Analysis
max time kernel: 119s
max time network: 110s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/08/2024, 08:46

Static task: static1

Behavioral task: behavioral1
  Sample: 5445d29b38e1208c42cf7457ee49ebd0N.exe
  Resource: win7-20240708-en

Behavioral task: behavioral2
  Sample: 5445d29b38e1208c42cf7457ee49ebd0N.exe
  Resource: win10v2004-20240802-en

General
Target: 5445d29b38e1208c42cf7457ee49ebd0N.exe
Size: 148KB
MD5: 5445d29b38e1208c42cf7457ee49ebd0
SHA1: ddfbc4ad07b733a1a19decaaf18c92bcac8880a5
SHA256: 0a560b139bf877671cdcbee6f10f1a8faa7cbc5f5caf32c302b1b02a04e1e6c1
SHA512: 08bc4527a29561e87a2129a9015da9eddd6db32e52b71ba55d7837b83c8166235b26febe35df3c33bf153db5829c3b565a6072fed2d820c693158ce193b87c41
SSDEEP: 1536:VJo0IHgL2AHfb1mzaFXg+xsukl4Y17jsgS/jHagQNuXGpeVTV:Tx6AHjYzaFXg+w17jsgS/jHagQg19V

Malware Config

Signatures
Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | 5445d29b38e1208c42cf7457ee49ebd0N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | 5445d29b38e1208c42cf7457ee49ebd0N.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 5445d29b38e1208c42cf7457ee49ebd0N.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Gaara.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 5445d29b38e1208c42cf7457ee49ebd0N.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | system32.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 5445d29b38e1208c42cf7457ee49ebd0N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Disables RegEdit via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 5445d29b38e1208c42cf7457ee49ebd0N.exe
Disables use of System Restore points (1 TTPs)
Drops file in Drivers directory (24 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
Event Triggered Execution: Image File Execution Options Injection (1 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | 5445d29b38e1208c42cf7457ee49ebd0N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe | 5445d29b38e1208c42cf7457ee49ebd0N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe | 5445d29b38e1208c42cf7457ee49ebd0N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" | 5445d29b38e1208c42cf7457ee49ebd0N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | 5445d29b38e1208c42cf7457ee49ebd0N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | 5445d29b38e1208c42cf7457ee49ebd0N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | 5445d29b38e1208c42cf7457ee49ebd0N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | 5445d29b38e1208c42cf7457ee49ebd0N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe | 5445d29b38e1208c42cf7457ee49ebd0N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | 5445d29b38e1208c42cf7457ee49ebd0N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Executes dropped EXE (30 IoCs)
pid | Process
4320 | smss.exe
1540 | smss.exe
2932 | Gaara.exe
884 | smss.exe
1928 | Gaara.exe
860 | csrss.exe
4556 | smss.exe
692 | Gaara.exe
2768 | csrss.exe
3612 | Kazekage.exe
2196 | smss.exe
4380 | Gaara.exe
3140 | csrss.exe
3508 | Kazekage.exe
320 | system32.exe
2740 | smss.exe
4512 | Gaara.exe
2224 | csrss.exe
4472 | Kazekage.exe
2732 | system32.exe
5008 | system32.exe
3668 | Kazekage.exe
4892 | system32.exe
1688 | csrss.exe
4528 | Kazekage.exe
2880 | system32.exe
1780 | Gaara.exe
4288 | csrss.exe
2580 | Kazekage.exe
1276 | system32.exe
Loads dropped DLL (18 IoCs)
pid | Process
4320 | smss.exe
1540 | smss.exe
2932 | Gaara.exe
884 | smss.exe
1928 | Gaara.exe
860 | csrss.exe
4556 | smss.exe
692 | Gaara.exe
2768 | csrss.exe
2196 | smss.exe
4380 | Gaara.exe
3140 | csrss.exe
2740 | smss.exe
4512 | Gaara.exe
2224 | csrss.exe
1688 | csrss.exe
1780 | Gaara.exe
4288 | csrss.exe
Adds Run key to start application (2 TTPs, 24 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 14 - 8 - 2024\\smss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 14 - 8 - 2024\\Gaara.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 14 - 8 - 2024\\Gaara.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "14-8-2024.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 14 - 8 - 2024\\Gaara.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "14-8-2024.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "14-8-2024.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 14 - 8 - 2024\\smss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 14 - 8 - 2024\\smss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 14 - 8 - 2024\\Gaara.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "14-8-2024.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 14 - 8 - 2024\\smss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "14-8-2024.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 14 - 8 - 2024\\smss.exe" | 5445d29b38e1208c42cf7457ee49ebd0N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | 5445d29b38e1208c42cf7457ee49ebd0N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 14 - 8 - 2024\\smss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 14 - 8 - 2024\\Gaara.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 14 - 8 - 2024\\Gaara.exe" | 5445d29b38e1208c42cf7457ee49ebd0N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "14-8-2024.exe" | 5445d29b38e1208c42cf7457ee49ebd0N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | system32.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 5445d29b38e1208c42cf7457ee49ebd0N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Drops desktop.ini file(s) (64 IoCs)
description | ioc | Process
File opened for modification | \??\P:\Desktop.ini | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File opened for modification | \??\Q:\Desktop.ini | smss.exe
File opened for modification | \??\L:\Desktop.ini | system32.exe
File opened for modification | \??\S:\Desktop.ini | csrss.exe
File opened for modification | \??\T:\Desktop.ini | csrss.exe
