key created | IFEO\Funny UST Scandal.exe | system32.exe
Key created | IFEO\kspoold.exe | smss.exe
Key created | IFEO\msconfig.exe | smss.exe
Set value (str) | IFEO\kspoold.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Executes dropped EXE (30 IoCs)
pid | process
2360 | smss.exe
2380 | smss.exe
3112 | Gaara.exe
4140 | smss.exe
5060 | Gaara.exe
520 | csrss.exe
3028 | smss.exe
3712 | Gaara.exe
1444 | csrss.exe
3100 | Kazekage.exe
1232 | smss.exe
4652 | Gaara.exe
4408 | csrss.exe
2396 | Kazekage.exe
2032 | system32.exe
2648 | smss.exe
3740 | Gaara.exe
628 | csrss.exe
3792 | Kazekage.exe
800 | system32.exe
3388 | system32.exe
112 | Kazekage.exe
3556 | system32.exe
1988 | csrss.exe
2960 | Kazekage.exe
456 | system32.exe
4332 | Gaara.exe
2948 | csrss.exe
3436 | Kazekage.exe
3480 | system32.exe
Loads dropped DLL (18 IoCs)
pid | process
2360 | smss.exe
2380 | smss.exe
3112 | Gaara.exe
4140 | smss.exe
5060 | Gaara.exe
520 | csrss.exe
3028 | smss.exe
3712 | Gaara.exe
1444 | csrss.exe
1232 | smss.exe
4652 | Gaara.exe
4408 | csrss.exe
2648 | smss.exe
3740 | Gaara.exe
628 | csrss.exe
1988 | csrss.exe
4332 | Gaara.exe
2948 | csrss.exe
resource | yara_rule
behavioral2/memory/1544-0-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/files/0x0007000000023400-31.dat | upx
behavioral2/memory/2360-34-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/files/0x0007000000023405-57.dat | upx
behavioral2/files/0x0007000000023404-53.dat | upx
behavioral2/files/0x0007000000023403-49.dat | upx
behavioral2/files/0x0007000000023402-45.dat | upx
behavioral2/files/0x0007000000023401-41.dat | upx
behavioral2/memory/2380-70-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/2380-79-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3112-78-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/files/0x0007000000023405-97.dat | upx
behavioral2/files/0x0007000000023404-93.dat | upx
behavioral2/files/0x0007000000023403-89.dat | upx
behavioral2/files/0x0007000000023402-85.dat | upx
behavioral2/memory/4140-116-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/5060-114-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/5060-125-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/520-121-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/files/0x0007000000023405-139.dat | upx
behavioral2/files/0x0007000000023404-135.dat | upx
behavioral2/memory/3712-156-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3028-158-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3712-164-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/1444-165-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3100-174-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/1544-173-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/1444-172-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/files/0x0007000000023403-180.dat | upx
behavioral2/files/0x0007000000023405-184.dat | upx
behavioral2/memory/2360-197-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/1232-204-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3112-208-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/4652-211-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/4408-209-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/4408-216-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/2032-223-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/2396-221-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/2648-243-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/520-242-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/2648-246-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3740-250-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/628-255-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3792-253-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3100-260-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/800-261-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3792-259-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/800-265-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3388-269-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/112-275-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3556-279-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/2032-284-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/1988-283-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/2960-288-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/456-292-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/4332-295-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/2948-298-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3436-299-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3436-303-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3480-307-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/2360-309-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/520-311-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/1544-308-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3112-310-0x0000000000400000-0x000000000042A000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 24 IoCs)
All values below are under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ (abbreviated Run\).
description | ioc | process
Set value (str) | Run\FreeAV = "Fonts\\Admin 17 - 6 - 2024\\Gaara.exe" | smss.exe
Set value (str) | Run\SystemRun = "drivers\\csrss.exe" | smss.exe
Set value (str) | Run\DesertSand = "Fonts\\Admin 17 - 6 - 2024\\smss.exe" | Kazekage.exe
Set value (str) | Run\644r4 = "17-6-2024.exe" | Kazekage.exe
Set value (str) | Run\644r4 = "17-6-2024.exe" | csrss.exe
Set value (str) | Run\FreeAV = "Fonts\\Admin 17 - 6 - 2024\\Gaara.exe" | system32.exe
Set value (str) | Run\644r4 = "17-6-2024.exe" | system32.exe
Set value (str) | Run\DesertSand = "Fonts\\Admin 17 - 6 - 2024\\smss.exe" | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Set value (str) | Run\DesertSand = "Fonts\\Admin 17 - 6 - 2024\\smss.exe" | smss.exe
Set value (str) | Run\SystemRun = "drivers\\csrss.exe" | Gaara.exe
Set value (str) | Run\FreeAV = "Fonts\\Admin 17 - 6 - 2024\\Gaara.exe" | csrss.exe
Set value (str) | Run\DesertSand = "Fonts\\Admin 17 - 6 - 2024\\smss.exe" | csrss.exe
Set value (str) | Run\FreeAV = "Fonts\\Admin 17 - 6 - 2024\\Gaara.exe" | Kazekage.exe
Set value (str) | Run\FreeAV = "Fonts\\Admin 17 - 6 - 2024\\Gaara.exe" | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Set value (str) | Run\SystemRun = "drivers\\csrss.exe" | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Set value (str) | Run\644r4 = "17-6-2024.exe" | smss.exe
Set value (str) | Run\DesertSand = "Fonts\\Admin 17 - 6 - 2024\\smss.exe" | Gaara.exe
Set value (str) | Run\FreeAV = "Fonts\\Admin 17 - 6 - 2024\\Gaara.exe" | Gaara.exe
Set value (str) | Run\SystemRun = "drivers\\csrss.exe" | Kazekage.exe
Set value (str) | Run\DesertSand = "Fonts\\Admin 17 - 6 - 2024\\smss.exe" | system32.exe
Set value (str) | Run\SystemRun = "drivers\\csrss.exe" | system32.exe
Set value (str) | Run\644r4 = "17-6-2024.exe" | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Set value (str) | Run\644r4 = "17-6-2024.exe" | Gaara.exe
Set value (str) | Run\SystemRun = "drivers\\csrss.exe" | csrss.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Drops desktop.ini file(s) (64 IoCs)
description | ioc | process
File opened for modification | \??\P:\Desktop.ini | Gaara.exe
File opened for modification | \??\Z:\Desktop.ini | Kazekage.exe
File opened for modification | \??\Y:\Desktop.ini | system32.exe
File opened for modification | \??\T:\Desktop.ini | Gaara.exe
File opened for modification | \??\T:\Desktop.ini | csrss.exe
File opened for modification | \??\J:\Desktop.ini | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File opened for modification | F:\Desktop.ini | Kazekage.exe
File opened for modification | \??\T:\Desktop.ini | Kazekage.exe
File opened for modification | \??\J:\Desktop.ini | system32.exe
File opened for modification | \??\L:\Desktop.ini | system32.exe
File opened for modification | \??\X:\Desktop.ini | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File opened for modification | \??\H:\Desktop.ini | Gaara.exe
File opened for modification | \??\Q:\Desktop.ini | csrss.exe
File opened for modification | \??\U:\Desktop.ini | csrss.exe
File opened for modification | \??\X:\Desktop.ini | Kazekage.exe
File opened for modification | \??\E:\Desktop.ini | system32.exe
File opened for modification | \??\G:\Desktop.ini | system32.exe
File opened for modification | \??\Y:\Desktop.ini | smss.exe
File opened for modification | C:\Desktop.ini | csrss.exe
File opened for modification | \??\E:\Desktop.ini | Kazekage.exe
File opened for modification | \??\R:\Desktop.ini | Kazekage.exe
File opened for modification | \??\H:\Desktop.ini | smss.exe
File opened for modification | \??\J:\Desktop.ini | smss.exe
File opened for modification | \??\I:\Desktop.ini | Gaara.exe
File opened for modification | \??\A:\Desktop.ini | csrss.exe
File opened for modification | \??\A:\Desktop.ini | Kazekage.exe
File opened for modification | \??\M:\Desktop.ini | Kazekage.exe
File opened for modification | \??\P:\Desktop.ini | Kazekage.exe
File opened for modification | \??\V:\Desktop.ini | system32.exe
File opened for modification | \??\A:\Desktop.ini | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File opened for modification | \??\M:\Desktop.ini | Gaara.exe
File opened for modification | \??\P:\Desktop.ini | csrss.exe
File opened for modification | D:\Desktop.ini | Kazekage.exe
File opened for modification | \??\W:\Desktop.ini | Kazekage.exe
File opened for modification | \??\B:\Desktop.ini | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File opened for modification | \??\O:\Desktop.ini | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File opened for modification | \??\T:\Desktop.ini | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File opened for modification | \??\G:\Desktop.ini | Gaara.exe
File opened for modification | D:\Desktop.ini | csrss.exe
File opened for modification | \??\O:\Desktop.ini | system32.exe
File opened for modification | \??\X:\Desktop.ini | Gaara.exe
File opened for modification | \??\H:\Desktop.ini | Kazekage.exe
File opened for modification | \??\K:\Desktop.ini | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File opened for modification | \??\L:\Desktop.ini | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File opened for modification | \??\M:\Desktop.ini | smss.exe
File opened for modification | \??\K:\Desktop.ini | csrss.exe
File opened for modification | F:\Desktop.ini | system32.exe
File opened for modification | \??\W:\Desktop.ini | system32.exe
File opened for modification | \??\O:\Desktop.ini | smss.exe
File opened for modification | \??\T:\Desktop.ini | smss.exe
File opened for modification | \??\Z:\Desktop.ini | smss.exe
File opened for modification | \??\L:\Desktop.ini | csrss.exe
File opened for modification | \??\W:\Desktop.ini | csrss.exe
File opened for modification | \??\O:\Desktop.ini | Kazekage.exe
File opened for modification | \??\K:\Desktop.ini | Kazekage.exe
File opened for modification | \??\P:\Desktop.ini | system32.exe
File opened for modification | \??\R:\Desktop.ini | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File opened for modification | \??\H:\Desktop.ini | csrss.exe
File opened for modification | \??\R:\Desktop.ini | csrss.exe
File opened for modification | C:\Desktop.ini | Kazekage.exe
File opened for modification | \??\Z:\Desktop.ini | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File opened for modification | F:\Desktop.ini | smss.exe
File opened for modification | \??\J:\Desktop.ini | Kazekage.exe
File opened for modification | \??\N:\Desktop.ini | system32.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\Q: csrss.exe
File opened (read-only) \??\Y: csrss.exe
File opened (read-only) \??\E: Kazekage.exe
File opened (read-only) \??\U: Kazekage.exe
File opened (read-only) \??\A: smss.exe
File opened (read-only) \??\M: csrss.exe
File opened (read-only) \??\N: Kazekage.exe
File opened (read-only) \??\X: 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File opened (read-only) \??\J: smss.exe
File opened (read-only) \??\A: csrss.exe
File opened (read-only) \??\X: csrss.exe
File opened (read-only) \??\I: 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File opened (read-only) \??\P: 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File opened (read-only) \??\Q: 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File opened (read-only) \??\V: system32.exe
File opened (read-only) \??\S: 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File opened (read-only) \??\T: Gaara.exe
File opened (read-only) \??\K: Kazekage.exe
File opened (read-only) \??\W: Kazekage.exe
File opened (read-only) \??\I: system32.exe
File opened (read-only) \??\U: system32.exe
File opened (read-only) \??\U: csrss.exe
File opened (read-only) \??\E: system32.exe
File opened (read-only) \??\T: system32.exe
File opened (read-only) \??\J: 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File opened (read-only) \??\L: smss.exe
File opened (read-only) \??\G: Gaara.exe
File opened (read-only) \??\J: csrss.exe
File opened (read-only) \??\Z: Kazekage.exe
File opened (read-only) \??\V: Gaara.exe
File opened (read-only) \??\O: csrss.exe
File opened (read-only) \??\J: system32.exe
File opened (read-only) \??\Z: csrss.exe
File opened (read-only) \??\H: Kazekage.exe
File opened (read-only) \??\J: Kazekage.exe
File opened (read-only) \??\E: 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File opened (read-only) \??\G: smss.exe
File opened (read-only) \??\T: 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File opened (read-only) \??\R: smss.exe
File opened (read-only) \??\L: Gaara.exe
File opened (read-only) \??\W: Gaara.exe
File opened (read-only) \??\O: Kazekage.exe
File opened (read-only) \??\H: 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File opened (read-only) \??\N: 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File opened (read-only) \??\A: Gaara.exe
File opened (read-only) \??\E: csrss.exe
File opened (read-only) \??\T: Kazekage.exe
File opened (read-only) \??\V: 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File opened (read-only) \??\O: Gaara.exe
File opened (read-only) \??\S: Gaara.exe
File opened (read-only) \??\P: Kazekage.exe
File opened (read-only) \??\V: smss.exe
File opened (read-only) \??\L: system32.exe
File opened (read-only) \??\M: 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File opened (read-only) \??\U: 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File opened (read-only) \??\H: Gaara.exe
File opened (read-only) \??\P: Gaara.exe
File opened (read-only) \??\I: csrss.exe
File opened (read-only) \??\T: csrss.exe
File opened (read-only) \??\R: Kazekage.exe
File opened (read-only) \??\J: Gaara.exe
File opened (read-only) \??\U: Gaara.exe
File opened (read-only) \??\X: Gaara.exe
File opened (read-only) \??\Y: Gaara.exe
-
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process
File created \??\S:\Autorun.inf Gaara.exe
File created \??\R:\Autorun.inf csrss.exe
File created \??\T:\Autorun.inf csrss.exe
File created \??\G:\Autorun.inf Kazekage.exe
File created \??\H:\Autorun.inf Kazekage.exe
File created \??\K:\Autorun.inf 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File opened for modification \??\G:\Autorun.inf smss.exe
File created \??\R:\Autorun.inf Gaara.exe
File opened for modification D:\Autorun.inf system32.exe
File opened for modification \??\E:\Autorun.inf system32.exe
File opened for modification \??\T:\Autorun.inf Gaara.exe
File created \??\L:\Autorun.inf Kazekage.exe
File opened for modification \??\G:\Autorun.inf system32.exe
File created \??\L:\Autorun.inf system32.exe
File created \??\X:\Autorun.inf system32.exe
File opened for modification \??\R:\Autorun.inf 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File opened for modification \??\V:\Autorun.inf 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File opened for modification \??\H:\Autorun.inf Gaara.exe
File created \??\H:\Autorun.inf 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File opened for modification \??\H:\Autorun.inf smss.exe
File created \??\R:\Autorun.inf smss.exe
File opened for modification \??\Y:\Autorun.inf Gaara.exe
File opened for modification \??\V:\Autorun.inf Kazekage.exe
File created \??\X:\Autorun.inf 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File created \??\A:\Autorun.inf smss.exe
File created \??\N:\Autorun.inf smss.exe
File created \??\X:\Autorun.inf csrss.exe
File opened for modification \??\Z:\Autorun.inf 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File opened for modification \??\X:\Autorun.inf Gaara.exe
File opened for modification \??\A:\Autorun.inf csrss.exe
File created \??\U:\Autorun.inf Kazekage.exe
File opened for modification \??\T:\Autorun.inf system32.exe
File opened for modification \??\Z:\Autorun.inf system32.exe
File opened for modification \??\N:\Autorun.inf Kazekage.exe
File opened for modification \??\Z:\Autorun.inf Kazekage.exe
File created \??\U:\Autorun.inf system32.exe
File opened for modification \??\N:\Autorun.inf smss.exe
File opened for modification \??\P:\Autorun.inf Gaara.exe
File opened for modification \??\E:\Autorun.inf csrss.exe
File created \??\S:\Autorun.inf smss.exe
File created \??\W:\Autorun.inf Gaara.exe
File opened for modification \??\S:\Autorun.inf csrss.exe
File opened for modification \??\U:\Autorun.inf 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File created \??\U:\Autorun.inf 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File created \??\G:\Autorun.inf smss.exe
File opened for modification \??\W:\Autorun.inf csrss.exe
File created \??\B:\Autorun.inf Kazekage.exe
File opened for modification \??\K:\Autorun.inf Kazekage.exe
File created \??\O:\Autorun.inf Kazekage.exe
File opened for modification \??\X:\Autorun.inf Kazekage.exe
File created D:\Autorun.inf 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File created \??\P:\Autorun.inf Gaara.exe
File opened for modification D:\Autorun.inf csrss.exe
File created \??\S:\Autorun.inf csrss.exe
File created \??\J:\Autorun.inf Kazekage.exe
File opened for modification \??\T:\Autorun.inf Kazekage.exe
File created \??\E:\Autorun.inf system32.exe
File created \??\E:\Autorun.inf 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File created F:\Autorun.inf 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File created \??\H:\Autorun.inf csrss.exe
File created \??\U:\Autorun.inf Gaara.exe
File opened for modification \??\A:\Autorun.inf Kazekage.exe
File created \??\I:\Autorun.inf system32.exe
File opened for modification \??\E:\Autorun.inf Kazekage.exe
-
Drops file in System32 directory 39 IoCs
description ioc Process
File created C:\Windows\SysWOW64\msvbvm60.dll system32.exe
File opened for modification C:\Windows\SysWOW64\ Gaara.exe
File opened for modification C:\Windows\SysWOW64\17-6-2024.exe 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe
File opened for modification C:\Windows\SysWOW64\ system32.exe
File opened for modification C:\Windows\SysWOW64\17-6-2024.exe csrss.exe
File opened for modification C:\Windows\SysWOW64\ 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx smss.exe
File opened for modification C:\Windows\SysWOW64\Desktop.ini Gaara.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe
File created C:\Windows\SysWOW64\msvbvm60.dll csrss.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll smss.exe
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Kazekage.exe
File created C:\Windows\SysWOW64\msvbvm60.dll smss.exe
File opened for modification C:\Windows\SysWOW64\17-6-2024.exe smss.exe
File created C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe
File created C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe
File created C:\Windows\SysWOW64\Desktop.ini 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File opened for modification C:\Windows\SysWOW64\Desktop.ini smss.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll csrss.exe
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx system32.exe
File created C:\Windows\SysWOW64\msvbvm60.dll 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Gaara.exe
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx csrss.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll system32.exe
File opened for modification C:\Windows\SysWOW64\17-6-2024.exe Kazekage.exe
File opened for modification C:\Windows\SysWOW64\ smss.exe
File opened for modification C:\Windows\SysWOW64\Desktop.ini csrss.exe
File opened for modification C:\Windows\SysWOW64\Desktop.ini Kazekage.exe
File opened for modification C:\Windows\SysWOW64\ Kazekage.exe
File opened for modification C:\Windows\SysWOW64\Desktop.ini system32.exe
File opened for modification C:\Windows\SysWOW64\Desktop.ini 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File opened for modification C:\Windows\SysWOW64\17-6-2024.exe Gaara.exe
File opened for modification C:\Windows\SysWOW64\17-6-2024.exe system32.exe
File created C:\Windows\SysWOW64\mscomctl.ocx 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File opened for modification C:\Windows\SysWOW64\ csrss.exe
File created C:\Windows\SysWOW64\17-6-2024.exe 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
-
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe
-
Drops file in Windows directory 64 IoCs
description ioc Process
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\msvbvm60.dll 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe Gaara.exe
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe csrss.exe
File opened for modification C:\Windows\system\msvbvm60.dll system32.exe
File opened for modification C:\Windows\ Kazekage.exe
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe system32.exe
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe system32.exe
File opened for modification C:\Windows\mscomctl.ocx Gaara.exe
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe smss.exe
File opened for modification C:\Windows\Fonts\The Kazekage.jpg csrss.exe
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\msvbvm60.dll Kazekage.exe
File opened for modification C:\Windows\system\msvbvm60.dll Kazekage.exe
File created C:\Windows\WBEM\msvbvm60.dll smss.exe
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe Gaara.exe
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe Gaara.exe
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe system32.exe
File opened for modification C:\Windows\ Gaara.exe
File opened for modification C:\Windows\msvbvm60.dll 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe csrss.exe
File opened for modification C:\Windows\system\msvbvm60.dll csrss.exe
File opened for modification C:\Windows\system\mscoree.dll system32.exe
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\msvbvm60.dll system32.exe
File opened for modification C:\Windows\mscomctl.ocx csrss.exe
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\msvbvm60.dll Gaara.exe
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe csrss.exe
File opened for modification C:\Windows\system\mscoree.dll Kazekage.exe
File created C:\Windows\mscomctl.ocx 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File opened for modification C:\Windows\mscomctl.ocx 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe smss.exe
File opened for modification C:\Windows\mscomctl.ocx Kazekage.exe
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File opened for modification C:\Windows\Fonts\The Kazekage.jpg smss.exe
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe smss.exe
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe csrss.exe
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe Kazekage.exe
File opened for modification C:\Windows\msvbvm60.dll Kazekage.exe
File opened for modification C:\Windows\mscomctl.ocx system32.exe
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File created C:\Windows\WBEM\msvbvm60.dll csrss.exe
File opened for modification C:\Windows\ 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\msvbvm60.dll 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File created C:\Windows\WBEM\msvbvm60.dll Gaara.exe
File opened for modification C:\Windows\system\mscoree.dll csrss.exe
File opened for modification C:\Windows\msvbvm60.dll csrss.exe
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe Kazekage.exe
File created C:\Windows\system\msvbvm60.dll 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File opened for modification C:\Windows\ smss.exe
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File opened for modification C:\Windows\system\msvbvm60.dll 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\msvbvm60.dll smss.exe
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe csrss.exe
File opened for modification C:\Windows\Fonts\The Kazekage.jpg system32.exe
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe system32.exe
File opened for modification C:\Windows\ system32.exe
File created C:\Windows\Fonts\The Kazekage.jpg 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File created C:\Windows\WBEM\msvbvm60.dll 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
File opened for modification C:\Windows\msvbvm60.dll smss.exe
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe Kazekage.exe
File created C:\Windows\WBEM\msvbvm60.dll system32.exe
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe Gaara.exe
File opened for modification C:\Windows\system\msvbvm60.dll Gaara.exe
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe csrss.exe
-
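The drive-enumeration, Autorun.inf and dropped-file tables above share one row format: an operation, a path (NT-style `\??\X:` for the probed volumes) and the acting process as the last token. The Python below is an added example, not code from the report or from the sample, that parses rows in that format and answers the three questions an analyst asks of them: which volumes were probed, which received an Autorun.inf and from which process, and which created files reuse the name of a core system binary outside System32 (the report shows smss.exe and csrss.exe copies being written under C:\Windows\Fonts\Admin 17 - 6 - 2024\). The sample rows are copied from the tables above; SYSTEM_NAMES and SYSTEM_DIRS are an assumed baseline to be extended for your own environment.

```python
"""Parse the file-activity rows of a sandbox report and pull out the
spreading and masquerading behaviour they record (added example)."""
from collections import defaultdict

# Rows copied from the report's file-activity tables, one per string.
# The last whitespace-separated token is always the acting process.
SAMPLE_ROWS = [
    r"File opened (read-only) \??\Q: csrss.exe",
    r"File opened (read-only) \??\E: Kazekage.exe",
    r"File created \??\S:\Autorun.inf Gaara.exe",
    r"File opened for modification \??\G:\Autorun.inf smss.exe",
    r"File created D:\Autorun.inf 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe",
    r"File created \??\E:\Autorun.inf system32.exe",
    r"File opened for modification \??\P:\Desktop.ini Gaara.exe",
    r"File created C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe",
    r"File created C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe system32.exe",
    r"File created C:\Windows\SysWOW64\msvbvm60.dll csrss.exe",
    r"File opened for modification C:\Windows\SysWOW64\17-6-2024.exe smss.exe",
]

OPERATIONS = ("File opened for modification", "File opened (read-only)", "File created")

# Core Windows binaries that a clean install keeps only under System32/SysWOW64.
# Assumption: an illustrative list, extend it for your own environment.
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "lsass.exe", "services.exe", "svchost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def normalise_path(path):
    """Strip the NT object-manager prefix so \\??\\X:\\foo compares equal to X:\\foo."""
    return path[4:] if path.startswith("\\??\\") else path


def parse_row(row):
    """Split a report row into (operation, path, process); paths may contain spaces."""
    for op in OPERATIONS:
        if row.startswith(op + " "):
            ioc, process = row[len(op) + 1:].rsplit(" ", 1)
            return op, normalise_path(ioc), process
    raise ValueError(f"unrecognised row: {row!r}")


def drives_probed(rows):
    """Drive letters the sample opened read-only at the root (volume enumeration)."""
    drives = set()
    for op, path, _ in map(parse_row, rows):
        if op == "File opened (read-only)" and len(path) == 2 and path[1] == ":":
            drives.add(path[0].upper())
    return drives


def autorun_drives(rows):
    """Drive letter -> processes that created or modified Autorun.inf on it."""
    hits = defaultdict(set)
    for _, path, process in map(parse_row, rows):
        if path.lower().endswith("\\autorun.inf") and len(path) > 2 and path[1] == ":":
            hits[path[0].upper()].add(process)
    return dict(hits)


def masquerading_drops(rows):
    """(path, process) for created files named like a core system binary but written outside System32."""
    found = []
    for op, path, process in map(parse_row, rows):
        if op != "File created":
            continue
        parent, _, name = path.lower().rpartition("\\")
        if name in SYSTEM_NAMES and parent + "\\" not in SYSTEM_DIRS:
            found.append((path, process))
    return found


if __name__ == "__main__":
    print("drives probed:", sorted(drives_probed(SAMPLE_ROWS)))
    for drive, procs in sorted(autorun_drives(SAMPLE_ROWS).items()):
        print(f"Autorun.inf on {drive}: written by {', '.join(sorted(procs))}")
    for path, process in masquerading_drops(SAMPLE_ROWS):
        print(f"masquerading drop {path} by {process}")
```

Feeding it the full tables rather than the excerpt shows every letter from A: to Z: probed and an Autorun.inf touched on most of them, which is the replication mechanism the "Drops autorun.inf file" signature describes; the masquerading check is what turns "Drops file in Windows directory" from a count into a list of files worth pulling from the sandbox.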
Modifies Control Panel 64 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" system32.exe
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee csrss.exe
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" Kazekage.exe
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\Speed = "4" system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\WallpaperStyle = "2" 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\Size = "72" smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\WallpaperStyle = "2" smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\Speed = "4" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" Kazekage.exe
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" csrss.exe
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\Size = "72" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\WallpaperStyle = "2" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\Speed = "4" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" smss.exe
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\Size = "72" system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop Gaara.exe
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\Size = "72" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\Size = "72" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\WallpaperStyle = "2" system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\Speed = "4" 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\Size = "72" 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
-
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" smss.exe
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main Gaara.exe
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Gaara.exe
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Kazekage.exe
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main system32.exe
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
-
Modifies registry class 51 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Kazekage.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command csrss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Gaara.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Gaara.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile Gaara.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Kazekage.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" system32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Gaara.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" csrss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Kazekage.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" csrss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Gaara.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Kazekage.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" system32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Gaara.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command system32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install Gaara.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Kazekage.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command smss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Gaara.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command csrss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Kazekage.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" system32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command system32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" system32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell Gaara.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command system32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command smss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Gaara.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command system32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" smss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Gaara.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" csrss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Kazekage.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Kazekage.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
-
Runs ping.exe 1 TTPs 34 IoCs
pid | Process (34 entries, all ping.exe)
PIDs: 2020, 3776, 3560, 2588, 3628, 3880, 1276, 448, 2908, 2292, 4164, 3760, 856, 3904, 3940, 1004, 4048, 3380, 5092, 3168, 3564, 1492, 3456, 3704, 1164, 3432, 4572, 228, 456, 2772, 4596, 3388, 1596, 1956
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
3112 | Gaara.exe (24 entries)
520 | csrss.exe (24 entries)
3100 | Kazekage.exe (16 entries)
-
Suspicious use of SetWindowsHookEx 31 IoCs
pid | Process
1544 | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
2360 | smss.exe
2380 | smss.exe
3112 | Gaara.exe
4140 | smss.exe
5060 | Gaara.exe
520 | csrss.exe
3028 | smss.exe
3712 | Gaara.exe
1444 | csrss.exe
3100 | Kazekage.exe
1232 | smss.exe
4652 | Gaara.exe
4408 | csrss.exe
2396 | Kazekage.exe
2032 | system32.exe
2648 | smss.exe
3740 | Gaara.exe
628 | csrss.exe
3792 | Kazekage.exe
800 | system32.exe
3388 | system32.exe
112 | Kazekage.exe
3556 | system32.exe
1988 | csrss.exe
2960 | Kazekage.exe
456 | system32.exe
4332 | Gaara.exe
2948 | csrss.exe
3436 | Kazekage.exe
3480 | system32.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
(64 entries in total; each distinct row below is listed three times in the report unless noted)
PID 1544 wrote to memory of 2360 | 1544 | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe | 82 (3 entries)
PID 2360 wrote to memory of 2380 | 2360 | smss.exe | 85 (3 entries)
PID 2360 wrote to memory of 3112 | 2360 | smss.exe | 87 (3 entries)
PID 3112 wrote to memory of 4140 | 3112 | Gaara.exe | 88 (3 entries)
PID 3112 wrote to memory of 5060 | 3112 | Gaara.exe | 89 (3 entries)
PID 3112 wrote to memory of 520 | 3112 | Gaara.exe | 90 (3 entries)
PID 520 wrote to memory of 3028 | 520 | csrss.exe | 91 (3 entries)
PID 520 wrote to memory of 3712 | 520 | csrss.exe | 92 (3 entries)
PID 520 wrote to memory of 1444 | 520 | csrss.exe | 93 (3 entries)
PID 520 wrote to memory of 3100 | 520 | csrss.exe | 94 (3 entries)
PID 3100 wrote to memory of 1232 | 3100 | Kazekage.exe | 95 (3 entries)
PID 3100 wrote to memory of 4652 | 3100 | Kazekage.exe | 96 (3 entries)
PID 3100 wrote to memory of 4408 | 3100 | Kazekage.exe | 97 (3 entries)
PID 3100 wrote to memory of 2396 | 3100 | Kazekage.exe | 98 (3 entries)
PID 3100 wrote to memory of 2032 | 3100 | Kazekage.exe | 99 (3 entries)
PID 2032 wrote to memory of 2648 | 2032 | system32.exe | 100 (3 entries)
PID 2032 wrote to memory of 3740 | 2032 | system32.exe | 101 (3 entries)
PID 2032 wrote to memory of 628 | 2032 | system32.exe | 102 (3 entries)
PID 2032 wrote to memory of 3792 | 2032 | system32.exe | 103 (3 entries)
PID 2032 wrote to memory of 800 | 2032 | system32.exe | 104 (3 entries)
PID 520 wrote to memory of 3388 | 520 | csrss.exe | 105 (3 entries)
PID 3112 wrote to memory of 112 | 3112 | Gaara.exe | 106 (1 entry)
-
System policy modification 1 TTPs 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Processes
(process tree; each entry gives the image path, the command line, the nesting depth, the triggered signatures and the PID; children are indented under their parent)
C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe"  (depth 1)
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - UAC bypass
  - Disables RegEdit via registry modification
  - Drops file in Drivers directory
  - Sets file execution options in registry
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1544
  C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe  cmdline: "C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe"  (depth 2)
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - UAC bypass
    - Disables RegEdit via registry modification
    - Drops file in Drivers directory
    - Sets file execution options in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Sets desktop wallpaper using registry
    - Drops file in Windows directory
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2360
    C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe  cmdline: "C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe"  (depth 3)
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
      PID:2380
    C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe  cmdline: "C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe"  (depth 3)
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - UAC bypass
      - Disables RegEdit via registry modification
      - Drops file in Drivers directory
      - Sets file execution options in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops desktop.ini file(s)
      - Enumerates connected drives
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Sets desktop wallpaper using registry
      - Drops file in Windows directory
      - Modifies Control Panel
      - Modifies Internet Explorer settings
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
      PID:3112
      C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe  cmdline: "C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe"  (depth 4)
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
        PID:4140
      C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe  cmdline: "C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe"  (depth 4)
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
        PID:5060
      C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe  cmdline: "C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe"  (depth 4)
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - UAC bypass
        - Disables RegEdit via registry modification
        - Drops file in Drivers directory
        - Sets file execution options in registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops desktop.ini file(s)
        - Enumerates connected drives
        - Drops autorun.inf file
        - Drops file in System32 directory
        - Sets desktop wallpaper using registry
        - Drops file in Windows directory
        - Modifies Control Panel
        - Modifies Internet Explorer settings
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID:520
        C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe  cmdline: "C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe"  (depth 5)
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetWindowsHookEx
          PID:3028
        C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe  cmdline: "C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe"  (depth 5)
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetWindowsHookEx
          PID:3712
        C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe  cmdline: "C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe"  (depth 5)
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetWindowsHookEx
          PID:1444
        C:\Windows\SysWOW64\drivers\Kazekage.exe  cmdline: C:\Windows\system32\drivers\Kazekage.exe  (depth 5)
          - Modifies WinLogon for persistence
          - Modifies visibility of file extensions in Explorer
          - Modifies visibility of hidden/system files in Explorer
          - UAC bypass
          - Disables RegEdit via registry modification
          - Drops file in Drivers directory
          - Sets file execution options in registry
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops desktop.ini file(s)
          - Enumerates connected drives
          - Drops autorun.inf file
          - Drops file in System32 directory
          - Sets desktop wallpaper using registry
          - Drops file in Windows directory
          - Modifies Control Panel
          - Modifies Internet Explorer settings
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          - System policy modification
          PID:3100
          C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe  cmdline: "C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe"  (depth 6)
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetWindowsHookEx
            PID:1232
          C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe  cmdline: "C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe"  (depth 6)
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetWindowsHookEx
            PID:4652
          C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe  cmdline: "C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe"  (depth 6)
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetWindowsHookEx
            PID:4408
          C:\Windows\SysWOW64\drivers\Kazekage.exe  cmdline: C:\Windows\system32\drivers\Kazekage.exe  (depth 6)
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID:2396
          C:\Windows\SysWOW64\drivers\system32.exe  cmdline: C:\Windows\system32\drivers\system32.exe  (depth 6)
            - Modifies WinLogon for persistence
            - Modifies visibility of file extensions in Explorer
            - Modifies visibility of hidden/system files in Explorer
            - UAC bypass
            - Disables RegEdit via registry modification
            - Drops file in Drivers directory
            - Sets file execution options in registry
            - Executes dropped EXE
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops desktop.ini file(s)
            - Enumerates connected drives
            - Drops autorun.inf file
            - Drops file in System32 directory
            - Sets desktop wallpaper using registry
            - Drops file in Windows directory
            - Modifies Control Panel
            - Modifies Internet Explorer settings
            - Modifies registry class
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            - System policy modification
            PID:2032
            C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe  cmdline: "C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe"  (depth 7)
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of SetWindowsHookEx
              PID:2648
            C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe  cmdline: "C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe"  (depth 7)
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of SetWindowsHookEx
              PID:3740
            C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe  cmdline: "C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe"  (depth 7)
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of SetWindowsHookEx
              PID:628
            C:\Windows\SysWOW64\drivers\Kazekage.exe  cmdline: C:\Windows\system32\drivers\Kazekage.exe  (depth 7)
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
              PID:3792
            C:\Windows\SysWOW64\drivers\system32.exe  cmdline: C:\Windows\system32\drivers\system32.exe  (depth 7)
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
              PID:800
            C:\Windows\SysWOW64\ping.exe  cmdline: ping -a -l www.rasasayang.com.my 65500  (depth 7)
              - Runs ping.exe
              PID:3776
            C:\Windows\SysWOW64\ping.exe  cmdline: ping -a -l www.duniasex.com 65500  (depth 7)
              - Runs ping.exe
              PID:3456
            C:\Windows\SysWOW64\ping.exe  cmdline: ping -a -l www.rasasayang.com.my 65500  (depth 7)
              - Runs ping.exe
              PID:4164
            C:\Windows\SysWOW64\ping.exe  cmdline: ping -a -l www.duniasex.com 65500  (depth 7)
              - Runs ping.exe
              PID:4572
            C:\Windows\SysWOW64\ping.exe  cmdline: ping -a -l www.rasasayang.com.my 65500  (depth 7)
              - Runs ping.exe
              PID:3168
            C:\Windows\SysWOW64\ping.exe  cmdline: ping -a -l www.duniasex.com 65500  (depth 7)
              - Runs ping.exe
              PID:1276
          C:\Windows\SysWOW64\ping.exe  cmdline: ping -a -l www.rasasayang.com.my 65500  (depth 6)
            - Runs ping.exe
            PID:3380
          C:\Windows\SysWOW64\ping.exe  cmdline: ping -a -l www.duniasex.com 65500  (depth 6)
            - Runs ping.exe
            PID:3432
          C:\Windows\SysWOW64\ping.exe  cmdline: ping -a -l www.rasasayang.com.my 65500  (depth 6)
            - Runs ping.exe
            PID:3628
          C:\Windows\SysWOW64\ping.exe  cmdline: ping -a -l www.duniasex.com 65500  (depth 6)
            - Runs ping.exe
            PID:3880
        C:\Windows\SysWOW64\drivers\system32.exe  cmdline: C:\Windows\system32\drivers\system32.exe  (depth 5)
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
          PID:3388
        C:\Windows\SysWOW64\ping.exe  cmdline: ping -a -l www.rasasayang.com.my 65500  (depth 5)
          - Runs ping.exe
          PID:3904
        C:\Windows\SysWOW64\ping.exe  cmdline: ping -a -l www.duniasex.com 65500  (depth 5)
          - Runs ping.exe
          PID:4596
        C:\Windows\SysWOW64\ping.exe  cmdline: ping -a -l www.rasasayang.com.my 65500  (depth 5)
          - Runs ping.exe
          PID:4048
        C:\Windows\SysWOW64\ping.exe  cmdline: ping -a -l www.duniasex.com 65500  (depth 5)
          - Runs ping.exe
          PID:1164
        C:\Windows\SysWOW64\ping.exe  cmdline: ping -a -l www.rasasayang.com.my 65500  (depth 5)
          - Runs ping.exe
          PID:2588
        C:\Windows\SysWOW64\ping.exe  cmdline: ping -a -l www.duniasex.com 65500  (depth 5)
          - Runs ping.exe
          PID:3564
      C:\Windows\SysWOW64\drivers\Kazekage.exe  cmdline: C:\Windows\system32\drivers\Kazekage.exe  (depth 4)
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        PID:112
      C:\Windows\SysWOW64\drivers\system32.exe  cmdline: C:\Windows\system32\drivers\system32.exe  (depth 4)
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        PID:3556
      C:\Windows\SysWOW64\ping.exe  cmdline: ping -a -l www.rasasayang.com.my 65500  (depth 4)
        - Runs ping.exe
        PID:448
      C:\Windows\SysWOW64\ping.exe  cmdline: ping -a -l www.duniasex.com 65500  (depth 4)
        - Runs ping.exe
        PID:856
      C:\Windows\SysWOW64\ping.exe  cmdline: ping -a -l www.rasasayang.com.my 65500  (depth 4)
        - Runs ping.exe
        PID:1004
      C:\Windows\SysWOW64\ping.exe  cmdline: ping -a -l www.duniasex.com 65500  (depth 4)
        - Runs ping.exe
        PID:2908
      C:\Windows\SysWOW64\ping.exe  cmdline: ping -a -l www.rasasayang.com.my 65500  (depth 4)
        - Runs ping.exe
        PID:3388
      C:\Windows\SysWOW64\ping.exe  cmdline: ping -a -l www.duniasex.com 65500  (depth 4)
        - Runs ping.exe
        PID:3560
    C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe  cmdline: "C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe"  (depth 3)
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
      PID:1988
    C:\Windows\SysWOW64\drivers\Kazekage.exe  cmdline: C:\Windows\system32\drivers\Kazekage.exe  (depth 3)
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      PID:2960
    C:\Windows\SysWOW64\drivers\system32.exe  cmdline: C:\Windows\system32\drivers\system32.exe  (depth 3)
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      PID:456
    C:\Windows\SysWOW64\ping.exe  cmdline: ping -a -l www.rasasayang.com.my 65500  (depth 3)
      - Runs ping.exe
      PID:1492
    C:\Windows\SysWOW64\ping.exe  cmdline: ping -a -l www.duniasex.com 65500  (depth 3)
      - Runs ping.exe
      PID:2020
    C:\Windows\SysWOW64\ping.exe  cmdline: ping -a -l www.rasasayang.com.my 65500  (depth 3)
      - Runs ping.exe
      PID:3940
    C:\Windows\SysWOW64\ping.exe  cmdline: ping -a -l www.duniasex.com 65500  (depth 3)
      - Runs ping.exe
      PID:456
    C:\Windows\SysWOW64\ping.exe  cmdline: ping -a -l www.rasasayang.com.my 65500  (depth 3)
      - Runs ping.exe
      PID:228
    C:\Windows\SysWOW64\ping.exe  cmdline: ping -a -l www.duniasex.com 65500  (depth 3)
      - Runs ping.exe
      PID:2772
  C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe  cmdline: "C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe"  (depth 2)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4332
  C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe  cmdline: "C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe"  (depth 2)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2948
  C:\Windows\SysWOW64\drivers\Kazekage.exe  cmdline: C:\Windows\system32\drivers\Kazekage.exe  (depth 2)
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3436
  C:\Windows\SysWOW64\drivers\system32.exe  cmdline: C:\Windows\system32\drivers\system32.exe  (depth 2)
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3480
  C:\Windows\SysWOW64\ping.exe  cmdline: ping -a -l www.rasasayang.com.my 65500  (depth 2)
    - Runs ping.exe
    PID:5092
  C:\Windows\SysWOW64\ping.exe  cmdline: ping -a -l www.duniasex.com 65500  (depth 2)
    - Runs ping.exe
    PID:3760
  C:\Windows\SysWOW64\ping.exe  cmdline: ping -a -l www.rasasayang.com.my 65500  (depth 2)
    - Runs ping.exe
    PID:3704
  C:\Windows\SysWOW64\ping.exe  cmdline: ping -a -l www.duniasex.com 65500  (depth 2)
    - Runs ping.exe
    PID:1596
  C:\Windows\SysWOW64\ping.exe  cmdline: ping -a -l www.rasasayang.com.my 65500  (depth 2)
    - Runs ping.exe
    PID:1956
  C:\Windows\SysWOW64\ping.exe  cmdline: ping -a -l www.duniasex.com 65500  (depth 2)
    - Runs ping.exe
    PID:2292
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (9)
Downloads