Analysis
max time kernel: 120s
max time network: 119s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 22/08/2024, 22:03
Static task: static1
Behavioral task: behavioral1
  Sample: 9469e78f405795ec4c02ce5d9b479bf0N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 9469e78f405795ec4c02ce5d9b479bf0N.exe
  Resource: win10v2004-20240802-en
General
Target: 9469e78f405795ec4c02ce5d9b479bf0N.exe
Size: 148KB
MD5: 9469e78f405795ec4c02ce5d9b479bf0
SHA1: fda420f07893db4e065b7249fb7e9d16a72e53ea
SHA256: 22bbdb6b0fe902df3383ccf29d6047c5f104036316e67d5fd6adc82b68a99a0f
SHA512: 4774c113756f0a7ff363a0b0bfdf865e5b627a404844907a6ea147878506a6d27237e221139ed240089191a3896baa717ba79b9c8d33e18f787d08a254884416
SSDEEP: 1536:IJo0IHgL2AHfb1mzaFXg+xsukl4Y17jsgS/jHagQNuXGpeVTV:sx6AHjYzaFXg+w17jsgS/jHagQg19V
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | system32.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | system32.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | system32.exe
Sets EnableLUA to 0 (disables UAC) (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Disables RegEdit via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | system32.exe
Disables use of System Restore points (1 TTPs)
Drops file in Drivers directory (24 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
Event Triggered Execution: Image File Execution Options Injection (1 TTPs, 64 IoCs)
description | ioc (all keys are under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\) | Process
Set value (str) | Rin.exe\Debugger = "cmd.exe /c del" | smss.exe
Key created | kspoold.exe | Gaara.exe
Key created | kspoold.exe | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Set value (str) | KakashiHatake.exe\Debugger = "cmd.exe /c del" | csrss.exe
Key created | Funny UST Scandal.avi.exe | system32.exe
Set value (str) | kspool.exe\Debugger = "cmd.exe /c del" | smss.exe
Key created | KakashiHatake.exe | smss.exe
Key created | msconfig.exe | csrss.exe
Key created | mmc.exe | smss.exe
Key created | cscript.exe | smss.exe
Set value (str) | Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Set value (str) | wscript.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Set value (str) | regedit.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Key created | rstrui.exe | Kazekage.exe
Set value (str) | regedit.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Set value (str) | Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | smss.exe
Key created | regedt32.exe | Gaara.exe
Set value (str) | regedt32.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Key created | kspoold.exe | Kazekage.exe
Key created | Obito.exe | system32.exe
Set value (str) | Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | system32.exe
Set value (str) | cscript.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Set value (str) | HokageFile.exe\Debugger = "cmd.exe /c del" | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Key created | wscript.exe | Gaara.exe
Key created | kspoold.exe | smss.exe
Set value (str) | kspoold.exe\Debugger = "cmd.exe /c del" | csrss.exe
Key created | wscript.exe | system32.exe
Key created | mmc.exe | Gaara.exe
Key created | Obito.exe | csrss.exe
Set value (str) | procexp.exe\Debugger = "cmd.exe /c del" | csrss.exe
Set value (str) | kspoold.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Key created | Thumbs.com | system32.exe
Set value (str) | regedit.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Set value (str) | Thumbs.com\Debugger = "cmd.exe /c del" | system32.exe
Key created | msconfig.exe | smss.exe
Key created | Thumbs.com | csrss.exe
Key created | regedt32.exe | csrss.exe
Set value (str) | msconfig.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Key created | Obito.exe | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Key created | Rin.exe | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Key created | Obito.exe | Gaara.exe
Key created | HokageFile.exe | csrss.exe
Key created | Funny UST Scandal.avi.exe | Kazekage.exe
Key created | Rin.exe | Kazekage.exe
Key created | kspoold.exe | system32.exe
Key created | rstrui.exe | smss.exe
Set value (str) | wscript.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Set value (str) | regedt32.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Set value (str) | Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Key created | mmc.exe | system32.exe
Key created | mmc.exe | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Key created | kspool.exe | Gaara.exe
Set value (str) | taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Key created | HokageFile.exe | Kazekage.exe
Set value (str) | msconfig.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Key created | mmc.exe | csrss.exe
Set value (str) | procexp.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Set value (str) | kspool.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Key created | Rin.exe | Gaara.exe
Set value (str) | kspoold.exe\Debugger = "cmd.exe /c del" | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Key created | HOKAGE4.exe | Gaara.exe
Key created | KakashiHatake.exe | Kazekage.exe
Set value (str) | Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Set value (str) | HOKAGE4.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Executes dropped EXE (30 IoCs)
pid | Process
2428 | smss.exe
2876 | smss.exe
2724 | Gaara.exe
916 | smss.exe
2620 | Gaara.exe
1640 | csrss.exe
544 | smss.exe
776 | Gaara.exe
2976 | csrss.exe
2168 | Kazekage.exe
408 | smss.exe
2016 | Gaara.exe
348 | csrss.exe
1248 | Kazekage.exe
1732 | system32.exe
1944 | smss.exe
1508 | Gaara.exe
908 | csrss.exe
660 | Kazekage.exe
2076 | system32.exe
2268 | system32.exe
1532 | Kazekage.exe
340 | system32.exe
2964 | csrss.exe
828 | Kazekage.exe
2468 | system32.exe
2476 | Gaara.exe
1872 | csrss.exe
888 | Kazekage.exe
1880 | system32.exe
Loads dropped DLL (64 IoCs)
pid | Process
2308 | 9469e78f405795ec4c02ce5d9b479bf0N.exe
2308 | 9469e78f405795ec4c02ce5d9b479bf0N.exe
2428 | smss.exe
2428 | smss.exe
2876 | smss.exe
2428 | smss.exe
2428 | smss.exe
2724 | Gaara.exe
2724 | Gaara.exe
2724 | Gaara.exe
916 | smss.exe
2724 | Gaara.exe
2620 | Gaara.exe
2724 | Gaara.exe
2724 | Gaara.exe
1640 | csrss.exe
1640 | csrss.exe
1640 | csrss.exe
544 | smss.exe
1640 | csrss.exe
1640 | csrss.exe
776 | Gaara.exe
1640 | csrss.exe
2976 | csrss.exe
1640 | csrss.exe
1640 | csrss.exe
2168 | Kazekage.exe
2168 | Kazekage.exe
408 | smss.exe
2168 | Kazekage.exe
2168 | Kazekage.exe
2016 | Gaara.exe
2168 | Kazekage.exe
2168 | Kazekage.exe
348 | csrss.exe
2168 | Kazekage.exe
2168 | Kazekage.exe
2168 | Kazekage.exe
2168 | Kazekage.exe
1732 | system32.exe
1732 | system32.exe
1944 | smss.exe
1732 | system32.exe
1732 | system32.exe
1508 | Gaara.exe
1732 | system32.exe
1732 | system32.exe
908 | csrss.exe
1732 | system32.exe
1732 | system32.exe
1732 | system32.exe
1732 | system32.exe
1640 | csrss.exe
1640 | csrss.exe
2724 | Gaara.exe
2724 | Gaara.exe
2724 | Gaara.exe
2724 | Gaara.exe
2428 | smss.exe
2428 | smss.exe
2964 | csrss.exe
2428 | smss.exe
2428 | smss.exe
2428 | smss.exe
Adds Run key to start application (2 TTPs, 24 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "22-8-2024.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 22 - 8 - 2024\\Gaara.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 22 - 8 - 2024\\smss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "22-8-2024.exe" | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 22 - 8 - 2024\\smss.exe" | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 22 - 8 - 2024\\Gaara.exe" | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 22 - 8 - 2024\\Gaara.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 22 - 8 - 2024\\Gaara.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 22 - 8 - 2024\\smss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 22 - 8 - 2024\\smss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "22-8-2024.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 22 - 8 - 2024\\Gaara.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 22 - 8 - 2024\\Gaara.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "22-8-2024.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 22 - 8 - 2024\\smss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "22-8-2024.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "22-8-2024.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 22 - 8 - 2024\\smss.exe" | Gaara.exe
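The registry writes recorded above (Winlogon Shell/Userinit, the four Run values, the IFEO Debugger entries, EnableLUA, DisableRegistryTools, HideFileExt/ShowSuperHidden) are what an investigator would check for on a suspect host. The PowerShell below is an added triage script, not part of the tria.ge report and not code from the sample; it reads those locations and lists deviations from the Windows defaults. Two caveats follow from the data itself: the sample is 32-bit, so its Winlogon and Run writes landed under Wow6432Node on this x64 image; the 64-bit winlogon.exe reads the native Winlogon key, so the Shell/Userinit hijack is recorded but would not fire at logon on x64, whereas Explorer processes both Run views, and the Image File Execution Options and Policies\System keys are shared between views (the report shows them at their native paths). The per-user values were written under the sandbox user's SID (S-1-5-21-...-1000); the script reads HKCU, i.e. the currently logged-on user only.

```powershell
# Added triage script (not part of the tria.ge report): audit the registry
# locations this sample wrote to and list every deviation from the Windows
# default. Run from an elevated PowerShell prompt on the host under review.
# Winlogon and Run are checked in both the native and the Wow6432Node views;
# the sample is 32-bit, so on x64 its writes landed under Wow6432Node.

$findings = New-Object System.Collections.Generic.List[string]
function Add-Finding([string]$Where, [string]$What) { $findings.Add("$Where :: $What") }

# 1. Winlogon Shell / Userinit. Defaults: "explorer.exe" and
#    "<SystemRoot>\system32\userinit.exe," (the trailing comma is normal).
$expectedUserinit = Join-Path $env:SystemRoot 'system32\userinit.exe'
$winlogonKeys = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
                'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'
foreach ($k in $winlogonKeys) {
    if (-not (Test-Path $k)) { continue }
    $p = Get-ItemProperty -Path $k
    if ($p.Shell -and $p.Shell -ine 'explorer.exe') { Add-Finding $k "Shell = '$($p.Shell)'" }
    if ($p.Userinit -and $p.Userinit.TrimEnd(',') -ine $expectedUserinit) {
        Add-Finding $k "Userinit = '$($p.Userinit)'"
    }
}

# 2. Run keys. Flag the value names the sample used, anything pointing into
#    Fonts\ or drivers\, and bare file names with no drive or directory.
$sampleRunNames = '644r4', 'FreeAV', 'SystemRun', 'DesertSand'
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = (Get-ItemProperty -Path $k).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
    foreach ($prop in $props) {
        $v = [string]$prop.Value
        if (($sampleRunNames -contains $prop.Name) -or
            ($v -match '(?i)(^|\\)(Fonts|drivers)\\') -or
            ($v -notmatch '[\\:]')) {
            Add-Finding $k "$($prop.Name) = '$v'"
        }
    }
}

# 3. Image File Execution Options. This key is shared between the 32- and
#    64-bit views, so one pass covers both. A Debugger value runs in place of
#    the named program with the original command line appended: with
#    "cmd.exe /c del" the launched file is deleted, with "drivers\\Kazekage.exe"
#    the worm starts instead of regedit, taskmgr, msconfig, mmc, rstrui, etc.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { Add-Finding "$ifeo\$($_.PSChildName)" "Debugger = '$dbg'" }
}

# 4. Policy values. EnableLUA=0 turns UAC off machine-wide (default 1);
#    DisableRegistryTools=1 blocks regedit for that user (absent by default).
$sysPol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
if ($null -ne $sysPol.EnableLUA -and $sysPol.EnableLUA -ne 1) {
    Add-Finding 'HKLM:\...\Policies\System' "EnableLUA = $($sysPol.EnableLUA)"
}
$usrPol = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
if ($usrPol.DisableRegistryTools -eq 1) { Add-Finding 'HKCU:\...\Policies\System' 'DisableRegistryTools = 1' }

# 5. Explorer view settings. HideFileExt=1 and ShowSuperHidden=0 are also the
#    Windows defaults, so they are reported for context, not as findings.
$adv = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
"Explorer\Advanced: HideFileExt = $($adv.HideFileExt), ShowSuperHidden = $($adv.ShowSuperHidden)"

if ($findings.Count -eq 0) { 'No deviations found in the audited locations.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Every IFEO Debugger value is listed rather than only the sample's, because legitimate tooling (a just-in-time debugger, Process Explorer's "Replace Task Manager") also uses this key; the list is a review queue, not a verdict. A Run value such as "22-8-2024.exe" with no directory is flagged on shape alone, since Explorer resolves it through the search path and the report shows the sample dropping that file into SysWOW64.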
Drops desktop.ini file(s) (64 IoCs)
description | ioc | Process
File opened for modification | \??\J:\Desktop.ini | smss.exe
File opened for modification | \??\R:\Desktop.ini | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | \??\S:\Desktop.ini | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | \??\B:\Desktop.ini | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | \??\W:\Desktop.ini | Kazekage.exe
File opened for modification | \??\Z:\Desktop.ini | system32.exe
File opened for modification | \??\K:\Desktop.ini | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | \??\Z:\Desktop.ini | smss.exe
File opened for modification | \??\M:\Desktop.ini | Kazekage.exe
File opened for modification | \??\T:\Desktop.ini | system32.exe
File opened for modification | \??\E:\Desktop.ini | smss.exe
File opened for modification | \??\O:\Desktop.ini | smss.exe
File opened for modification | \??\V:\Desktop.ini | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | \??\Q:\Desktop.ini | csrss.exe
File opened for modification | \??\O:\Desktop.ini | Gaara.exe
File opened for modification | \??\A:\Desktop.ini | Kazekage.exe
File opened for modification | \??\B:\Desktop.ini | Kazekage.exe
File opened for modification | D:\Desktop.ini | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | \??\I:\Desktop.ini | smss.exe
File opened for modification | \??\P:\Desktop.ini | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | \??\X:\Desktop.ini | smss.exe
File opened for modification | \??\L:\Desktop.ini | Gaara.exe
File opened for modification | \??\W:\Desktop.ini | Gaara.exe
File opened for modification | \??\A:\Desktop.ini | csrss.exe
File opened for modification | \??\X:\Desktop.ini | csrss.exe
File opened for modification | \??\L:\Desktop.ini | Kazekage.exe
File opened for modification | \??\O:\Desktop.ini | Kazekage.exe
File opened for modification | \??\T:\Desktop.ini | Kazekage.exe
File opened for modification | \??\G:\Desktop.ini | system32.exe
File opened for modification | \??\A:\Desktop.ini | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | \??\Z:\Desktop.ini | csrss.exe
File opened for modification | \??\J:\Desktop.ini | system32.exe
File opened for modification | C:\Desktop.ini | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | \??\N:\Desktop.ini | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | \??\H:\Desktop.ini | csrss.exe
File opened for modification | \??\W:\Desktop.ini | csrss.exe
File opened for modification | \??\R:\Desktop.ini | system32.exe
File opened for modification | \??\W:\Desktop.ini | system32.exe
File opened for modification | D:\Desktop.ini | smss.exe
File opened for modification | \??\Q:\Desktop.ini | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | \??\K:\Desktop.ini | system32.exe
File opened for modification | \??\L:\Desktop.ini | system32.exe
File opened for modification | \??\Q:\Desktop.ini | system32.exe
File opened for modification | \??\V:\Desktop.ini | system32.exe
File opened for modification | \??\H:\Desktop.ini | smss.exe
File opened for modification | \??\Y:\Desktop.ini | smss.exe
File opened for modification | \??\J:\Desktop.ini | Gaara.exe
File opened for modification | \??\Q:\Desktop.ini | Gaara.exe
File opened for modification | \??\X:\Desktop.ini | Gaara.exe
File opened for modification | D:\Desktop.ini | Kazekage.exe
File opened for modification | \??\U:\Desktop.ini | Kazekage.exe
File opened for modification | \??\T:\Desktop.ini | smss.exe
File opened for modification | \??\T:\Desktop.ini | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | \??\K:\Desktop.ini | smss.exe
File opened for modification | \??\Z:\Desktop.ini | Gaara.exe
File opened for modification | D:\Desktop.ini | csrss.exe
File opened for modification | C:\Desktop.ini | Kazekage.exe
File opened for modification | \??\N:\Desktop.ini | smss.exe
File opened for modification | \??\I:\Desktop.ini | Gaara.exe
File opened for modification | \??\S:\Desktop.ini | Gaara.exe
File opened for modification | \??\E:\Desktop.ini | csrss.exe
File opened for modification | \??\N:\Desktop.ini | csrss.exe
File opened for modification | \??\R:\Desktop.ini | csrss.exe
File opened for modification | \??\Z:\Desktop.ini | Kazekage.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\X: | Gaara.exe
File opened (read-only) | \??\U: | csrss.exe
File opened (read-only) | \??\J: | Kazekage.exe
File opened (read-only) | \??\P: | Kazekage.exe
File opened (read-only) | \??\Z: | Kazekage.exe
File opened (read-only) | \??\X: | system32.exe
File opened (read-only) | \??\P: | Gaara.exe
File opened (read-only) | \??\R: | Kazekage.exe
File opened (read-only) | \??\V: | smss.exe
File opened (read-only) | \??\X: | csrss.exe
File opened (read-only) | \??\T: | Kazekage.exe
File opened (read-only) | \??\M: | smss.exe
File opened (read-only) | \??\O: | smss.exe
File opened (read-only) | \??\E: | Gaara.exe
File opened (read-only) | \??\M: | Gaara.exe
File opened (read-only) | \??\O: | Gaara.exe
File opened (read-only) | \??\S: | Gaara.exe
File opened (read-only) | \??\O: | csrss.exe
File opened (read-only) | \??\S: | Kazekage.exe
File opened (read-only) | \??\S: | system32.exe
File opened (read-only) | \??\H: | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened (read-only) | \??\W: | Kazekage.exe
File opened (read-only) | \??\P: | system32.exe
File opened (read-only) | \??\A: | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened (read-only) | \??\Y: | csrss.exe
File opened (read-only) | \??\B: | smss.exe
File opened (read-only) | \??\Y: | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened (read-only) | \??\A: | Gaara.exe
File opened (read-only) | \??\S: | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened (read-only) | \??\X: | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened (read-only) | \??\M: | csrss.exe
File opened (read-only) | \??\Y: | system32.exe
File opened (read-only) | \??\U: | smss.exe
File opened (read-only) | \??\R: | csrss.exe
File opened (read-only) | \??\A: | Kazekage.exe
File opened (read-only) | \??\E: | Kazekage.exe
File opened (read-only) | \??\G: | Kazekage.exe
File opened (read-only) | \??\Q: | Kazekage.exe
File opened (read-only) | \??\W: | smss.exe
File opened (read-only) | \??\X: | smss.exe
File opened (read-only) | \??\Y: | Gaara.exe
File opened (read-only) | \??\H: | system32.exe
File opened (read-only) | \??\J: | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened (read-only) | \??\O: | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened (read-only) | \??\P: | smss.exe
File opened (read-only) | \??\J: | Gaara.exe
File opened (read-only) | \??\K: | csrss.exe
File opened (read-only) | \??\P: | csrss.exe
File opened (read-only) | \??\I: | csrss.exe
File opened (read-only) | \??\J: | system32.exe
File opened (read-only) | \??\Q: | system32.exe
File opened (read-only) | \??\U: | Gaara.exe
File opened (read-only) | \??\H: | csrss.exe
File opened (read-only) | \??\X: | Kazekage.exe
File opened (read-only) | \??\W: | system32.exe
File opened (read-only) | \??\H: | smss.exe
File opened (read-only) | \??\K: | smss.exe
File opened (read-only) | \??\T: | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened (read-only) | \??\I: | smss.exe
File opened (read-only) | \??\K: | Gaara.exe
File opened (read-only) | \??\I: | system32.exe
File opened (read-only) | \??\R: | system32.exe
File opened (read-only) | \??\G: | Gaara.exe
File opened (read-only) | \??\L: | Kazekage.exe
Drops autorun.inf file (1 TTPs, 64 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File created | \??\W:\Autorun.inf | Kazekage.exe
File created | \??\L:\Autorun.inf | smss.exe
File opened for modification | \??\M:\Autorun.inf | smss.exe
File opened for modification | \??\Y:\Autorun.inf | smss.exe
File opened for modification | \??\K:\Autorun.inf | system32.exe
File created | \??\H:\Autorun.inf | Gaara.exe
File created | \??\E:\Autorun.inf | Kazekage.exe
File opened for modification | F:\Autorun.inf | Kazekage.exe
File created | \??\Y:\Autorun.inf | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | \??\G:\Autorun.inf | smss.exe
File created | \??\Q:\Autorun.inf | Gaara.exe
File created | \??\I:\Autorun.inf | Kazekage.exe
File opened for modification | \??\U:\Autorun.inf | Kazekage.exe
File opened for modification | \??\W:\Autorun.inf | Kazekage.exe
File created | \??\H:\Autorun.inf | Kazekage.exe
File opened for modification | \??\E:\Autorun.inf | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | \??\W:\Autorun.inf | smss.exe
File opened for modification | \??\B:\Autorun.inf | csrss.exe
File opened for modification | \??\A:\Autorun.inf | Gaara.exe
File opened for modification | C:\Autorun.inf | Gaara.exe
File opened for modification | \??\U:\Autorun.inf | system32.exe
File opened for modification | \??\V:\Autorun.inf | Gaara.exe
File opened for modification | \??\A:\Autorun.inf | smss.exe
File created | D:\Autorun.inf | system32.exe
File created | \??\G:\Autorun.inf | csrss.exe
File created | \??\L:\Autorun.inf | system32.exe
File opened for modification | \??\Q:\Autorun.inf | Kazekage.exe
File created | \??\R:\Autorun.inf | Kazekage.exe
File opened for modification | \??\L:\Autorun.inf | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File created | \??\B:\Autorun.inf | smss.exe
File opened for modification | \??\H:\Autorun.inf | csrss.exe
File opened for modification | \??\S:\Autorun.inf | Gaara.exe
File opened for modification | \??\E:\Autorun.inf | Kazekage.exe
File opened for modification | \??\U:\Autorun.inf | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | \??\U:\Autorun.inf | smss.exe
File opened for modification | D:\Autorun.inf | csrss.exe
File opened for modification | \??\T:\Autorun.inf | system32.exe
File opened for modification | \??\N:\Autorun.inf | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File created | \??\T:\Autorun.inf | system32.exe
File opened for modification | \??\T:\Autorun.inf | Kazekage.exe
File created | \??\A:\Autorun.inf | csrss.exe
File created | \??\E:\Autorun.inf | csrss.exe
File opened for modification | F:\Autorun.inf | csrss.exe
File opened for modification | \??\O:\Autorun.inf | system32.exe
File created | \??\R:\Autorun.inf | system32.exe
File opened for modification | F:\Autorun.inf | Gaara.exe
File created | \??\O:\Autorun.inf | Kazekage.exe
File opened for modification | \??\Z:\Autorun.inf | smss.exe
File created | \??\Q:\Autorun.inf | system32.exe
File opened for modification | \??\L:\Autorun.inf | csrss.exe
File created | \??\X:\Autorun.inf | Gaara.exe
File opened for modification | \??\J:\Autorun.inf | Kazekage.exe
File opened for modification | \??\S:\Autorun.inf | Kazekage.exe
File opened for modification | \??\Z:\Autorun.inf | Kazekage.exe
File opened for modification | \??\O:\Autorun.inf | Kazekage.exe
File opened for modification | \??\A:\Autorun.inf | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | F:\Autorun.inf | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | \??\H:\Autorun.inf | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | \??\J:\Autorun.inf | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | \??\G:\Autorun.inf | csrss.exe
File created | \??\U:\Autorun.inf | Gaara.exe
File created | \??\U:\Autorun.inf | csrss.exe
File created | D:\Autorun.inf | Gaara.exe
File opened for modification | \??\I:\Autorun.inf | Gaara.exe
Drops file in System32 directory 38 IoCs
The files written to SysWOW64 are the Visual Basic 6 runtime (msvbvm60.dll), the VB common-controls library (mscomctl.ocx), a Desktop.ini and a further copy of the sample named after the run date, 22-8-2024.exe. Shipping msvbvm60.dll alongside itself is consistent with a VB6 executable carrying its own runtime; the date in the file name means that name is specific to this run and is a poor static indicator, so match the SysWOW64 copy by hash or by the creation event rather than by name.
description | ioc | Process
File created | C:\Windows\SysWOW64\msvbvm60.dll | csrss.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\ | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\ | Kazekage.exe
File created | C:\Windows\SysWOW64\Desktop.ini | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\ | csrss.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\ | Gaara.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | system32.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | smss.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | csrss.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | system32.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | csrss.exe
File created | C:\Windows\SysWOW64\22-8-2024.exe | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | C:\Windows\SysWOW64\22-8-2024.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\ | smss.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\SysWOW64\22-8-2024.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\22-8-2024.exe | system32.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | csrss.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\SysWOW64\22-8-2024.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\ | system32.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | system32.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | system32.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\22-8-2024.exe | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | smss.exe
File opened for modification | C:\Windows\SysWOW64\22-8-2024.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
Every copy of the sample sets the current user's wallpaper to an image it drops into C:\Windows\Fonts, the same folder that receives the executable copies (see Drops file in Windows directory).
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | system32.exe
Drops file in Windows directory 64 IoCs
Copies of the sample are written to C:\Windows\Fonts\Admin 22 - 8 - 2024\ as smss.exe and csrss.exe (names borrowed from core Windows processes) and Gaara.exe, with the VB6 runtime dropped beside them and again into C:\Windows, C:\Windows\system and C:\Windows\WBEM. Explorer presents the Fonts folder as a list of installed fonts rather than a directory listing, which keeps the dropped executables out of sight during casual browsing; the subdirectory name embeds the sandbox user name and the run date, so it will differ on a real victim. C:\Windows\system\mscoree.dll is also opened for modification by every copy; this section records the open but not what was written.
description | ioc | Process
File opened for modification | C:\Windows\system\mscoree.dll | Gaara.exe
File opened for modification | C:\Windows\Fonts\Admin 22 - 8 - 2024\Gaara.exe | system32.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | csrss.exe
File created | C:\Windows\Fonts\Admin 22 - 8 - 2024\Gaara.exe | csrss.exe
File created | C:\Windows\WBEM\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\system\mscoree.dll | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | C:\Windows\system\mscoree.dll | smss.exe
File opened for modification | C:\Windows\Fonts\Admin 22 - 8 - 2024\Gaara.exe | smss.exe
File opened for modification | C:\Windows\Fonts\Admin 22 - 8 - 2024\smss.exe | Gaara.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\ | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File created | C:\Windows\Fonts\Admin 22 - 8 - 2024\msvbvm60.dll | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | C:\Windows\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\mscomctl.ocx | Kazekage.exe
File created | C:\Windows\Fonts\Admin 22 - 8 - 2024\smss.exe | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File created | C:\Windows\system\msvbvm60.dll | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File created | C:\Windows\WBEM\msvbvm60.dll | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | C:\Windows\system\mscoree.dll | Kazekage.exe
File opened for modification | C:\Windows\mscomctl.ocx | Gaara.exe
File opened for modification | C:\Windows\Fonts\Admin 22 - 8 - 2024\smss.exe | Kazekage.exe
File opened for modification | C:\Windows\system\mscoree.dll | system32.exe
File opened for modification | C:\Windows\mscomctl.ocx | smss.exe
File created | C:\Windows\Fonts\Admin 22 - 8 - 2024\Gaara.exe | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | C:\Windows\Fonts\Admin 22 - 8 - 2024\msvbvm60.dll | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | C:\Windows\msvbvm60.dll | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File created | C:\Windows\Fonts\Admin 22 - 8 - 2024\smss.exe | Gaara.exe
File created | C:\Windows\Fonts\Admin 22 - 8 - 2024\Gaara.exe | Gaara.exe
File created | C:\Windows\Fonts\Admin 22 - 8 - 2024\csrss.exe | Kazekage.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | smss.exe
File created | C:\Windows\Fonts\Admin 22 - 8 - 2024\csrss.exe | system32.exe
File created | C:\Windows\Fonts\Admin 22 - 8 - 2024\csrss.exe | smss.exe
File opened for modification | C:\Windows\ | csrss.exe
File opened for modification | C:\Windows\ | Kazekage.exe
File opened for modification | C:\Windows\Fonts\Admin 22 - 8 - 2024\Gaara.exe | Kazekage.exe
File opened for modification | C:\Windows\Fonts\Admin 22 - 8 - 2024\csrss.exe | Kazekage.exe
File created | C:\Windows\WBEM\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\mscomctl.ocx | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File created | C:\Windows\Fonts\Admin 22 - 8 - 2024\csrss.exe | Gaara.exe
File created | C:\Windows\Fonts\Admin 22 - 8 - 2024\Gaara.exe | system32.exe
File opened for modification | C:\Windows\Fonts\Admin 22 - 8 - 2024\csrss.exe | system32.exe
File opened for modification | C:\Windows\ | Gaara.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | C:\Windows\Fonts\Admin 22 - 8 - 2024\smss.exe | smss.exe
File created | C:\Windows\WBEM\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\Fonts\Admin 22 - 8 - 2024\Gaara.exe | csrss.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | system32.exe
File opened for modification | C:\Windows\mscomctl.ocx | csrss.exe
File created | C:\Windows\msvbvm60.dll | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | C:\Windows\Fonts\Admin 22 - 8 - 2024\smss.exe | system32.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | C:\Windows\Fonts\Admin 22 - 8 - 2024\csrss.exe | smss.exe
File created | C:\Windows\Fonts\Admin 22 - 8 - 2024\csrss.exe | csrss.exe
File opened for modification | C:\Windows\Fonts\Admin 22 - 8 - 2024\csrss.exe | csrss.exe
File created | C:\Windows\Fonts\Admin 22 - 8 - 2024\smss.exe | system32.exe
File created | C:\Windows\Fonts\Admin 22 - 8 - 2024\Gaara.exe | smss.exe
File opened for modification | C:\Windows\Fonts\Admin 22 - 8 - 2024\csrss.exe | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | C:\Windows\Fonts\Admin 22 - 8 - 2024\Gaara.exe | Gaara.exe
File opened for modification | C:\Windows\system\mscoree.dll | csrss.exe
File opened for modification | C:\Windows\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | system32.exe
File opened for modification | C:\Windows\mscomctl.ocx | system32.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | Gaara.exe
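The copies in the table above borrow the names of core Windows processes but live under the Fonts folder. The following is an added example, not code from tria.ge or from the sample, of a path-based masquerading check a responder could run over a process or file listing. The sample paths are constructed from the drop tables on this page plus one assumed legitimate System32 entry for contrast; the set of protected process names and the Windows directory locations are an assumed Windows 7 x64 baseline.

```python
import ntpath

# Assumed baseline: core Windows processes that only ever run from %SystemRoot%\System32.
PROTECTED_NAMES = {
    "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
    "services.exe", "lsass.exe", "svchost.exe",
}
SYSTEM32 = r"c:\windows\system32"
FONTS = r"c:\windows\fonts"
# File types that should never sit in the Fonts folder.
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".ocx", ".com"}


def masquerade_reasons(image_path):
    """Return the reasons an image path looks like a masquerading drop; an empty list means no finding."""
    # ntpath handles Windows paths on any host, so this also works when analysing exports on Linux.
    normalised = ntpath.normpath(image_path).lower()
    directory, name = ntpath.split(normalised)
    extension = ntpath.splitext(name)[1]
    reasons = []
    if name in PROTECTED_NAMES and directory != SYSTEM32:
        reasons.append(f"{name} running outside System32: {directory}")
    if extension in EXECUTABLE_EXTS and (directory == FONTS or directory.startswith(FONTS + "\\")):
        reasons.append("executable code stored under the Fonts directory")
    return reasons


def scan(image_paths):
    """Map every flagged path to its list of reasons; paths with no finding are omitted."""
    findings = {}
    for path in image_paths:
        reasons = masquerade_reasons(path)
        if reasons:
            findings[path] = reasons
    return findings


# Constructed sample: paths taken from the drop tables on this page plus an assumed clean System32 entry.
SAMPLE_PATHS = [
    r"C:\Windows\System32\smss.exe",
    r"C:\Windows\Fonts\Admin 22 - 8 - 2024\smss.exe",
    r"C:\Windows\Fonts\Admin 22 - 8 - 2024\csrss.exe",
    r"C:\Windows\Fonts\Admin 22 - 8 - 2024\Gaara.exe",
    r"C:\Windows\Fonts\Admin 22 - 8 - 2024\msvbvm60.dll",
    r"C:\Windows\Fonts\The Kazekage.jpg",
    r"C:\Windows\SysWOW64\22-8-2024.exe",
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_PATHS).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

The two name-and-location rules catch the four drops under Fonts but not the date-stamped copy in SysWOW64, which is neither a protected name nor in an unusual folder; that copy has to be matched on its hash or on the creation event in the System32 table, which is the limit of any purely path-based rule.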
System Location Discovery: System Language Discovery 1 TTPs 51 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Caveat: the only evidence is a read of the NLS\Language key, which ordinary runtime locale lookups also perform; the same key is opened here by ping.exe, so on its own this signature says little about the sample.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe (20 events), csrss.exe (6), smss.exe (6), system32.exe (6), Kazekage.exe (6), Gaara.exe (6), 9469e78f405795ec4c02ce5d9b479bf0N.exe (1)
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 20 IoCs
Adversaries may check for Internet connectivity on compromised systems. Twenty ping.exe processes were started in this run; their command lines are not reproduced in this section, so neither the target nor whether the pings serve as a connectivity check or merely as a delay can be read from this table. Pid 2484 appears twice, so that pid was reused for two separate ping.exe processes.
pid Process 2552 ping.exe 680 ping.exe 2604 ping.exe 2680 ping.exe 1756 ping.exe 2860 ping.exe 2580 ping.exe 884 ping.exe 2100 ping.exe 2484 ping.exe 2120 ping.exe 1936 ping.exe 1088 ping.exe 2028 ping.exe 2268 ping.exe 2484 ping.exe 324 ping.exe 2500 ping.exe 2228 ping.exe 3056 ping.exe -
Modifies Control Panel 64 IoCs
Configures a marquee screensaver for the current user (SCRNSAVE.EXE = ssmarque.scr, ScreenSaveTimeOut = 400 seconds) that scrolls the text "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" in 72 point Blackadder ITC, red on black, and sets the wallpaper style for the image dropped under C:\Windows\Fonts. The values are cosmetic, but they are written by every copy of the sample, so they are a convenient marker that a host ran at least one copy.
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Screen Saver.Marquee | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Screen Saver.Marquee | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | system32.exe
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\WallpaperStyle = "2" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Screen Saver.Marquee\Size = "72" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Screen Saver.Marquee\Size = "72" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\WallpaperStyle = "2" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | Kazekage.exe
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Screen Saver.Marquee | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\WallpaperStyle = "2" | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Screen Saver.Marquee | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Screen Saver.Marquee\Size = "72" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | smss.exe
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Screen Saver.Marquee | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Screen Saver.Marquee\Size = "72" | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\WallpaperStyle = "2" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Screen Saver.Marquee\Size = "72" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | system32.exe
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | Kazekage.exe
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\WallpaperStyle = "2" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | system32.exe
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Screen Saver.Marquee | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | Kazekage.exe
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | Gaara.exe
Modifies Internet Explorer settings 12 IoCs
Every copy of the sample rewrites the current user's Internet Explorer window title with the same taunt; like the screensaver text, this is a visible marker rather than a functional change.
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | Gaara.exe
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main | system32.exe
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | system32.exe
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | smss.exe
Modifies registry class 48 IoCs
File-association hijack: the Open, Open2 and Edit verbs of the VBSFile class (the handlers for .vbs scripts) are pointed at calc.exe, and the Install verb of the inffile class (the right-click Install action on .inf files) is replaced with shutdown -r -f -t 0, which forces an immediate reboot. These keys live under HKLM\SOFTWARE\Classes, so the change is machine-wide and shows the sample had write access to HKLM in this run. Clean-up means restoring the verb commands to their stock handlers; deleting the class keys outright would leave .vbs and .inf files with no handler at all.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | system32.exe
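Both the Autorun table near the top of this report and the registry-class table above arrive flattened as one "description ioc Process" row per event. The following is an added example, not code from tria.ge or from the sample, that parses rows of that shape and answers two questions an analyst wants from them: which drive letters each process touched with Autorun.inf, and which file-association verb handlers were replaced. The sample rows are copied from this page; the expected handler executables are an assumed stock Windows 7 baseline that should be confirmed against a clean reference image before the check is relied on.

```python
import re
from collections import defaultdict

# Shape of one row in the flattened tria.ge signature tables: "<description> <ioc> <process>".
# The process name is the last whitespace-free token; the ioc is everything in between.
ROW_RE = re.compile(
    r"^(?P<desc>File created|File opened for modification|Key created|Key opened"
    r"|Set value \(\w+\)) (?P<ioc>.+) (?P<proc>\S+)$"
)
# A "Set value" ioc reads  <key path> = "<value>"  (a trailing backslash on the path marks the default value).
SETVAL_RE = re.compile(r'^(?P<path>.+?) = "(?P<value>.*)"$')
# Autorun.inf paths appear as NT object-manager paths (\??\W:\Autorun.inf) or Win32 paths (C:\Autorun.inf).
AUTORUN_RE = re.compile(r"^(?:\\\?\?\\)?(?P<drive>[A-Za-z]):\\Autorun\.inf$", re.IGNORECASE)

# Assumed stock Windows 7 handlers for the verbs this sample rewrites; confirm on a clean image.
EXPECTED_HANDLERS = {
    r"\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command": "wscript.exe",
    r"\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command": "cscript.exe",
    r"\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command": "notepad.exe",
    r"\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command": "infdefaultinstall.exe",
}

# Constructed sample: rows copied from the tables on this page, one event per string.
SAMPLE_ROWS = [
    r"File created \??\W:\Autorun.inf Kazekage.exe",
    r"File created \??\L:\Autorun.inf smss.exe",
    r"File opened for modification \??\M:\Autorun.inf smss.exe",
    r"File opened for modification F:\Autorun.inf Kazekage.exe",
    r"File opened for modification C:\Autorun.inf Gaara.exe",
    r"File created D:\Autorun.inf system32.exe",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" csrss.exe',
    r"Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Kazekage.exe",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Gaara.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe',
]


def parse_rows(lines):
    """Split each flattened row into description, ioc and process; reject anything unrecognised."""
    rows = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        match = ROW_RE.match(line)
        if match is None:
            raise ValueError(f"unrecognised row: {line!r}")
        rows.append(match.groupdict())
    return rows


def autorun_drives(rows):
    """Map each process to the drive letters (as a sorted string) on which it wrote Autorun.inf."""
    letters = defaultdict(set)
    for row in rows:
        match = AUTORUN_RE.match(row["ioc"])
        if match:
            letters[row["proc"]].add(match["drive"].upper())
    return {proc: "".join(sorted(found)) for proc, found in letters.items()}


def handler_hijacks(rows):
    """Return (key, new value, process) for every Set value that replaces a known verb handler."""
    hits = []
    for row in rows:
        if not row["desc"].startswith("Set value"):
            continue
        match = SETVAL_RE.match(row["ioc"])
        if match is None:
            continue
        key = match["path"].rstrip("\\")
        expected = EXPECTED_HANDLERS.get(key)
        if expected and expected not in match["value"].lower():
            hits.append((key, match["value"], row["proc"]))
    return hits


if __name__ == "__main__":
    parsed = parse_rows(SAMPLE_ROWS)
    print("Autorun.inf drives per process:", autorun_drives(parsed))
    for key, value, proc in handler_hijacks(parsed):
        print(f"{proc} set {key} -> {value!r}")
```

Feeding the full tables from this page through parse_rows gives the complete per-process drive map; the handler check deliberately compares against the expected executable name rather than against the exact default string, so it still fires when a hijack wraps the original handler in a different command line. The wallpaper row is included to show that Set value events for keys outside the watched list are ignored rather than reported.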
Runs ping.exe 1 TTPs 20 IoCs
pid Process 1936 ping.exe 324 ping.exe 1088 ping.exe 2484 ping.exe 2604 ping.exe 2680 ping.exe 2500 ping.exe 2860 ping.exe 2120 ping.exe 2552 ping.exe 1756 ping.exe 2228 ping.exe 3056 ping.exe 2484 ping.exe 680 ping.exe 2028 ping.exe 2580 ping.exe 884 ping.exe 2268 ping.exe 2100 ping.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2428 smss.exe 2428 smss.exe 2428 smss.exe 2428 smss.exe 2428 smss.exe 2428 smss.exe 2428 smss.exe 2428 smss.exe 2428 smss.exe 2428 smss.exe 2428 smss.exe 2428 smss.exe 2308 9469e78f405795ec4c02ce5d9b479bf0N.exe 2308 9469e78f405795ec4c02ce5d9b479bf0N.exe 2308 9469e78f405795ec4c02ce5d9b479bf0N.exe 2308 9469e78f405795ec4c02ce5d9b479bf0N.exe 2308 9469e78f405795ec4c02ce5d9b479bf0N.exe 2308 9469e78f405795ec4c02ce5d9b479bf0N.exe 2308 9469e78f405795ec4c02ce5d9b479bf0N.exe 2308 9469e78f405795ec4c02ce5d9b479bf0N.exe 2308 9469e78f405795ec4c02ce5d9b479bf0N.exe 2308 9469e78f405795ec4c02ce5d9b479bf0N.exe 2308 9469e78f405795ec4c02ce5d9b479bf0N.exe 2308 9469e78f405795ec4c02ce5d9b479bf0N.exe 2724 Gaara.exe 2724 Gaara.exe 2724 Gaara.exe 2724 Gaara.exe 2724 Gaara.exe 2724 Gaara.exe 2724 Gaara.exe 2724 Gaara.exe 2724 Gaara.exe 2724 Gaara.exe 2724 Gaara.exe 2724 Gaara.exe 1640 csrss.exe 1640 csrss.exe 1640 csrss.exe 1640 csrss.exe 1640 csrss.exe 1640 csrss.exe 1640 csrss.exe 1640 csrss.exe 1640 csrss.exe 1640 csrss.exe 1640 csrss.exe 1640 csrss.exe 2168 Kazekage.exe 2168 Kazekage.exe 2168 Kazekage.exe 2168 Kazekage.exe 2168 Kazekage.exe 2168 Kazekage.exe 2168 Kazekage.exe 2168 Kazekage.exe 2168 Kazekage.exe 2168 Kazekage.exe 2168 Kazekage.exe 2168 Kazekage.exe 1732 system32.exe 1732 system32.exe 1732 system32.exe 1732 system32.exe -
Suspicious use of SetWindowsHookEx 31 IoCs
pid Process 2308 9469e78f405795ec4c02ce5d9b479bf0N.exe 2428 smss.exe 2876 smss.exe 2724 Gaara.exe 916 smss.exe 2620 Gaara.exe 1640 csrss.exe 544 smss.exe 776 Gaara.exe 2976 csrss.exe 2168 Kazekage.exe 408 smss.exe 2016 Gaara.exe 348 csrss.exe 1248 Kazekage.exe 1732 system32.exe 1944 smss.exe 1508 Gaara.exe 908 csrss.exe 660 Kazekage.exe 2076 system32.exe 2268 system32.exe 1532 Kazekage.exe 340 system32.exe 2964 csrss.exe 828 Kazekage.exe 2468 system32.exe 2476 Gaara.exe 1872 csrss.exe 888 Kazekage.exe 1880 system32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2308 wrote to memory of 2428 2308 9469e78f405795ec4c02ce5d9b479bf0N.exe 31 PID 2308 wrote to memory of 2428 2308 9469e78f405795ec4c02ce5d9b479bf0N.exe 31 PID 2308 wrote to memory of 2428 2308 9469e78f405795ec4c02ce5d9b479bf0N.exe 31 PID 2308 wrote to memory of 2428 2308 9469e78f405795ec4c02ce5d9b479bf0N.exe 31 PID 2428 wrote to memory of 2876 2428 smss.exe 32 PID 2428 wrote to memory of 2876 2428 smss.exe 32 PID 2428 wrote to memory of 2876 2428 smss.exe 32 PID 2428 wrote to memory of 2876 2428 smss.exe 32 PID 2428 wrote to memory of 2724 2428 smss.exe 33 PID 2428 wrote to memory of 2724 2428 smss.exe 33 PID 2428 wrote to memory of 2724 2428 smss.exe 33 PID 2428 wrote to memory of 2724 2428 smss.exe 33 PID 2724 wrote to memory of 916 2724 Gaara.exe 34 PID 2724 wrote to memory of 916 2724 Gaara.exe 34 PID 2724 wrote to memory of 916 2724 Gaara.exe 34 PID 2724 wrote to memory of 916 2724 Gaara.exe 34 PID 2724 wrote to memory of 2620 2724 Gaara.exe 35 PID 2724 wrote to memory of 2620 2724 Gaara.exe 35 PID 2724 wrote to memory of 2620 2724 Gaara.exe 35 PID 2724 wrote to memory of 2620 2724 Gaara.exe 35 PID 2724 wrote to memory of 1640 2724 Gaara.exe 36 PID 2724 wrote to memory of 1640 2724 Gaara.exe 36 PID 2724 wrote to memory of 1640 2724 Gaara.exe 36 PID 2724 wrote to memory of 1640 2724 Gaara.exe 36 PID 1640 wrote to memory of 544 1640 csrss.exe 37 PID 1640 wrote to memory of 544 1640 csrss.exe 37 PID 1640 wrote to memory of 544 1640 csrss.exe 37 PID 1640 wrote to memory of 544 1640 csrss.exe 37 PID 1640 wrote to memory of 776 1640 csrss.exe 38 PID 1640 wrote to memory of 776 1640 csrss.exe 38 PID 1640 wrote to memory of 776 1640 csrss.exe 38 PID 1640 wrote to memory of 776 1640 csrss.exe 38 PID 1640 wrote to memory of 2976 1640 csrss.exe 39 PID 1640 wrote to memory of 2976 1640 csrss.exe 39 PID 1640 wrote to memory of 2976 1640 csrss.exe 39 PID 1640 wrote to memory of 2976 1640 csrss.exe 39 PID 1640 wrote to memory of 2168 
1640 csrss.exe 40 PID 1640 wrote to memory of 2168 1640 csrss.exe 40 PID 1640 wrote to memory of 2168 1640 csrss.exe 40 PID 1640 wrote to memory of 2168 1640 csrss.exe 40 PID 2168 wrote to memory of 408 2168 Kazekage.exe 41 PID 2168 wrote to memory of 408 2168 Kazekage.exe 41 PID 2168 wrote to memory of 408 2168 Kazekage.exe 41 PID 2168 wrote to memory of 408 2168 Kazekage.exe 41 PID 2168 wrote to memory of 2016 2168 Kazekage.exe 42 PID 2168 wrote to memory of 2016 2168 Kazekage.exe 42 PID 2168 wrote to memory of 2016 2168 Kazekage.exe 42 PID 2168 wrote to memory of 2016 2168 Kazekage.exe 42 PID 2168 wrote to memory of 348 2168 Kazekage.exe 43 PID 2168 wrote to memory of 348 2168 Kazekage.exe 43 PID 2168 wrote to memory of 348 2168 Kazekage.exe 43 PID 2168 wrote to memory of 348 2168 Kazekage.exe 43 PID 2168 wrote to memory of 1248 2168 Kazekage.exe 44 PID 2168 wrote to memory of 1248 2168 Kazekage.exe 44 PID 2168 wrote to memory of 1248 2168 Kazekage.exe 44 PID 2168 wrote to memory of 1248 2168 Kazekage.exe 44 PID 2168 wrote to memory of 1732 2168 Kazekage.exe 45 PID 2168 wrote to memory of 1732 2168 Kazekage.exe 45 PID 2168 wrote to memory of 1732 2168 Kazekage.exe 45 PID 2168 wrote to memory of 1732 2168 Kazekage.exe 45 PID 1732 wrote to memory of 1944 1732 system32.exe 46 PID 1732 wrote to memory of 1944 1732 system32.exe 46 PID 1732 wrote to memory of 1944 1732 system32.exe 46 PID 1732 wrote to memory of 1944 1732 system32.exe 46 -
System policy modification 1 TTPs 12 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 9469e78f405795ec4c02ce5d9b479bf0N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 9469e78f405795ec4c02ce5d9b479bf0N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9469e78f405795ec4c02ce5d9b479bf0N.exe"C:\Users\Admin\AppData\Local\Temp\9469e78f405795ec4c02ce5d9b479bf0N.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2308 -
C:\Windows\Fonts\Admin 22 - 8 - 2024\smss.exe"C:\Windows\Fonts\Admin 22 - 8 - 2024\smss.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2428 -
C:\Windows\Fonts\Admin 22 - 8 - 2024\smss.exe"C:\Windows\Fonts\Admin 22 - 8 - 2024\smss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2876
-
-
C:\Windows\Fonts\Admin 22 - 8 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 22 - 8 - 2024\Gaara.exe"3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2724 -
C:\Windows\Fonts\Admin 22 - 8 - 2024\smss.exe"C:\Windows\Fonts\Admin 22 - 8 - 2024\smss.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:916
-
-
C:\Windows\Fonts\Admin 22 - 8 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 22 - 8 - 2024\Gaara.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2620
-
-
C:\Windows\Fonts\Admin 22 - 8 - 2024\csrss.exe"C:\Windows\Fonts\Admin 22 - 8 - 2024\csrss.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1640 -
C:\Windows\Fonts\Admin 22 - 8 - 2024\smss.exe"C:\Windows\Fonts\Admin 22 - 8 - 2024\smss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:544
-
-
C:\Windows\Fonts\Admin 22 - 8 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 22 - 8 - 2024\Gaara.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:776
-
-
C:\Windows\Fonts\Admin 22 - 8 - 2024\csrss.exe"C:\Windows\Fonts\Admin 22 - 8 - 2024\csrss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2976
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2168 -
C:\Windows\Fonts\Admin 22 - 8 - 2024\smss.exe"C:\Windows\Fonts\Admin 22 - 8 - 2024\smss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:408
-
-
C:\Windows\Fonts\Admin 22 - 8 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 22 - 8 - 2024\Gaara.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2016
-
-
C:\Windows\Fonts\Admin 22 - 8 - 2024\csrss.exe"C:\Windows\Fonts\Admin 22 - 8 - 2024\csrss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:348
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1248
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1732 -
C:\Windows\Fonts\Admin 22 - 8 - 2024\smss.exe"C:\Windows\Fonts\Admin 22 - 8 - 2024\smss.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1944
-
-
C:\Windows\Fonts\Admin 22 - 8 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 22 - 8 - 2024\Gaara.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1508
-
-
C:\Windows\Fonts\Admin 22 - 8 - 2024\csrss.exe"C:\Windows\Fonts\Admin 22 - 8 - 2024\csrss.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:908
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:660
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2076
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2028
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2484
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3056
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2228
-
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2100
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2268
-
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2268
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:884
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2500
-
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1532
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:340
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1088
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:680
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2484
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1756
-
-
-
C:\Windows\Fonts\Admin 22 - 8 - 2024\csrss.exe"C:\Windows\Fonts\Admin 22 - 8 - 2024\csrss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2964
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:828
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2468
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2552
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1936
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:324
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2580
-
-
-
C:\Windows\Fonts\Admin 22 - 8 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 22 - 8 - 2024\Gaara.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2476
-
-
C:\Windows\Fonts\Admin 22 - 8 - 2024\csrss.exe"C:\Windows\Fonts\Admin 22 - 8 - 2024\csrss.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1872
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:888
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1880
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2860
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2120
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2604
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2680
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
- Event Triggered Execution (1)
- Image File Execution Options Injection (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
- Event Triggered Execution (1)
- Image File Execution Options Injection (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Hide Artifacts (2)
- Hidden Files and Directories (2)
- Impair Defenses (1)
- Disable or Modify Tools (1)
- Modify Registry (8)
Downloads
-
Filesize 148KB
MD5 7a845c96057299dcecc6cb42ac6fc8d8
SHA1 81c14bb5604926ed4200d5b219f0cdb5a8095067
SHA256 c5cdd0db88bcc798b1e6d35f652e0a0357c300edf9967f64a5cdecc62d09f3fe
SHA512 aed2d6a67b630ccb5fa75772eb6969dada8b4c6e6fa019d9836dc891615da8977edb2f1a8dd215cca7d045259dfe7c4935487fe1294daeb8dde5b2913cc5ebde
-
Filesize 736B
MD5 bb5d6abdf8d0948ac6895ce7fdfbc151
SHA1 9266b7a247a4685892197194d2b9b86c8f6dddbd
SHA256 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c
-
Filesize 196B
MD5 1564dfe69ffed40950e5cb644e0894d1
SHA1 201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256 be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA512 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097
-
Filesize 148KB
MD5 9469e78f405795ec4c02ce5d9b479bf0
SHA1 fda420f07893db4e065b7249fb7e9d16a72e53ea
SHA256 22bbdb6b0fe902df3383ccf29d6047c5f104036316e67d5fd6adc82b68a99a0f
SHA512 4774c113756f0a7ff363a0b0bfdf865e5b627a404844907a6ea147878506a6d27237e221139ed240089191a3896baa717ba79b9c8d33e18f787d08a254884416
-
Filesize 148KB
MD5 7520da5a2eecbb8d768b887a4f1ff2b2
SHA1 3227b03598645f3c09e68f6c121ce888d22b6bb7
SHA256 c72489fde86040dacf5b4604bd9f9c546f79696fa34b6ed168e3b87bab5e8914
SHA512 60bbda0d83fc83505752544baa4970cd2297d043f7b665a31e790a81d95921e3048a4fc2a2ec1b402cff79785de4b6898ec4b3fbf1e2137e676045b44f53917f
-
Filesize 1.4MB
MD5 d6b05020d4a0ec2a3a8b687099e335df
SHA1 df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA512 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff
-
Filesize 148KB
MD5 62bc1b819fd20154545ecebe8af4ebcd
SHA1 83741131b28f6bfe406097845ba39e01a16c2920
SHA256 75884ed4e51cbda0fe63a93e458bd7f3b0244c975c304fca1dcfa7f52747ff9e
SHA512 5b0de39b6f2efb1d5d414b8278bc81375a70cf06612f4aebb89ea44eaab988590c0cfd14d9abf68030462aaddece1196ad7064b21e36ee14b144b13d58150c75
-
Filesize 148KB
MD5 d4f514da35c945f62a257d73b1d5b8a4
SHA1 2c9732cbead72e0b51b616f6e500b04448d7fda4
SHA256 3329569e1f0f1ec4c5f514144ddef130c4fd2cb89d389a28e3f3d92f0b937416
SHA512 82600dceaacdc1ee85a0dcbd2ed6fb6178eadf82a163fca710238fbcd8a28b318cba9874d6273f8cfbaf4a6a5cc1294155b5540dae3430e8e370ba24b91f9c5e
-
Filesize 65B
MD5 64acfa7e03b01f48294cf30d201a0026
SHA1 10facd995b38a095f30b4a800fa454c0bcbf8438
SHA256 ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA512 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a
-
Filesize 148KB
MD5 85d07860f180f57b512bf0e29825c385
SHA1 d461d66789706c31848bb1f6d819645cc63f070a
SHA256 22058d2065eb58853d9d56e45dc4939f50b66b0bc25ff23f3a38a5f419696eb5
SHA512 dd3e1dcc309f1965d52c90d9b71e595aad15b87ee680187a9e38d375c999bf118823d51138aa91ece71667ad63ab2e780a7adfa1ed2b99764a3d48a6af11ddc9
-
Filesize 148KB
MD5 78fc08e192f644cc5763d006a9e3468b
SHA1 5be432c78a30cf2a30e4a5b7a57e194d891cf45a
SHA256 6c45ccb3261e4a513df2864246ab0130991c6086c4c863a57081e703947ffbcc
SHA512 9e6dcc2d708ef576508b39072b61130eb249581dd1532c1dcd4903e6513f09e09d91bfe750deee0f060bcfa840200d324761aa0f9b9ec30621bd0835c5e7dea5
-
Filesize 148KB
MD5 6fff853edfd603002c98005145fc9267
SHA1 ee6dc66660f1f195fa9100367aebedd6fe5c637f
SHA256 20f930b9d384608b6cccf953cdc4147fc2db2a699a720770c90652b136825917
SHA512 bcb1b1eac044f0600386e9b97544249c2d0ebc65f52a3e4b298609e0fc41b18ba10b841e64d6f478c32ca390de900096cfe807794352ba071270ff06100493d4
-
Filesize 148KB
MD5 5adade984d44caed1dc21f3b4ca399e2
SHA1 753f75a6457b0006041ed9d6ab096261600ea2c7
SHA256 695926f0ab6ae659078b076be548f6583fc1d6f6430276705a97bb5fd6fe4f7f
SHA512 ef64b1dc6278a455bc3757b0ee07b9b7717d22f01bae70bc88539ee8bb36e6882d40fc1a217d970168f240c8a17e7ce4ae0d86a9621689d1ed83617a047e9355
-
Filesize 148KB
MD5 91eef4b351ccad1722002bdaf4aa8501
SHA1 c874ad07a9ded195c1e596abb2b9b85b8d982d76
SHA256 63219ac218c3d7c0d3e14aade1ae875078434c41a446304f9eff31e061e3991f
SHA512 be971c97462640568f9651bea98d1ae8276733c0cd29aa87a484fb517c78833ef6b3c41dee2160b12c044ab4efbfc248f6fb0de5db0d5c7a1f2c1c47732a0cd2
-
Filesize 148KB
MD5 4f75d47fb897056c0894583aca3220f2
SHA1 837aff5654c9f9a2907d318da75b7bf66e12d890
SHA256 6e2bc378a7db27f833e636e6b477970862217d7904d05e1cc6d94bf67fc1dafa
SHA512 f66770751a0d974baab163f30f54562f817d2a3e0cc990f7da8e456b277dea21889f0c3b1f3f21ec72eafce9f2a0831bb4d605cc93ee695596f6deccba91d319
-
Filesize 148KB
MD5 b4545fb59248a16e09a32ae2bad393bd
SHA1 ac872f7cecf7e0523e4e69dd98d96d9c904598cd
SHA256 3f5c3dc8f160a4ca242717fba196030f75c7bae1c9227eb46b88bdbf5c8231ad
SHA512 0f8fc3793748d0a2bc07e43eef841f6706de5b319c55d214f906d275bfb48caaa083e8320c523e1749cd742093f022b6c72caf9611745755ac93a95f15120f54
-
Filesize 1.3MB
MD5 5343a19c618bc515ceb1695586c6c137
SHA1 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA256 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize 148KB
MD5 54b572e3864338b55fd00a2b8d75fe06
SHA1 00dbef5d52cec6883fec47e36697f405453089c9
SHA256 cdb1b0d979e90247ee55a62633b4c0c5358df5d13ec52b23e22a84508e580788
SHA512 d519123583be7bf431f9922c1083f6946e2257cd74759ae543efdfc6869d684b5a085a5ccbcce144ef32e2c22767403e5a9aa3814e979190889def95988b5739
-
Filesize 148KB
MD5 4ca4d391cd91788045516a09bcf5b5de
SHA1 75829041764a84bff14b9feef6ad9e8af0f9018e
SHA256 ff720ec4eadbcb78c62d531eeaeda25a17149f9be2a85b7e7ced37ad8b04483c
SHA512 4db7033d887ca5371cb6573258c5e32894f99c771e3fc73d0c8308fc9db4795f7f0b7c0e5a6764201d158d2c9dba5cf4fb557b1194ce884c3fe97ddac140168f