File opened for modification | \??\V:\Desktop.ini | csrss.exe
File opened for modification | \??\I:\Desktop.ini | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File opened for modification | \??\K:\Desktop.ini | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File opened for modification | \??\U:\Desktop.ini | Gaara.exe
File opened for modification | \??\W:\Desktop.ini | Kazekage.exe
File opened for modification | \??\L:\Desktop.ini | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File opened for modification | \??\Y:\Desktop.ini | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File opened for modification | \??\V:\Desktop.ini | system32.exe
File opened for modification | \??\Z:\Desktop.ini | Kazekage.exe
File opened for modification | \??\E:\Desktop.ini | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File opened for modification | \??\P:\Desktop.ini | smss.exe
File opened for modification | F:\Desktop.ini | Gaara.exe
File opened for modification | \??\R:\Desktop.ini | Gaara.exe
File opened for modification | \??\R:\Desktop.ini | csrss.exe
File opened for modification | \??\E:\Desktop.ini | Kazekage.exe
File opened for modification | \??\O:\Desktop.ini | Kazekage.exe
File opened for modification | \??\T:\Desktop.ini | system32.exe
File opened for modification | \??\A:\Desktop.ini | Gaara.exe
File opened for modification | \??\K:\Desktop.ini | Gaara.exe
File opened for modification | \??\V:\Desktop.ini | Gaara.exe
File opened for modification | \??\H:\Desktop.ini | Kazekage.exe
File opened for modification | F:\Desktop.ini | system32.exe
File opened for modification | \??\B:\Desktop.ini | smss.exe
File opened for modification | \??\K:\Desktop.ini | smss.exe
File opened for modification | \??\O:\Desktop.ini | smss.exe
File opened for modification | \??\N:\Desktop.ini | Gaara.exe
File opened for modification | \??\T:\Desktop.ini | Gaara.exe
File opened for modification | \??\Y:\Desktop.ini | Gaara.exe
File opened for modification | \??\M:\Desktop.ini | csrss.exe
File opened for modification | \??\N:\Desktop.ini | csrss.exe
File opened for modification | \??\K:\Desktop.ini | system32.exe
File opened for modification | D:\Desktop.ini | Gaara.exe
File opened for modification | \??\R:\Desktop.ini | smss.exe
File opened for modification | \??\X:\Desktop.ini | system32.exe
File opened for modification | F:\Desktop.ini | Kazekage.exe
File opened for modification | \??\O:\Desktop.ini | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File opened for modification | \??\S:\Desktop.ini | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File opened for modification | \??\E:\Desktop.ini | Gaara.exe
File opened for modification | \??\P:\Desktop.ini | Gaara.exe
File opened for modification | \??\Q:\Desktop.ini | Gaara.exe
File opened for modification | \??\W:\Desktop.ini | Gaara.exe
File opened for modification | \??\B:\Desktop.ini | Kazekage.exe
File opened for modification | C:\Desktop.ini | system32.exe
File opened for modification | \??\W:\Desktop.ini | csrss.exe
File opened for modification | D:\Desktop.ini | Kazekage.exe
File opened for modification | \??\I:\Desktop.ini | smss.exe
File opened for modification | \??\W:\Desktop.ini | smss.exe
File opened for modification | \??\W:\Desktop.ini | system32.exe
File opened for modification | \??\G:\Desktop.ini | Gaara.exe
File opened for modification | \??\A:\Desktop.ini | Kazekage.exe
File opened for modification | C:\Desktop.ini | smss.exe
File opened for modification | \??\B:\Desktop.ini | system32.exe
File opened for modification | \??\J:\Desktop.ini | system32.exe
File opened for modification | \??\I:\Desktop.ini | csrss.exe
File opened for modification | \??\U:\Desktop.ini | csrss.exe
File opened for modification | \??\S:\Desktop.ini | Kazekage.exe
File opened for modification | \??\Y:\Desktop.ini | Kazekage.exe
File opened for modification | \??\G:\Desktop.ini | smss.exe
File opened for modification | \??\P:\Desktop.ini | system32.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\W: | csrss.exe
File opened (read-only) | \??\Z: | Kazekage.exe
File opened (read-only) | \??\B: | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File opened (read-only) | \??\N: | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File opened (read-only) | \??\V: | smss.exe
File opened (read-only) | \??\W: | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File opened (read-only) | \??\W: | system32.exe
File opened (read-only) | \??\H: | Gaara.exe
File opened (read-only) | \??\M: | Kazekage.exe
File opened (read-only) | \??\Y: | Kazekage.exe
File opened (read-only) | \??\Q: | smss.exe
File opened (read-only) | \??\U: | smss.exe
File opened (read-only) | \??\H: | system32.exe
File opened (read-only) | \??\X: | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File opened (read-only) | \??\M: | csrss.exe
File opened (read-only) | \??\G: | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File opened (read-only) | \??\P: | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File opened (read-only) | \??\N: | smss.exe
File opened (read-only) | \??\K: | csrss.exe
File opened (read-only) | \??\V: | csrss.exe
File opened (read-only) | \??\T: | Kazekage.exe
File opened (read-only) | \??\W: | smss.exe
File opened (read-only) | \??\Y: | smss.exe
File opened (read-only) | \??\H: | csrss.exe
File opened (read-only) | \??\Z: | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File opened (read-only) | \??\B: | smss.exe
File opened (read-only) | \??\K: | Gaara.exe
File opened (read-only) | \??\Y: | csrss.exe
File opened (read-only) | \??\Z: | csrss.exe
File opened (read-only) | \??\Q: | Kazekage.exe
File opened (read-only) | \??\M: | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File opened (read-only) | \??\V: | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File opened (read-only) | \??\E: | smss.exe
File opened (read-only) | \??\P: | Gaara.exe
File opened (read-only) | \??\K: | Kazekage.exe
File opened (read-only) | \??\K: | smss.exe
File opened (read-only) | \??\X: | system32.exe
File opened (read-only) | \??\Z: | system32.exe
File opened (read-only) | \??\I: | csrss.exe
File opened (read-only) | \??\N: | system32.exe
File opened (read-only) | \??\U: | Gaara.exe
File opened (read-only) | \??\R: | Kazekage.exe
File opened (read-only) | \??\W: | Kazekage.exe
File opened (read-only) | \??\O: | smss.exe
File opened (read-only) | \??\O: | system32.exe
File opened (read-only) | \??\X: | Kazekage.exe
File opened (read-only) | \??\A: | smss.exe
File opened (read-only) | \??\T: | system32.exe
File opened (read-only) | \??\S: | Gaara.exe
File opened (read-only) | \??\E: | csrss.exe
File opened (read-only) | \??\L: | csrss.exe
File opened (read-only) | \??\S: | smss.exe
File opened (read-only) | \??\Q: | Gaara.exe
File opened (read-only) | \??\J: | system32.exe
File opened (read-only) | \??\A: | Kazekage.exe
File opened (read-only) | \??\U: | Kazekage.exe
File opened (read-only) | \??\X: | smss.exe
File opened (read-only) | \??\J: | csrss.exe
File opened (read-only) | \??\E: | Kazekage.exe
File opened (read-only) | \??\E: | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File opened (read-only) | \??\M: | smss.exe
File opened (read-only) | \??\R: | smss.exe
File opened (read-only) | \??\Z: | smss.exe
File opened (read-only) | \??\B: | Gaara.exe
Drops autorun.inf file (1 TTPs, 64 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File created | \??\H:\Autorun.inf | Gaara.exe
File opened for modification | \??\Z:\Autorun.inf | Gaara.exe
File opened for modification | \??\N:\Autorun.inf | csrss.exe
File opened for modification | \??\N:\Autorun.inf | Gaara.exe
File opened for modification | \??\L:\Autorun.inf | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File created | \??\I:\Autorun.inf | smss.exe
File opened for modification | F:\Autorun.inf | Gaara.exe
File created | \??\P:\Autorun.inf | Kazekage.exe
File created | \??\Z:\Autorun.inf | Kazekage.exe
File created | \??\V:\Autorun.inf | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File created | \??\L:\Autorun.inf | smss.exe
File created | \??\E:\Autorun.inf | csrss.exe
File created | \??\G:\Autorun.inf | system32.exe
File opened for modification | \??\R:\Autorun.inf | smss.exe
File created | \??\R:\Autorun.inf | Gaara.exe
File opened for modification | \??\A:\Autorun.inf | csrss.exe
File opened for modification | \??\I:\Autorun.inf | csrss.exe
File opened for modification | \??\H:\Autorun.inf | system32.exe
File opened for modification | \??\N:\Autorun.inf | Kazekage.exe
File created | \??\B:\Autorun.inf | system32.exe
File created | \??\O:\Autorun.inf | system32.exe
File opened for modification | \??\Q:\Autorun.inf | Kazekage.exe
File opened for modification | \??\M:\Autorun.inf | system32.exe
File opened for modification | \??\T:\Autorun.inf | system32.exe
File opened for modification | \??\O:\Autorun.inf | smss.exe
File opened for modification | \??\E:\Autorun.inf | Kazekage.exe
File created | \??\N:\Autorun.inf | Kazekage.exe
File opened for modification | \??\T:\Autorun.inf | Kazekage.exe
File opened for modification | \??\Q:\Autorun.inf | smss.exe
File created | \??\Y:\Autorun.inf | smss.exe
File created | \??\T:\Autorun.inf | Gaara.exe
File opened for modification | \??\J:\Autorun.inf | csrss.exe
File created | \??\U:\Autorun.inf | csrss.exe
File created | \??\T:\Autorun.inf | Kazekage.exe
File created | \??\A:\Autorun.inf | system32.exe
File created | \??\W:\Autorun.inf | system32.exe
File created | F:\Autorun.inf | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File opened for modification | \??\T:\Autorun.inf | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File opened for modification | \??\W:\Autorun.inf | Gaara.exe
File opened for modification | \??\A:\Autorun.inf | system32.exe
File created | \??\Q:\Autorun.inf | system32.exe
File opened for modification | \??\R:\Autorun.inf | system32.exe
File opened for modification | \??\S:\Autorun.inf | system32.exe
File opened for modification | \??\Z:\Autorun.inf | smss.exe
File created | \??\K:\Autorun.inf | Gaara.exe
File created | \??\Y:\Autorun.inf | Gaara.exe
File opened for modification | \??\O:\Autorun.inf | csrss.exe
File created | \??\W:\Autorun.inf | csrss.exe
File opened for modification | \??\P:\Autorun.inf | system32.exe
File created | \??\U:\Autorun.inf | smss.exe
File opened for modification | \??\U:\Autorun.inf | Gaara.exe
File opened for modification | \??\H:\Autorun.inf | csrss.exe
File opened for modification | \??\I:\Autorun.inf | system32.exe
File opened for modification | \??\V:\Autorun.inf | system32.exe
File opened for modification | \??\Z:\Autorun.inf | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File created | \??\T:\Autorun.inf | csrss.exe
File opened for modification | D:\Autorun.inf | system32.exe
File created | \??\G:\Autorun.inf | Gaara.exe
File opened for modification | \??\I:\Autorun.inf | Gaara.exe
File opened for modification | F:\Autorun.inf | csrss.exe
File opened for modification | \??\P:\Autorun.inf | csrss.exe
File opened for modification | \??\V:\Autorun.inf | csrss.exe
File created | \??\W:\Autorun.inf | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File created | \??\V:\Autorun.inf | smss.exe
Drops file in System32 directory 39 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\14-8-2024.exe | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | Kazekage.exe
File created | C:\Windows\SysWOW64\14-8-2024.exe | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | smss.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | system32.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | system32.exe
File opened for modification | C:\Windows\SysWOW64\14-8-2024.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\ | smss.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | csrss.exe
File opened for modification | C:\Windows\SysWOW64\ | csrss.exe
File opened for modification | C:\Windows\SysWOW64\ | system32.exe
File opened for modification | C:\Windows\SysWOW64\14-8-2024.exe | smss.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | smss.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | csrss.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | system32.exe
File opened for modification | C:\Windows\SysWOW64\14-8-2024.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\ | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\ | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | Gaara.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\SysWOW64\14-8-2024.exe | Gaara.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\ | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\14-8-2024.exe | system32.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | system32.exe
File created | C:\Windows\SysWOW64\Desktop.ini | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File created | C:\Windows\SysWOW64\mscomctl.ocx | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | csrss.exe
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | 5445d29b38e1208c42cf7457ee49ebd0N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | smss.exe
Drops file in Windows directory 64 IoCs
description | ioc | Process
File created | C:\Windows\Fonts\The Kazekage.jpg | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File opened for modification | C:\Windows\Fonts\Admin 14 - 8 - 2024\Gaara.exe | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File opened for modification | C:\Windows\msvbvm60.dll | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | system32.exe
File opened for modification | C:\Windows\system\mscoree.dll | smss.exe
File opened for modification | C:\Windows\msvbvm60.dll | smss.exe
File created | C:\Windows\Fonts\Admin 14 - 8 - 2024\Gaara.exe | Kazekage.exe
File created | C:\Windows\WBEM\msvbvm60.dll | smss.exe
File created | C:\Windows\WBEM\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\system\mscoree.dll | Kazekage.exe
File opened for modification | C:\Windows\Fonts\Admin 14 - 8 - 2024\Gaara.exe | Kazekage.exe
File opened for modification | C:\Windows\mscomctl.ocx | Kazekage.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File created | C:\Windows\Fonts\Admin 14 - 8 - 2024\csrss.exe | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File opened for modification | C:\Windows\Fonts\Admin 14 - 8 - 2024\csrss.exe | system32.exe
File created | C:\Windows\Fonts\Admin 14 - 8 - 2024\Gaara.exe | smss.exe
File opened for modification | C:\Windows\ | system32.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | csrss.exe
File opened for modification | C:\Windows\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\Fonts\Admin 14 - 8 - 2024\smss.exe | system32.exe
File created | C:\Windows\Fonts\Admin 14 - 8 - 2024\csrss.exe | Gaara.exe
File created | C:\Windows\Fonts\Admin 14 - 8 - 2024\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\Fonts\Admin 14 - 8 - 2024\csrss.exe | csrss.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | Kazekage.exe
File opened for modification | C:\Windows\mscomctl.ocx | Gaara.exe
File opened for modification | C:\Windows\ | smss.exe
File opened for modification | C:\Windows\mscomctl.ocx | system32.exe
File created | C:\Windows\Fonts\Admin 14 - 8 - 2024\Gaara.exe | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File opened for modification | C:\Windows\Fonts\Admin 14 - 8 - 2024\msvbvm60.dll | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File created | C:\Windows\system\msvbvm60.dll | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | smss.exe
File opened for modification | C:\Windows\Fonts\Admin 14 - 8 - 2024\Gaara.exe | Gaara.exe
File created | C:\Windows\WBEM\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\system\mscoree.dll | system32.exe
File created | C:\Windows\Fonts\Admin 14 - 8 - 2024\Gaara.exe | system32.exe
File opened for modification | C:\Windows\Fonts\Admin 14 - 8 - 2024\smss.exe | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File opened for modification | C:\Windows\Fonts\Admin 14 - 8 - 2024\csrss.exe | smss.exe
File created | C:\Windows\Fonts\Admin 14 - 8 - 2024\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\Fonts\Admin 14 - 8 - 2024\smss.exe | csrss.exe
File opened for modification | C:\Windows\Fonts\Admin 14 - 8 - 2024\Gaara.exe | csrss.exe
File opened for modification | C:\Windows\Fonts\Admin 14 - 8 - 2024\smss.exe | Kazekage.exe
File created | C:\Windows\Fonts\Admin 14 - 8 - 2024\msvbvm60.dll | system32.exe
File opened for modification | C:\Windows\system\mscoree.dll | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\Fonts\Admin 14 - 8 - 2024\csrss.exe | Gaara.exe
File opened for modification | C:\Windows\ | csrss.exe
File created | C:\Windows\WBEM\msvbvm60.dll | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File opened for modification | C:\Windows\Fonts\Admin 14 - 8 - 2024\smss.exe | Gaara.exe
File opened for modification | C:\Windows\msvbvm60.dll | Gaara.exe
File created | C:\Windows\Fonts\Admin 14 - 8 - 2024\smss.exe | csrss.exe
File opened for modification | C:\Windows\Fonts\Admin 14 - 8 - 2024\Gaara.exe | system32.exe
File created | C:\Windows\Fonts\Admin 14 - 8 - 2024\smss.exe | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File created | C:\Windows\Fonts\Admin 14 - 8 - 2024\csrss.exe | csrss.exe
File created | C:\Windows\Fonts\Admin 14 - 8 - 2024\csrss.exe | smss.exe
File opened for modification | C:\Windows\Fonts\Admin 14 - 8 - 2024\csrss.exe | Kazekage.exe
File created | C:\Windows\WBEM\msvbvm60.dll | system32.exe
File created | C:\Windows\Fonts\Admin 14 - 8 - 2024\msvbvm60.dll | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File created | C:\Windows\msvbvm60.dll | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | 5445d29b38e1208c42cf7457ee49ebd0N.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\system\mscoree.dll | csrss.exe
File created | C:\Windows\Fonts\Admin 14 - 8 - 2024\msvbvm60.dll | csrss.exe
File created | C:\Windows\Fonts\Admin 14 - 8 - 2024\smss.exe | smss.exe
File created | C:\Windows\Fonts\Admin 14 - 8 - 2024\smss.exe | Gaara.exe
System Location Discovery: System Language Discovery 1 TTPs 51 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kazekage.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kazekage.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kazekage.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaara.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaara.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kazekage.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaara.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kazekage.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kazekage.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5445d29b38e1208c42cf7457ee49ebd0N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaara.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaara.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaara.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 20 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
4456 | ping.exe
1484 | ping.exe
2824 | ping.exe
2232 | ping.exe
3404 | ping.exe
3096 | ping.exe
4416 | ping.exe
1880 | ping.exe
2908 | ping.exe
2200 | ping.exe
4676 | ping.exe
4768 | ping.exe
3040 | ping.exe
340 | ping.exe
1500 | ping.exe
3608 | ping.exe
4596 | ping.exe
2748 | ping.exe
3776 | ping.exe
4396 | ping.exe
Modifies Control Panel 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | 5445d29b38e1208c42cf7457ee49ebd0N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | 5445d29b38e1208c42cf7457ee49ebd0N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Screen Saver.Marquee\Size = "72" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Screen Saver.Marquee\Size = "72" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | 5445d29b38e1208c42cf7457ee49ebd0N.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | 5445d29b38e1208c42cf7457ee49ebd0N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\WallpaperStyle = "2" | 5445d29b38e1208c42cf7457ee49ebd0N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | Kazekage.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Screen Saver.Marquee | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | 5445d29b38e1208c42cf7457ee49ebd0N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | 5445d29b38e1208c42cf7457ee49ebd0N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Screen Saver.Marquee\Size = "72" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Screen Saver.Marquee | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | system32.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\WallpaperStyle = "2" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Screen Saver.Marquee\Size = "72" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\WallpaperStyle = "2" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Screen Saver.Marquee\Size = "72" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | 5445d29b38e1208c42cf7457ee49ebd0N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | 5445d29b38e1208c42cf7457ee49ebd0N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\WallpaperStyle = "2" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\WallpaperStyle = "2" | Kazekage.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Screen Saver.Marquee | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Screen Saver.Marquee\Size = "72" | 5445d29b38e1208c42cf7457ee49ebd0N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | 5445d29b38e1208c42cf7457ee49ebd0N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | csrss.exe
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | Gaara.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main | Kazekage.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main | 5445d29b38e1208c42cf7457ee49ebd0N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | 5445d29b38e1208c42cf7457ee49ebd0N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | system32.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | Kazekage.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | smss.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main | system32.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main | csrss.exe
Modifies registry class 51 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | 5445d29b38e1208c42cf7457ee49ebd0N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | 5445d29b38e1208c42cf7457ee49ebd0N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | 5445d29b38e1208c42cf7457ee49ebd0N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | 5445d29b38e1208c42cf7457ee49ebd0N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | 5445d29b38e1208c42cf7457ee49ebd0N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | 5445d29b38e1208c42cf7457ee49ebd0N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | 5445d29b38e1208c42cf7457ee49ebd0N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | 5445d29b38e1208c42cf7457ee49ebd0N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | csrss.exe
Runs ping.exe 1 TTPs 20 IoCs
pid  Process
1880  ping.exe
2232  ping.exe
2824  ping.exe
1484  ping.exe
4676  ping.exe
340  ping.exe
3404  ping.exe
4596  ping.exe
2748  ping.exe
3776  ping.exe
4416  ping.exe
3040  ping.exe
3096  ping.exe
3608  ping.exe
4456  ping.exe
4396  ping.exe
2908  ping.exe
2200  ping.exe
1500  ping.exe
4768  ping.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid  Process  (occurrences)
2932  Gaara.exe  (24)
860  csrss.exe  (24)
3612  Kazekage.exe  (16)
-
Suspicious use of SetWindowsHookEx 31 IoCs
pid  Process
5084  5445d29b38e1208c42cf7457ee49ebd0N.exe
4320  smss.exe
1540  smss.exe
2932  Gaara.exe
884  smss.exe
1928  Gaara.exe
860  csrss.exe
4556  smss.exe
692  Gaara.exe
2768  csrss.exe
3612  Kazekage.exe
2196  smss.exe
4380  Gaara.exe
3140  csrss.exe
3508  Kazekage.exe
320  system32.exe
2740  smss.exe
4512  Gaara.exe
2224  csrss.exe
4472  Kazekage.exe
2732  system32.exe
5008  system32.exe
3668  Kazekage.exe
4892  system32.exe
1688  csrss.exe
4528  Kazekage.exe
2880  system32.exe
1780  Gaara.exe
4288  csrss.exe
2580  Kazekage.exe
1276  system32.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target  (occurrences)
PID 5084 wrote to memory of 4320  5084  5445d29b38e1208c42cf7457ee49ebd0N.exe  84  (3)
PID 4320 wrote to memory of 1540  4320  smss.exe  87  (3)
PID 4320 wrote to memory of 2932  4320  smss.exe  88  (3)
PID 2932 wrote to memory of 884  2932  Gaara.exe  89  (3)
PID 2932 wrote to memory of 1928  2932  Gaara.exe  90  (3)
PID 2932 wrote to memory of 860  2932  Gaara.exe  91  (3)
PID 860 wrote to memory of 4556  860  csrss.exe  92  (3)
PID 860 wrote to memory of 692  860  csrss.exe  93  (3)
PID 860 wrote to memory of 2768  860  csrss.exe  94  (3)
PID 860 wrote to memory of 3612  860  csrss.exe  95  (3)
PID 3612 wrote to memory of 2196  3612  Kazekage.exe  96  (3)
PID 3612 wrote to memory of 4380  3612  Kazekage.exe  97  (3)
PID 3612 wrote to memory of 3140  3612  Kazekage.exe  98  (3)
PID 3612 wrote to memory of 3508  3612  Kazekage.exe  99  (3)
PID 3612 wrote to memory of 320  3612  Kazekage.exe  100  (3)
PID 320 wrote to memory of 2740  320  system32.exe  103  (3)
PID 320 wrote to memory of 4512  320  system32.exe  104  (3)
PID 320 wrote to memory of 2224  320  system32.exe  105  (3)
PID 320 wrote to memory of 4472  320  system32.exe  106  (3)
PID 320 wrote to memory of 2732  320  system32.exe  107  (3)
PID 860 wrote to memory of 5008  860  csrss.exe  108  (3)
PID 2932 wrote to memory of 3668  2932  Gaara.exe  109  (1)
-
System policy modification 1 TTPs 12 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  csrss.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  5445d29b38e1208c42cf7457ee49ebd0N.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  smss.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  system32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  Gaara.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  Gaara.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  csrss.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  Kazekage.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  Kazekage.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  5445d29b38e1208c42cf7457ee49ebd0N.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  smss.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  system32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5445d29b38e1208c42cf7457ee49ebd0N.exe  "C:\Users\Admin\AppData\Local\Temp\5445d29b38e1208c42cf7457ee49ebd0N.exe"  (level 1)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5084 -
C:\Windows\Fonts\Admin 14 - 8 - 2024\smss.exe  "C:\Windows\Fonts\Admin 14 - 8 - 2024\smss.exe"  (level 2)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4320 -
C:\Windows\Fonts\Admin 14 - 8 - 2024\smss.exe  "C:\Windows\Fonts\Admin 14 - 8 - 2024\smss.exe"  (level 3)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1540
-
-
C:\Windows\Fonts\Admin 14 - 8 - 2024\Gaara.exe  "C:\Windows\Fonts\Admin 14 - 8 - 2024\Gaara.exe"  (level 3)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2932 -
C:\Windows\Fonts\Admin 14 - 8 - 2024\smss.exe  "C:\Windows\Fonts\Admin 14 - 8 - 2024\smss.exe"  (level 4)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:884
-
-
C:\Windows\Fonts\Admin 14 - 8 - 2024\Gaara.exe  "C:\Windows\Fonts\Admin 14 - 8 - 2024\Gaara.exe"  (level 4)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1928
-
-
C:\Windows\Fonts\Admin 14 - 8 - 2024\csrss.exe  "C:\Windows\Fonts\Admin 14 - 8 - 2024\csrss.exe"  (level 4)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:860 -
C:\Windows\Fonts\Admin 14 - 8 - 2024\smss.exe  "C:\Windows\Fonts\Admin 14 - 8 - 2024\smss.exe"  (level 5)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4556
-
-
C:\Windows\Fonts\Admin 14 - 8 - 2024\Gaara.exe  "C:\Windows\Fonts\Admin 14 - 8 - 2024\Gaara.exe"  (level 5)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:692
-
-
C:\Windows\Fonts\Admin 14 - 8 - 2024\csrss.exe  "C:\Windows\Fonts\Admin 14 - 8 - 2024\csrss.exe"  (level 5)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2768
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exe  C:\Windows\system32\drivers\Kazekage.exe  (level 5)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3612 -
C:\Windows\Fonts\Admin 14 - 8 - 2024\smss.exe  "C:\Windows\Fonts\Admin 14 - 8 - 2024\smss.exe"  (level 6)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2196
-
-
C:\Windows\Fonts\Admin 14 - 8 - 2024\Gaara.exe  "C:\Windows\Fonts\Admin 14 - 8 - 2024\Gaara.exe"  (level 6)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4380
-
-
C:\Windows\Fonts\Admin 14 - 8 - 2024\csrss.exe  "C:\Windows\Fonts\Admin 14 - 8 - 2024\csrss.exe"  (level 6)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3140
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exe  C:\Windows\system32\drivers\Kazekage.exe  (level 6)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3508
-
-
C:\Windows\SysWOW64\drivers\system32.exe  C:\Windows\system32\drivers\system32.exe  (level 6)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:320 -
C:\Windows\Fonts\Admin 14 - 8 - 2024\smss.exe  "C:\Windows\Fonts\Admin 14 - 8 - 2024\smss.exe"  (level 7)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2740
-
-
C:\Windows\Fonts\Admin 14 - 8 - 2024\Gaara.exe  "C:\Windows\Fonts\Admin 14 - 8 - 2024\Gaara.exe"  (level 7)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4512
-
-
C:\Windows\Fonts\Admin 14 - 8 - 2024\csrss.exe  "C:\Windows\Fonts\Admin 14 - 8 - 2024\csrss.exe"  (level 7)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2224
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exe  C:\Windows\system32\drivers\Kazekage.exe  (level 7)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4472
-
-
C:\Windows\SysWOW64\drivers\system32.exe  C:\Windows\system32\drivers\system32.exe  (level 7)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2732
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  (level 7)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3096
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  (level 7)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3608
-
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  (level 6)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1500
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  (level 6)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2200
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  (level 6)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4768
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  (level 6)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1484
-
-
-
C:\Windows\SysWOW64\drivers\system32.exe  C:\Windows\system32\drivers\system32.exe  (level 5)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5008
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  (level 5)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2908
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  (level 5)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2824
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  (level 5)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4416
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  (level 5)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4676
-
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exe  C:\Windows\system32\drivers\Kazekage.exe  (level 4)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3668
-
-
C:\Windows\SysWOW64\drivers\system32.exe  C:\Windows\system32\drivers\system32.exe  (level 4)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4892
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  (level 4)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2232
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  (level 4)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3404
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  (level 4)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3776
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  (level 4)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2748
-
-
-
C:\Windows\Fonts\Admin 14 - 8 - 2024\csrss.exe  "C:\Windows\Fonts\Admin 14 - 8 - 2024\csrss.exe"  (level 3)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1688
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exe  C:\Windows\system32\drivers\Kazekage.exe  (level 3)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4528
-
-
C:\Windows\SysWOW64\drivers\system32.exe  C:\Windows\system32\drivers\system32.exe  (level 3)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2880
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  (level 3)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4396
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  (level 3)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:340
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  (level 3)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4596
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  (level 3)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4456
-
-
-
C:\Windows\Fonts\Admin 14 - 8 - 2024\Gaara.exe  "C:\Windows\Fonts\Admin 14 - 8 - 2024\Gaara.exe"  (level 2)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1780
-
-
C:\Windows\Fonts\Admin 14 - 8 - 2024\csrss.exe  "C:\Windows\Fonts\Admin 14 - 8 - 2024\csrss.exe"  (level 2)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4288
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exe  C:\Windows\system32\drivers\Kazekage.exe  (level 2)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2580
-
-
C:\Windows\SysWOW64\drivers\system32.exe  C:\Windows\system32\drivers\system32.exe  (level 2)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1276
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  (level 2)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1880
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  (level 2)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3040
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (8)
Downloads
-
Filesize  736B
MD5  bb5d6abdf8d0948ac6895ce7fdfbc151
SHA1  9266b7a247a4685892197194d2b9b86c8f6dddbd
SHA256  5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512  878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c
-
Filesize  196B
MD5  1564dfe69ffed40950e5cb644e0894d1
SHA1  201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256  be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA512  72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097
-
Filesize  148KB
MD5  d735fa7c8212cb576b475cbbd3cf2291
SHA1  4abde50a5faa7aec221b9b67eefb1c3b12d030d6
SHA256  167e511e51c174ae9efd7a760dabc65bb33cd57853ee1d97824e8216a32db980
SHA512  98a8de6d2964cc9f5ac6bd49fb0179da6b5bbba6776e5c014451dca4a2173c82aef200736fa94b1e7128ea22c34281af885966d475b925f5009f448628d51815
-
Filesize  148KB
MD5  d4a9673d97873aa673b1e0a1ab8cb9da
SHA1  a6c8a79073291d56329421f9400ad9296669182c
SHA256  092d88c7a5171742b79bff62afd69bfb2f04e56f140e4f8959f2db32b0d65ece
SHA512  aea24ebbea14db48e59ad8725a96d67b5b48ebed364b7c2055dbfd0fa8a2c04d69c896c4134a97530d7a492aba2e476331582d4638a80473df985b85ff3b04fd
-
Filesize  148KB
MD5  35220d7f469f8eb10bd67bdf99055af1
SHA1  c70222176f0c43036d4ececd307e6cfab719d157
SHA256  536411616b490ce4bd34268470dd92c2e302b47debf4d00f25fbec271a16161b
SHA512  03dfe8999af3b2e6ef6ce99c5692448901b019e41a092df1597e8fe0ff5d313f0191b7c513c3909b0819ba29ba518a68fa129c5fedf98a3f65b2cda49febca5a
-
Filesize  148KB
MD5  8d6446f4124e028b359df25baccf79f6
SHA1  649285c18e2ec64309dbbb3008ec207a955993fd
SHA256  e78aca12a880c6bc7030b1756c3480dc00d3e33096fde37a6ea01de361ac2828
SHA512  74cbf6f7dd3ca16eaf890f36e9583bb9c6cf3219bfdc134c49a09031600bf6325dbaefcbe616fcd142c2a728fed7009a7d7c8f41cb7ca252be8aa470149607eb
-
Filesize  1.4MB
MD5  d6b05020d4a0ec2a3a8b687099e335df
SHA1  df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256  9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA512  78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff
-
Filesize  148KB
MD5  9a2e05dac6e847a4ada3b8f69c2e26c7
SHA1  3e7a653779d68cd05ed65626513a8e9aea06d74f
SHA256  bcb669d994f4275648bc5e5edbcc1545deaf3684454615eae4256cd7e397829a
SHA512  c4e07db33842245d8120b2a98382dc1354d54298f1bedba2749b425689eb87b45c045abb537b8d37232bf101f30a62fdc659ee0fd93fae737a244f22cba74472
-
Filesize  148KB
MD5  6f85c44235aaee4d8882eaf3a2d67f32
SHA1  e7db0f0e3269f32029378e3a54d5c20d4220f4f3
SHA256  b57bf74adc1c947d30e906aa733a3965b84f80258e427d206e25f4e00876ff21
SHA512  34773f8faa5b118581d88053311c3bac1de28b7e1be3be7993802a89de4aa9b8fee97a940a6a0715986025c3a698c754e717dbc22a8088923ebc78e6d20978f3
-
Filesize  148KB
MD5  176028484ee9aac9ea885b55d4f17099
SHA1  b7f27438d8578250c566c26a3781db1463ceabea
SHA256  6449c33cf4e35b2365191555ea005b8163b153742c45f07e5ab5acd34dc66180
SHA512  aa774cd3aa633e96cf4987412dc9d85c2ec9d7e17b81bd5809b3a372cdfe52fb0943e8d550467497e579c6fffa52ae92c49f3a1d8426770a802e97827eb86542
-
Filesize  148KB
MD5  a79fcc5043608a00603e4116ffa44394
SHA1  e2f42bbc029938e81e7826e8c863b59c806151bb
SHA256  1929e26a9442c0811762cb1dba0f2ffc9b134671a790e1dfc07fff5cea22bf51
SHA512  134d9809588a594bd30a9cbeed480b07bb0cd181cb67554df1584bcbb344da759f634cac93cd745d854b33ad280cf7fef4e5382852bbfc0a0883c330bcc355e7
-
Filesize  65B
MD5  64acfa7e03b01f48294cf30d201a0026
SHA1  10facd995b38a095f30b4a800fa454c0bcbf8438
SHA256  ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA512  65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a
-
Filesize  148KB
MD5  8fbe54929f0e6df8585e2515dc2aa0c4
SHA1  190ca42b6bce383831c68811cfe712815547b5ae
SHA256  d1b3b6baf478ccbf03cef8774ebe3bb96f3fcc3c2b0254d593b702fd954a611c
SHA512  ebdb9b5eddb2e2b813c02bb480ee7606fb46770a3513619b9d4e735b69b1219980d2029e1a6bd3aaf75041aef17ee3fd7fcc21d7ae27da223955c4685b917fed
-
Filesize  148KB
MD5  ee96b34d12e8f456ea26713acde01c69
SHA1  ea50d6efb9d675e7847e357748e5fd46b8b72786
SHA256  cc3d4e4190209955db6958f04b0c6dd41c714dd937965626bec2cb7ec2e5b412
SHA512  a9b06652bd843d1c3735f8fea7bf05dd724ab3507c5a365d83f364f060c3e86a4e273b13b47d7fe30f1ccdeceac351fc240980608bd67e3f7e3221e6f0fb40cb
-
Filesize  148KB
MD5  21733c522eca4f74d37274dc917eee79
SHA1  7256a2137a189f65770e071330684674d1db3c26
SHA256  5fa735ee367ee0ae0591e42cae6f07315d20661a4b048d5b4f6c41ce1d26d9a9
SHA512  29d71ab855c835ecdf597b81e7d513f9d7d5e38efd0a7443171b12720330a8347021e340abd02f6f24d70b3da795414f29e1ae6e2c979a4ece590cb21798f6e4
-
Filesize  148KB
MD5  eac09fbb545e7e0d51f198489fcfdd77
SHA1  128d9c2626a27484b2d45ec6ee86f01df7085b9b
SHA256  579edc1deec312638c32ca9a3b17f09dc02c4beb2f850d7e87fc4ecc78be79ff
SHA512  f1fc590f85990d83c965d7e09a4d4e54c5364cbd4eb6a3946fb8853dc3c025cd42cce3a2a636787d1f6126e2b901857bf82f08f131ce980802589be941bb0aa6
-
Filesize  148KB
MD5  ce41995fdcb85e1f93d5c9d236165435
SHA1  1c530d5bd4bde7f5202aa0ced1af5d82bf260c95
SHA256  ee73ac8c4c301053fa7da15556a54210dbaa544e14120b9b3f715d5864d8d4e5
SHA512  459cbe356d1c4d97c54a2bbd29e9abf1d4bfa81f8fc402151bf0400cb7741afe3695f38abc928be1ec8e68486aec0a9eeaa42dd8305ced4fbc0bd4818f577179
-
Filesize  148KB
MD5  b4b8f312605e0d34d7b67588959748ef
SHA1  bd88108d8680f6cb6aadb8024f37d3bc4f02de28
SHA256  2110c9bdb7af57777f485546db47ada9aabcfdb5e7f05d5de6093f12ad51ae92
SHA512  b192a4df5d01f6c061ca402b80c625fc3fb36e5a857c311f6f14ef40abf4fc4f1a0136c029819f999c127eee1d51d670e898190d6d89b9f7155261e94aed4cae
-
Filesize  148KB
MD5  3711e79a49b10e318f6874ba5749583b
SHA1  1a8d34e9e32cd8a33535f2bb9c03923a4afc95e5
SHA256  220071125d2487e0592fc4db00ef5829d36245d2a9e7ec8262f6a60e48080737
SHA512  e0c905cc08cf37d8608beb0b5ad788e7e1bd68d628bcfe22b680de649042d4c44e154740b16d6298c59a123538e89d05908eb7878ab2c4ef62164d5b318d4c06
-
Filesize  1.4MB
MD5  25f62c02619174b35851b0e0455b3d94
SHA1  4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256  898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512  f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize  1016KB
MD5  48381372e81cd12b5789c18aae3da765
SHA1  48651625020deb8de195debb4315eaac0c2c8ce4
SHA256  13a45f821672d42d1fcb109b6626877395d5b931f0169376f64a6253fe7c0e3c
SHA512  ed7b03f141d1954715638ec7980aea2836d0b63b900dc3fd483c96fffabcc9efe9e063c25174c1209c7d3cbe15605166911ebbd2a50bbd9581c0c4eccaa0ae97
-
Filesize  148KB
MD5  5445d29b38e1208c42cf7457ee49ebd0
SHA1  ddfbc4ad07b733a1a19decaaf18c92bcac8880a5
SHA256  0a560b139bf877671cdcbee6f10f1a8faa7cbc5f5caf32c302b1b02a04e1e6c1
SHA512  08bc4527a29561e87a2129a9015da9eddd6db32e52b71ba55d7837b83c8166235b26febe35df3c33bf153db5829c3b565a6072fed2d820c693158ce193b87c41