Analysis

max time kernel: 120s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-08-2024 22:03

Static task: static1

Behavioral task: behavioral1
Sample: 9469e78f405795ec4c02ce5d9b479bf0N.exe
Resource: win7-20240704-en

Behavioral task: behavioral2
Sample: 9469e78f405795ec4c02ce5d9b479bf0N.exe
Resource: win10v2004-20240802-en
General

Target: 9469e78f405795ec4c02ce5d9b479bf0N.exe
Size: 148KB
MD5: 9469e78f405795ec4c02ce5d9b479bf0
SHA1: fda420f07893db4e065b7249fb7e9d16a72e53ea
SHA256: 22bbdb6b0fe902df3383ccf29d6047c5f104036316e67d5fd6adc82b68a99a0f
SHA512: 4774c113756f0a7ff363a0b0bfdf865e5b627a404844907a6ea147878506a6d27237e221139ed240089191a3896baa717ba79b9c8d33e18f787d08a254884416
SSDEEP: 1536:IJo0IHgL2AHfb1mzaFXg+xsukl4Y17jsgS/jHagQNuXGpeVTV:sx6AHjYzaFXg+w17jsgS/jHagQg19V
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 6 IoCs)
Disables RegEdit via registry modification (6 IoCs)
Disables use of System Restore points (1 TTP)
Drops file in Drivers directory (24 IoCs)
Event Triggered Execution: Image File Execution Options Injection (1 TTP, 64 IoCs)
Executes dropped EXE (30 IoCs)
Loads dropped DLL (18 IoCs)
Adds Run key to start application (2 TTPs, 24 IoCs)
Drops desktop.ini file(s) (64 IoCs)
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops autorun.inf file (1 TTP, 64 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes. Here every process in the chain writes a root-level Autorun.inf to every drive letter from A: to Z: except D: and E: (the \??\ prefix is the NT object-manager form of the drive path). Since Windows 7 AutoRun is honoured only for optical media, so on a current host these files are an infection marker and a means of reaching older systems rather than a working execution vector.
description | ioc | Process
File opened for modification | \??\B:\Autorun.inf | Gaara.exe
File created | \??\A:\Autorun.inf | system32.exe
File opened for modification | \??\W:\Autorun.inf | system32.exe
File created | C:\Autorun.inf | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | \??\I:\Autorun.inf | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | \??\Q:\Autorun.inf | smss.exe
File created | \??\W:\Autorun.inf | smss.exe
File opened for modification | \??\W:\Autorun.inf | Gaara.exe
File opened for modification | \??\Y:\Autorun.inf | Gaara.exe
File created | \??\Z:\Autorun.inf | system32.exe
File created | \??\M:\Autorun.inf | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | \??\J:\Autorun.inf | smss.exe
File opened for modification | \??\L:\Autorun.inf | smss.exe
File opened for modification | \??\X:\Autorun.inf | smss.exe
File opened for modification | \??\Y:\Autorun.inf | system32.exe
File created | \??\H:\Autorun.inf | smss.exe
File created | \??\A:\Autorun.inf | csrss.exe
File opened for modification | C:\Autorun.inf | csrss.exe
File opened for modification | \??\K:\Autorun.inf | system32.exe
File opened for modification | \??\R:\Autorun.inf | smss.exe
File created | \??\W:\Autorun.inf | Gaara.exe
File opened for modification | \??\Q:\Autorun.inf | csrss.exe
File created | \??\M:\Autorun.inf | Kazekage.exe
File created | \??\N:\Autorun.inf | Gaara.exe
File created | \??\V:\Autorun.inf | Gaara.exe
File opened for modification | \??\A:\Autorun.inf | Kazekage.exe
File created | \??\A:\Autorun.inf | Kazekage.exe
File created | \??\K:\Autorun.inf | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | \??\B:\Autorun.inf | smss.exe
File opened for modification | \??\G:\Autorun.inf | smss.exe
File created | \??\P:\Autorun.inf | smss.exe
File created | \??\I:\Autorun.inf | system32.exe
File created | \??\O:\Autorun.inf | system32.exe
File opened for modification | \??\Q:\Autorun.inf | Gaara.exe
File opened for modification | \??\I:\Autorun.inf | csrss.exe
File created | \??\Z:\Autorun.inf | Kazekage.exe
File opened for modification | \??\O:\Autorun.inf | csrss.exe
File created | \??\P:\Autorun.inf | system32.exe
File opened for modification | \??\G:\Autorun.inf | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File created | \??\Y:\Autorun.inf | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | \??\T:\Autorun.inf | smss.exe
File created | \??\J:\Autorun.inf | Gaara.exe
File created | \??\S:\Autorun.inf | Kazekage.exe
File created | \??\L:\Autorun.inf | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File created | \??\P:\Autorun.inf | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | \??\B:\Autorun.inf | csrss.exe
File opened for modification | \??\U:\Autorun.inf | csrss.exe
File opened for modification | \??\J:\Autorun.inf | system32.exe
File created | \??\S:\Autorun.inf | system32.exe
File opened for modification | \??\V:\Autorun.inf | system32.exe
File opened for modification | F:\Autorun.inf | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File created | \??\I:\Autorun.inf | Gaara.exe
File created | \??\Q:\Autorun.inf | csrss.exe
File created | \??\U:\Autorun.inf | Kazekage.exe
File created | \??\Y:\Autorun.inf | Kazekage.exe
File opened for modification | \??\X:\Autorun.inf | system32.exe
File opened for modification | \??\B:\Autorun.inf | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | \??\P:\Autorun.inf | smss.exe
File opened for modification | \??\S:\Autorun.inf | Gaara.exe
File created | \??\X:\Autorun.inf | Gaara.exe
File created | \??\L:\Autorun.inf | Gaara.exe
File created | \??\Y:\Autorun.inf | csrss.exe
File opened for modification | \??\L:\Autorun.inf | Gaara.exe
File opened for modification | \??\N:\Autorun.inf | csrss.exe -
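The rows above are the raw material for a simple propagation detection: a single process that writes a root-level Autorun.inf to several distinct volumes is behaving like a removable-media worm, whatever its name. The following Python is an added example, not part of the sandbox report: it parses rows in the flattened "File created / File opened for modification <path> <process>" form exactly as this page presents them, normalises the \??\X:\ and X:\ path forms to a drive letter, and flags processes whose Autorun.inf writes span at least three volumes. The embedded input is a subset of the report's rows (plus one unrelated row to show it is ignored); the threshold of three is an assumption to tune for your own estate.

```python
"""Flag processes that drop Autorun.inf on the root of many volumes.

Added example, not part of the sandbox report. The sample rows are copied from
the report's Autorun section; the threshold (3 roots) is an assumption."""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed input: a subset of the report's rows, run together on one line
# exactly as the flattened report presents them. The last row is unrelated to
# Autorun and must be ignored by the check.
SAMPLE = " ".join([
    r"File opened for modification \??\B:\Autorun.inf Gaara.exe",
    r"File created \??\A:\Autorun.inf system32.exe",
    r"File opened for modification \??\W:\Autorun.inf system32.exe",
    r"File created C:\Autorun.inf 9469e78f405795ec4c02ce5d9b479bf0N.exe",
    r"File opened for modification \??\I:\Autorun.inf 9469e78f405795ec4c02ce5d9b479bf0N.exe",
    r"File created \??\Z:\Autorun.inf system32.exe",
    r"File created \??\M:\Autorun.inf 9469e78f405795ec4c02ce5d9b479bf0N.exe",
    r"File opened for modification \??\Y:\Autorun.inf system32.exe",
    r"File opened for modification F:\Autorun.inf 9469e78f405795ec4c02ce5d9b479bf0N.exe",
    r"File opened for modification \??\K:\Autorun.inf system32.exe",
    r"File created \??\W:\Autorun.inf Gaara.exe",
    r"File opened for modification C:\Windows\SysWOW64\msvbvm60.dll smss.exe",
])

# A new row starts at either action phrase; the process name is the last token,
# so paths containing spaces (e.g. "Admin 22 - 8 - 2024") still parse.
ROW_SPLIT_RE = re.compile(r"\s+(?=File created |File opened for modification )")
ROW_RE = re.compile(
    r"^(?P<action>File created|File opened for modification)\s+"
    r"(?P<path>.+?)\s+(?P<process>\S+)$"
)
# Optional NT object-manager prefix (\??\), a drive letter, then the rest of the path.
ROOT_RE = re.compile(r"^(?:\\\?\?\\)?(?P<drive>[A-Za-z]):\\(?P<rest>.*)$")


def parse_rows(text: str) -> list[dict]:
    """Split a flattened report line into {action, path, process} records."""
    rows = []
    for chunk in ROW_SPLIT_RE.split(text.strip()):
        m = ROW_RE.match(chunk)
        if m:
            rows.append(m.groupdict())
    return rows


def autorun_roots(rows: list[dict]) -> dict[str, set[str]]:
    """Map each process to the drive letters where it wrote a root-level Autorun.inf."""
    roots: dict[str, set[str]] = defaultdict(set)
    for row in rows:
        m = ROOT_RE.match(row["path"])
        # Only Autorun.inf directly under the volume root counts; deeper paths do not.
        if m and m["rest"].lower() == "autorun.inf":
            roots[row["process"]].add(m["drive"].upper())
    return dict(roots)


def flag_spreaders(rows: list[dict], threshold: int = 3) -> dict[str, list[str]]:
    """Processes whose root-level Autorun.inf writes span at least `threshold` volumes."""
    return {
        proc: sorted(drives)
        for proc, drives in autorun_roots(rows).items()
        if len(drives) >= threshold
    }


if __name__ == "__main__":
    for proc, drives in flag_spreaders(parse_rows(SAMPLE)).items():
        print(f"{proc}: Autorun.inf dropped on {len(drives)} volumes: {', '.join(drives)}")
```

Run against the full row list above, every process in the chain except the ones with fewer than three roots in your sample would be flagged; the same logic applies unchanged to Sysmon or EDR file-create events once they are mapped to the same (process, path) shape.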
Drops file in System32 directory 39 IoCs
All paths are under C:\Windows\SysWOW64, which is where WOW64 file-system redirection sends a 32-bit process's writes to System32. msvbvm60.dll is the Visual Basic 6 runtime and mscomctl.ocx the VB6 common-controls library, so the sample carries its own runtime with it. 22-8-2024.exe appears to take its name from the run date and will differ between executions, which makes it a weak indicator on its own.
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\ | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\ | system32.exe
File opened for modification | C:\Windows\SysWOW64\22-8-2024.exe | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | C:\Windows\SysWOW64\22-8-2024.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | smss.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | csrss.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | csrss.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | system32.exe
File opened for modification | C:\Windows\SysWOW64\22-8-2024.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\22-8-2024.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | Gaara.exe
File created | C:\Windows\SysWOW64\Desktop.ini | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File created | C:\Windows\SysWOW64\mscomctl.ocx | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | C:\Windows\SysWOW64\ | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | csrss.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | system32.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File created | C:\Windows\SysWOW64\22-8-2024.exe | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | C:\Windows\SysWOW64\22-8-2024.exe | system32.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | C:\Windows\SysWOW64\22-8-2024.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | smss.exe
File opened for modification | C:\Windows\SysWOW64\ | smss.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\ | csrss.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | system32.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | smss.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | Gaara.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\ | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | system32.exe -
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | 9469e78f405795ec4c02ce5d9b479bf0N.exe -
Drops file in Windows directory 64 IoCs
The copies written to C:\Windows\Fonts\Admin 22 - 8 - 2024\ reuse the names of core system binaries (csrss.exe, smss.exe), whose genuine copies live in C:\Windows\System32; a process with one of these names running from a Fonts subfolder is the observable to hunt for. Explorer presents C:\Windows\Fonts as the installed-font list rather than as a directory listing, which hides the dropped files from casual inspection. The Kazekage.jpg in the same folder is the wallpaper image set in the section above.
description | ioc | Process
File created | C:\Windows\Fonts\Admin 22 - 8 - 2024\msvbvm60.dll | system32.exe
File opened for modification | C:\Windows\system\mscoree.dll | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File created | C:\Windows\WBEM\msvbvm60.dll | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | Gaara.exe
File opened for modification | C:\Windows\Fonts\Admin 22 - 8 - 2024\Gaara.exe | csrss.exe
File opened for modification | C:\Windows\msvbvm60.dll | Kazekage.exe
File created | C:\Windows\Fonts\Admin 22 - 8 - 2024\Gaara.exe | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | C:\Windows\system\mscoree.dll | Gaara.exe
File created | C:\Windows\Fonts\Admin 22 - 8 - 2024\smss.exe | csrss.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | system32.exe
File opened for modification | C:\Windows\mscomctl.ocx | Gaara.exe
File opened for modification | C:\Windows\Fonts\Admin 22 - 8 - 2024\smss.exe | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | C:\Windows\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\Fonts\Admin 22 - 8 - 2024\csrss.exe | Kazekage.exe
File created | C:\Windows\WBEM\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\ | csrss.exe
File opened for modification | C:\Windows\Fonts\Admin 22 - 8 - 2024\smss.exe | Gaara.exe
File opened for modification | C:\Windows\Fonts\Admin 22 - 8 - 2024\csrss.exe | Gaara.exe
File created | C:\Windows\WBEM\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\system\mscoree.dll | csrss.exe
File created | C:\Windows\Fonts\Admin 22 - 8 - 2024\smss.exe | Kazekage.exe
File opened for modification | C:\Windows\msvbvm60.dll | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | C:\Windows\system\mscoree.dll | smss.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | csrss.exe
File created | C:\Windows\Fonts\Admin 22 - 8 - 2024\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | smss.exe
File created | C:\Windows\WBEM\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\system\mscoree.dll | system32.exe
File created | C:\Windows\Fonts\Admin 22 - 8 - 2024\Gaara.exe | system32.exe
File opened for modification | C:\Windows\ | smss.exe
File created | C:\Windows\Fonts\Admin 22 - 8 - 2024\csrss.exe | Gaara.exe
File created | C:\Windows\msvbvm60.dll | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File created | C:\Windows\system\msvbvm60.dll | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | C:\Windows\Fonts\Admin 22 - 8 - 2024\smss.exe | smss.exe
File created | C:\Windows\Fonts\Admin 22 - 8 - 2024\msvbvm60.dll | smss.exe
File created | C:\Windows\WBEM\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\Fonts\Admin 22 - 8 - 2024\msvbvm60.dll | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | C:\Windows\Fonts\Admin 22 - 8 - 2024\smss.exe | system32.exe
File opened for modification | C:\Windows\mscomctl.ocx | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File created | C:\Windows\Fonts\Admin 22 - 8 - 2024\Gaara.exe | smss.exe
File created | C:\Windows\Fonts\Admin 22 - 8 - 2024\Gaara.exe | Gaara.exe
File opened for modification | C:\Windows\Fonts\Admin 22 - 8 - 2024\Gaara.exe | Gaara.exe
File created | C:\Windows\Fonts\Admin 22 - 8 - 2024\Gaara.exe | Kazekage.exe
File created | C:\Windows\Fonts\Admin 22 - 8 - 2024\csrss.exe | Kazekage.exe
File created | C:\Windows\mscomctl.ocx | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File created | C:\Windows\WBEM\msvbvm60.dll | system32.exe
File opened for modification | C:\Windows\mscomctl.ocx | Kazekage.exe
File opened for modification | C:\Windows\ | Kazekage.exe
File opened for modification | C:\Windows\Fonts\Admin 22 - 8 - 2024\Gaara.exe | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | csrss.exe
File opened for modification | C:\Windows\Fonts\Admin 22 - 8 - 2024\smss.exe | csrss.exe
File opened for modification | C:\Windows\Fonts\Admin 22 - 8 - 2024\csrss.exe | csrss.exe
File opened for modification | C:\Windows\mscomctl.ocx | csrss.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | C:\Windows\Fonts\Admin 22 - 8 - 2024\csrss.exe | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File created | C:\Windows\Fonts\Admin 22 - 8 - 2024\smss.exe | smss.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | system32.exe
File created | C:\Windows\Fonts\Admin 22 - 8 - 2024\csrss.exe | smss.exe
File created | C:\Windows\Fonts\Admin 22 - 8 - 2024\smss.exe | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File created | C:\Windows\Fonts\Admin 22 - 8 - 2024\msvbvm60.dll | 9469e78f405795ec4c02ce5d9b479bf0N.exe
File opened for modification | C:\Windows\Fonts\Admin 22 - 8 - 2024\Gaara.exe | system32.exe -
System Location Discovery: System Language Discovery 1 TTPs 53 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Note that ping.exe accounts for 22 of the 53 reads below. Reading NLS\Language is part of routine locale initialisation that ordinary processes also perform, so on its own this signature is weak evidence of deliberate geolocation. All 53 rows open the same key; they are tallied by process here.
description | ioc | Process (rows)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe (22 rows)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe (6 rows)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaara.exe (6 rows)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe (6 rows)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system32.exe (6 rows)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kazekage.exe (6 rows)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9469e78f405795ec4c02ce5d9b479bf0N.exe (1 row) -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 22 IoCs
Adversaries may check for Internet connectivity on compromised systems.
The report records 22 ping.exe processes but not their command lines, so it cannot be determined from this page whether they probe connectivity or merely act as a delay between actions, a common idiom in batch-style droppers. The same 22 processes appear again under "Runs ping.exe" below.
pid Process 208 ping.exe 4240 ping.exe 3344 ping.exe 4872 ping.exe 2380 ping.exe 3280 ping.exe 1556 ping.exe 2456 ping.exe 628 ping.exe 2300 ping.exe 4584 ping.exe 5024 ping.exe 2272 ping.exe 1992 ping.exe 2696 ping.exe 984 ping.exe 2432 ping.exe 3536 ping.exe 2616 ping.exe 2864 ping.exe 3084 ping.exe 3156 ping.exe -
Modifies Control Panel 64 IoCs
description | ioc | Process
(all keys below are under \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\, the logged-on user's hive)
Set value (str) | Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | csrss.exe
Set value (str) | Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | Kazekage.exe
Set value (str) | Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Key created | Control Panel\Screen Saver.Marquee | system32.exe
Set value (str) | Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | system32.exe
Set value (str) | Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Set value (str) | Control Panel\Desktop\WallpaperStyle = "2" | Gaara.exe
Key created | Control Panel\Desktop | Kazekage.exe
Set value (str) | Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Key created | Control Panel\Screen Saver.Marquee | Gaara.exe
Key created | Control Panel\Desktop | Gaara.exe
Set value (str) | Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | smss.exe
Key created | Control Panel\Screen Saver.Marquee | smss.exe
Set value (str) | Control Panel\Screen Saver.Marquee\Size = "72" | system32.exe
Set value (str) | Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Set value (str) | Control Panel\Screen Saver.Marquee\Speed = "4" | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Set value (str) | Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | smss.exe
Set value (str) | Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | Gaara.exe
Key created | Control Panel\Desktop | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Set value (str) | Control Panel\Desktop\WallpaperStyle = "2" | csrss.exe
Set value (str) | Control Panel\Desktop\ScreenSaveTimeOut = "400" | csrss.exe
Set value (str) | Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | Kazekage.exe
Set value (str) | Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Set value (str) | Control Panel\Desktop\ScreenSaveTimeOut = "400" | system32.exe
Set value (str) | Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | csrss.exe
Set value (str) | Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | system32.exe
Set value (str) | Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | Gaara.exe
Set value (str) | Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | Gaara.exe
Set value (str) | Control Panel\Desktop\WallpaperStyle = "2" | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Set value (str) | Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Kazekage.exe
Set value (str) | Control Panel\Desktop\WallpaperStyle = "2" | system32.exe
Set value (str) | Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | csrss.exe
Key created | Control Panel\Screen Saver.Marquee | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Set value (str) | Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Set value (str) | Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | smss.exe
Set value (str) | Control Panel\Screen Saver.Marquee\Size = "72" | Gaara.exe
Set value (str) | Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | csrss.exe
Set value (str) | Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | Kazekage.exe
Set value (str) | Control Panel\Desktop\ScreenSaveTimeOut = "400" | Kazekage.exe
Set value (str) | Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Set value (str) | Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | Kazekage.exe
Set value (str) | Control Panel\Screen Saver.Marquee\Speed = "4" | Kazekage.exe
Set value (str) | Control Panel\Desktop\ScreenSaveTimeOut = "400" | smss.exe
Set value (str) | Control Panel\Screen Saver.Marquee\Speed = "4" | Gaara.exe
Set value (str) | Control Panel\Desktop\WallpaperStyle = "2" | smss.exe
Set value (str) | Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | csrss.exe
Set value (str) | Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | Kazekage.exe
Key created | Control Panel\Screen Saver.Marquee | Kazekage.exe
Set value (str) | Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | smss.exe
Set value (str) | Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | system32.exe
Key created | Control Panel\Desktop | csrss.exe
Set value (str) | Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | system32.exe
Set value (str) | Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | csrss.exe
Set value (str) | Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | Kazekage.exe
Set value (str) | Control Panel\Screen Saver.Marquee\Size = "72" | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Set value (str) | Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | system32.exe
Set value (str) | Control Panel\Desktop\ScreenSaveTimeOut = "400" | Gaara.exe
Set value (str) | Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | smss.exe
Key created | Control Panel\Desktop | system32.exe
Set value (str) | Control Panel\Screen Saver.Marquee\Size = "72" | csrss.exe
Set value (str) | Control Panel\Screen Saver.Marquee\Size = "72" | Kazekage.exe
Set value (str) | Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Gaara.exe
Set value (str) | Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | csrss.exe
Key created | Control Panel\Desktop | smss.exe -
Modifies Internet Explorer settings 12 IoCs
description | ioc | Process
(all keys below are under \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\)
Set value (str) | SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | system32.exe
Set value (str) | SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | Gaara.exe
Set value (str) | SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | csrss.exe
Key created | Software\Microsoft\Internet Explorer\Main | Kazekage.exe
Set value (str) | SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | Kazekage.exe
Set value (str) | SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Set value (str) | SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | smss.exe
Key created | Software\Microsoft\Internet Explorer\Main | system32.exe
Key created | Software\Microsoft\Internet Explorer\Main | csrss.exe
Key created | Software\Microsoft\Internet Explorer\Main | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Key created | Software\Microsoft\Internet Explorer\Main | smss.exe
Key created | Software\Microsoft\Internet Explorer\Main | Gaara.exe -
Modifies registry class 51 IoCs
The Open, Open2 ("Open with Command Prompt") and Edit verbs of VBSFile now launch calc.exe, so double-clicking, running from the context menu, or editing any .vbs file starts Calculator instead of WScript.exe, CScript.exe or Notepad; this neutralises VBScript-based cleanup tools without touching the interpreter binaries themselves. The Install verb of inffile is set to "shutdown -r -f -t 0", so choosing Install on any .inf file forces an immediate reboot. Both are machine-wide (HKLM) changes and survive removal of the dropped files, so they must be restored explicitly during cleanup.
description | ioc | Process
(all keys below are under \REGISTRY\MACHINE\SOFTWARE\Classes\)
Key created | VBSFile\Shell\Edit\Command | Gaara.exe
Key created | inffile\shell\Install\command | Gaara.exe
Key created | VBSFile\Shell\Open2\Command | csrss.exe
Key created | inffile\shell\Install\command | csrss.exe
Set value (str) | VBSFile\Shell\Open2\Command\ = "calc.exe" | Kazekage.exe
Set value (str) | inffile\shell\Install\command\ = "shutdown -r -f -t 0" | Kazekage.exe
Key created | VBSFile\Shell\Open2\Command | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Key created | VBSFile\Shell\Edit\Command | system32.exe
Set value (str) | VBSFile\Shell\Open\Command\ = "calc.exe" | Kazekage.exe
Key created | VBSFile\Shell\Open2\Command | Kazekage.exe
Key created | VBSFile\Shell\Open\Command | system32.exe
Key created | inffile\shell\Install\command | Kazekage.exe
Key created | VBSFile\Shell\Open\Command | Gaara.exe
Set value (str) | VBSFile\Shell\Open2\Command\ = "calc.exe" | smss.exe
Set value (str) | inffile\shell\Install\command\ = "shutdown -r -f -t 0" | Gaara.exe
Key created | VBSFile\Shell\Edit\Command | csrss.exe
Set value (str) | VBSFile\Shell\Edit\Command\ = "calc.exe" | csrss.exe
Key created | VBSFile\Shell\Open\Command | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Set value (str) | inffile\shell\Install\command\ = "shutdown -r -f -t 0" | smss.exe
Key created | VBSFile\Shell\Edit\Command | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Key created | VBSFile\Shell\Open2\Command | smss.exe
Set value (str) | VBSFile\Shell\Open\Command\ = "calc.exe" | system32.exe
Key created | inffile\shell | csrss.exe
Key created | VBSFile\Shell\Open2\Command | Gaara.exe
Set value (str) | inffile\shell\Install\command\ = "shutdown -r -f -t 0" | csrss.exe
Key created | VBSFile\Shell\Edit\Command | smss.exe
Key created | inffile\shell\Install\command | system32.exe
Set value (str) | inffile\shell\Install\command\ = "shutdown -r -f -t 0" | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Key created | inffile\shell\Install\command | smss.exe
Key created | VBSFile\Shell\Open\Command | Kazekage.exe
Set value (str) | VBSFile\Shell\Open\Command\ = "calc.exe" | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Set value (str) | VBSFile\Shell\Open\Command\ = "calc.exe" | Gaara.exe
Key created | VBSFile\Shell\Open\Command | csrss.exe
Key created | inffile | csrss.exe
Set value (str) | VBSFile\Shell\Edit\Command\ = "calc.exe" | smss.exe
Set value (str) | inffile\shell\Install\command\ = "shutdown -r -f -t 0" | system32.exe
Set value (str) | VBSFile\Shell\Open\Command\ = "calc.exe" | csrss.exe
Key created | VBSFile\Shell\Edit\Command | Kazekage.exe
Key created | inffile\shell\Install\command | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Set value (str) | VBSFile\Shell\Open2\Command\ = "calc.exe" | Gaara.exe
Set value (str) | VBSFile\Shell\Edit\Command\ = "calc.exe" | Gaara.exe
Set value (str) | VBSFile\Shell\Open2\Command\ = "calc.exe" | csrss.exe
Set value (str) | VBSFile\Shell\Edit\Command\ = "calc.exe" | Kazekage.exe
Set value (str) | VBSFile\Shell\Open2\Command\ = "calc.exe" | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Set value (str) | VBSFile\Shell\Edit\Command\ = "calc.exe" | 9469e78f405795ec4c02ce5d9b479bf0N.exe
Key created | VBSFile\Shell\Open\Command | smss.exe
Set value (str) | VBSFile\Shell\Open\Command\ = "calc.exe" | smss.exe
Key created | inffile\shell\Install | csrss.exe
Key created | VBSFile\Shell\Open2\Command | system32.exe
Set value (str) | VBSFile\Shell\Edit\Command\ = "calc.exe" | system32.exe
Set value (str) | VBSFile\Shell\Open2\Command\ = "calc.exe" | system32.exe -
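The class-handler changes above are easy to miss in a long registry dump because the keys themselves are legitimate; only the command value is wrong. The Python below is an added example, not part of the sandbox report: it parses "Set value (str) <key> = "<value>" <process>" rows in the flattened form this page uses, extracts the ProgId and verb from any Classes\...\shell\<verb>\command key, and compares the program that the command launches against a baseline of stock handlers. The baseline (WScript.exe for VBSFile\Open, CScript.exe for Open2, Notepad for Edit, InfDefaultInstall.exe for inffile\Install) is my assumption of a clean Windows 10 install and should be checked against your own golden image; the embedded rows are copied from the report plus one constructed benign row that the audit must leave alone.

```python
"""Audit shell-verb command handlers recorded in 'Set value (str)' rows against a
baseline of stock Windows handlers.

Added example, not part of the sandbox report. EXPECTED_HANDLERS is an assumed
clean-Windows-10 baseline; verify it against your own reference system."""
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# Constructed input: rows copied from the report, run together on one line as the
# flattened report presents them. The final row is constructed (not from the
# report) and shows a stock handler that the audit must not flag.
SAMPLE = " ".join([
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Kazekage.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Kazekage.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command 9469e78f405795ec4c02ce5d9b479bf0N.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Kazekage.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" csrss.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "%SystemRoot%\System32\WScript.exe %1" setup.exe',
])

# A row starts at one of the sandbox's registry action phrases.
ROW_SPLIT_RE = re.compile(r"\s+(?=Set value \(str\) |Key created |Key opened )")
# key = "value" process ; the key may contain spaces, the value is quoted.
SET_RE = re.compile(r'^Set value \(str\) (?P<key>.+?) = "(?P<value>.*?)" (?P<process>\S+)$')
# Classes\<ProgId>\shell\<verb>\command, with or without the trailing backslash
# the sandbox prints for a key's default value.
VERB_RE = re.compile(
    r"\\Classes\\(?P<progid>[^\\]+)\\shell\\(?P<verb>[^\\]+)\\command\\?$", re.IGNORECASE
)

# Assumed baseline: file stem (case-insensitive) of the program that handles each
# (ProgId, verb) on a clean Windows 10 install. Check against a golden image.
EXPECTED_HANDLERS = {
    ("vbsfile", "open"): "wscript",
    ("vbsfile", "open2"): "cscript",
    ("vbsfile", "edit"): "notepad",
    ("inffile", "install"): "infdefaultinstall",
}


def handler_stem(command: str) -> str:
    """Lower-cased file stem of the program a shell command line launches."""
    parts = command.strip().split()
    if not parts:
        return ""
    # Tolerate a quoted, environment-expanded path such as "%SystemRoot%\System32\WScript.exe".
    return PureWindowsPath(parts[0].strip('"')).stem.lower()


def audit_handlers(text: str) -> list[dict]:
    """Return one finding per Set-value row whose handler deviates from the baseline."""
    findings = []
    for chunk in ROW_SPLIT_RE.split(text.strip()):
        m = SET_RE.match(chunk)
        if not m:
            continue  # 'Key created' / 'Key opened' rows carry no value to audit
        v = VERB_RE.search(m["key"])
        if not v:
            continue  # not a shell-verb command key
        pair = (v["progid"].lower(), v["verb"].lower())
        actual = handler_stem(m["value"])
        expected = EXPECTED_HANDLERS.get(pair)
        if expected is None:
            reason = "verb not in baseline, review manually"
        elif actual != expected:
            reason = "handler replaced"
        else:
            continue  # stock handler, nothing to report
        findings.append({
            "process": m["process"], "progid": v["progid"], "verb": v["verb"],
            "command": m["value"], "expected": expected, "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in audit_handlers(SAMPLE):
        print(f'{f["process"]}: {f["progid"]}\\{f["verb"]} -> "{f["command"]}" '
              f'({f["reason"]}; expected {f["expected"]})')
```

The same comparison works on a live host if the rows are replaced by a registry export of HKLM\SOFTWARE\Classes; the point of keying on the file stem rather than the full command is that the legitimate handlers vary in quoting and environment-variable form between Windows builds, while a replacement such as calc.exe or shutdown never shares the stem.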
Runs ping.exe 1 TTPs 22 IoCs
pid Process
4872 ping.exe
984 ping.exe
2864 ping.exe
208 ping.exe
5024 ping.exe
4240 ping.exe
1992 ping.exe
2432 ping.exe
2300 ping.exe
4584 ping.exe
3536 ping.exe
3280 ping.exe
628 ping.exe
2272 ping.exe
2696 ping.exe
2616 ping.exe
3084 ping.exe
2456 ping.exe
3156 ping.exe
3344 ping.exe
1556 ping.exe
2380 ping.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
532 csrss.exe (listed 24 times)
5020 Kazekage.exe (listed 24 times)
324 9469e78f405795ec4c02ce5d9b479bf0N.exe (listed 16 times)
-
Suspicious use of SetWindowsHookEx 31 IoCs
pid Process
324 9469e78f405795ec4c02ce5d9b479bf0N.exe
1948 smss.exe
1892 smss.exe
2668 Gaara.exe
4044 smss.exe
880 Gaara.exe
532 csrss.exe
2772 smss.exe
2036 Gaara.exe
4560 csrss.exe
5020 Kazekage.exe
4172 smss.exe
4048 Gaara.exe
3140 csrss.exe
4228 Kazekage.exe
4840 system32.exe
884 smss.exe
4120 Gaara.exe
1128 csrss.exe
3596 Kazekage.exe
1376 system32.exe
4056 system32.exe
3872 Kazekage.exe
3160 system32.exe
1428 csrss.exe
3156 Kazekage.exe
4768 system32.exe
5036 Gaara.exe
2376 csrss.exe
892 Kazekage.exe
3496 system32.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid Process | procid_target
PID 324 wrote to memory of 1948 | 324 9469e78f405795ec4c02ce5d9b479bf0N.exe | 92 (listed 3 times)
PID 1948 wrote to memory of 1892 | 1948 smss.exe | 94 (listed 3 times)
PID 1948 wrote to memory of 2668 | 1948 smss.exe | 96 (listed 3 times)
PID 2668 wrote to memory of 4044 | 2668 Gaara.exe | 97 (listed 3 times)
PID 2668 wrote to memory of 880 | 2668 Gaara.exe | 98 (listed 3 times)
PID 2668 wrote to memory of 532 | 2668 Gaara.exe | 99 (listed 3 times)
PID 532 wrote to memory of 2772 | 532 csrss.exe | 100 (listed 3 times)
PID 532 wrote to memory of 2036 | 532 csrss.exe | 101 (listed 3 times)
PID 532 wrote to memory of 4560 | 532 csrss.exe | 102 (listed 3 times)
PID 532 wrote to memory of 5020 | 532 csrss.exe | 103 (listed 3 times)
PID 5020 wrote to memory of 4172 | 5020 Kazekage.exe | 104 (listed 3 times)
PID 5020 wrote to memory of 4048 | 5020 Kazekage.exe | 107 (listed 3 times)
PID 5020 wrote to memory of 3140 | 5020 Kazekage.exe | 108 (listed 3 times)
PID 5020 wrote to memory of 4228 | 5020 Kazekage.exe | 109 (listed 3 times)
PID 5020 wrote to memory of 4840 | 5020 Kazekage.exe | 111 (listed 3 times)
PID 4840 wrote to memory of 884 | 4840 system32.exe | 113 (listed 3 times)
PID 4840 wrote to memory of 4120 | 4840 system32.exe | 115 (listed 3 times)
PID 4840 wrote to memory of 1128 | 4840 system32.exe | 116 (listed 3 times)
PID 4840 wrote to memory of 3596 | 4840 system32.exe | 117 (listed 3 times)
PID 4840 wrote to memory of 1376 | 4840 system32.exe | 118 (listed 3 times)
PID 532 wrote to memory of 4056 | 532 csrss.exe | 119 (listed 3 times)
PID 2668 wrote to memory of 3872 | 2668 Gaara.exe | 120
-
System policy modification 1 TTPs 12 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System system32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Gaara.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 9469e78f405795ec4c02ce5d9b479bf0N.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Kazekage.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 9469e78f405795ec4c02ce5d9b479bf0N.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9469e78f405795ec4c02ce5d9b479bf0N.exe
"C:\Users\Admin\AppData\Local\Temp\9469e78f405795ec4c02ce5d9b479bf0N.exe" (level 1)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:324 -
C:\Windows\Fonts\Admin 22 - 8 - 2024\smss.exe
"C:\Windows\Fonts\Admin 22 - 8 - 2024\smss.exe" (level 2)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1948 -
C:\Windows\Fonts\Admin 22 - 8 - 2024\smss.exe
"C:\Windows\Fonts\Admin 22 - 8 - 2024\smss.exe" (level 3)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1892
-
-
C:\Windows\Fonts\Admin 22 - 8 - 2024\Gaara.exe
"C:\Windows\Fonts\Admin 22 - 8 - 2024\Gaara.exe" (level 3)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2668 -
C:\Windows\Fonts\Admin 22 - 8 - 2024\smss.exe
"C:\Windows\Fonts\Admin 22 - 8 - 2024\smss.exe" (level 4)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4044
-
-
C:\Windows\Fonts\Admin 22 - 8 - 2024\Gaara.exe
"C:\Windows\Fonts\Admin 22 - 8 - 2024\Gaara.exe" (level 4)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:880
-
-
C:\Windows\Fonts\Admin 22 - 8 - 2024\csrss.exe
"C:\Windows\Fonts\Admin 22 - 8 - 2024\csrss.exe" (level 4)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:532 -
C:\Windows\Fonts\Admin 22 - 8 - 2024\smss.exe
"C:\Windows\Fonts\Admin 22 - 8 - 2024\smss.exe" (level 5)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2772
-
-
C:\Windows\Fonts\Admin 22 - 8 - 2024\Gaara.exe
"C:\Windows\Fonts\Admin 22 - 8 - 2024\Gaara.exe" (level 5)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2036
-
-
C:\Windows\Fonts\Admin 22 - 8 - 2024\csrss.exe
"C:\Windows\Fonts\Admin 22 - 8 - 2024\csrss.exe" (level 5)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4560
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe (level 5)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5020 -
C:\Windows\Fonts\Admin 22 - 8 - 2024\smss.exe
"C:\Windows\Fonts\Admin 22 - 8 - 2024\smss.exe" (level 6)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4172
-
-
C:\Windows\Fonts\Admin 22 - 8 - 2024\Gaara.exe
"C:\Windows\Fonts\Admin 22 - 8 - 2024\Gaara.exe" (level 6)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4048
-
-
C:\Windows\Fonts\Admin 22 - 8 - 2024\csrss.exe
"C:\Windows\Fonts\Admin 22 - 8 - 2024\csrss.exe" (level 6)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3140
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe (level 6)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4228
-
-
C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe (level 6)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4840 -
C:\Windows\Fonts\Admin 22 - 8 - 2024\smss.exe
"C:\Windows\Fonts\Admin 22 - 8 - 2024\smss.exe" (level 7)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:884
-
-
C:\Windows\Fonts\Admin 22 - 8 - 2024\Gaara.exe
"C:\Windows\Fonts\Admin 22 - 8 - 2024\Gaara.exe" (level 7)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4120
-
-
C:\Windows\Fonts\Admin 22 - 8 - 2024\csrss.exe
"C:\Windows\Fonts\Admin 22 - 8 - 2024\csrss.exe" (level 7)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1128
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe (level 7)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3596
-
-
C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe (level 7)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1376
-
-
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500 (level 7)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1556
-
-
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500 (level 7)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4872
-
-
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500 (level 7)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3156
-
-
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500 (level 7)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2300
-
-
-
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500 (level 6)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2696
-
-
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500 (level 6)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1992
-
-
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500 (level 6)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2432
-
-
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500 (level 6)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:628
-
-
-
C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe (level 5)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4056
-
-
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500 (level 5)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3344
-
-
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500 (level 5)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2272
-
-
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500 (level 5)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3084
-
-
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500 (level 5)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2456
-
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe (level 4)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3872
-
-
C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe (level 4)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3160
-
-
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500 (level 4)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3280
-
-
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500 (level 4)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4240
-
-
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500 (level 4)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2864
-
-
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500 (level 4)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:984
-
-
-
C:\Windows\Fonts\Admin 22 - 8 - 2024\csrss.exe
"C:\Windows\Fonts\Admin 22 - 8 - 2024\csrss.exe" (level 3)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1428
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe (level 3)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3156
-
-
C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe (level 3)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4768
-
-
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500 (level 3)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3536
-
-
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500 (level 3)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5024
-
-
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500 (level 3)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2380
-
-
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500 (level 3)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2616
-
-
-
C:\Windows\Fonts\Admin 22 - 8 - 2024\Gaara.exe
"C:\Windows\Fonts\Admin 22 - 8 - 2024\Gaara.exe" (level 2)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5036
-
-
C:\Windows\Fonts\Admin 22 - 8 - 2024\csrss.exe
"C:\Windows\Fonts\Admin 22 - 8 - 2024\csrss.exe" (level 2)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2376
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe (level 2)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:892
-
-
C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe (level 2)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3496
-
-
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500 (level 2)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4584
-
-
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500 (level 2)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:208
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4408,i,11391966286255097843,10588851088187498028,262144 --variations-seed-version --mojo-platform-channel-handle=3664 /prefetch:8 (level 1)
PID:3884
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (8)
Downloads
-
Filesize
736B
MD5: bb5d6abdf8d0948ac6895ce7fdfbc151
SHA1: 9266b7a247a4685892197194d2b9b86c8f6dddbd
SHA256: 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512: 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c
-
Filesize
196B
MD5: 1564dfe69ffed40950e5cb644e0894d1
SHA1: 201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256: be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA512: 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097
-
Filesize
148KB
MD5: 9469e78f405795ec4c02ce5d9b479bf0
SHA1: fda420f07893db4e065b7249fb7e9d16a72e53ea
SHA256: 22bbdb6b0fe902df3383ccf29d6047c5f104036316e67d5fd6adc82b68a99a0f
SHA512: 4774c113756f0a7ff363a0b0bfdf865e5b627a404844907a6ea147878506a6d27237e221139ed240089191a3896baa717ba79b9c8d33e18f787d08a254884416
-
Filesize
148KB
MD5: 9ff587af124e4e424c770402fdaa8f6f
SHA1: ee07e9ddeec7937e8f479f7011181fccd5bffa21
SHA256: 6569dca5b4fef273df996ff2e9719248789cf174fdbcedc851e97b00f5c53a85
SHA512: 15171724d09aa17f083cf0060c6df1cc47cba39a5cd5f13b50ee43267ad1cf1f8e6ef89445463228c55b0312df4b6981ade41edc8a04a30c3a75377b8485502c
-
Filesize
148KB
MD5: 766a52b8b80be6a6a4ddf36d6b464280
SHA1: 2d57544e559a1716761c3eff5a96f81a263a5298
SHA256: 2968234fea23a9e9495d8db0fdc5197e3a7500aed6b86e59371896946d4f7aa6
SHA512: cb129c881850daf4333abc96ddf883316bfb2f4a4a8fec2dae1a68a09bc1cb932fe060da0f905e5e93ab61db8d8bf41a900142a90eb64cb7944c87155d4721a8
-
Filesize
148KB
MD5: c4e4bb8f500718a21056dd6cbd519408
SHA1: 76491e18b3ba53a6344e247c51aa7d7b9c2577c6
SHA256: 7e0ccd6f77e90d9c5c30d244dcb63b8e8362df0e93503d68c4d6cf7a1f377072
SHA512: 3756b30d03b06cddfcdfc85d61e81e545e427439cf15a7dcc42dd0807913f92bfbd3f039bd52446d77decdb30538b889eca02460261a4c2091d650dbf4fb1442
-
Filesize
148KB
MD5: 9bdedfa7f1bee74d8131d8eb21271aea
SHA1: c1498c391bbbffa7def3e47d573d5f6db1bfabb0
SHA256: 13efcf63a91de8156470a66a477f68f1e7c40a0d4594db6a4f88aa91aacbc99b
SHA512: 9ff0e9f4a60cc31d8b24a120ab3deaed0e99ec70d860a736d21f3d78f37835135ce621708aa749c771be7219e0cac3763d3f27c743c788474beeaadd7f6e526a
-
Filesize
1.4MB
MD5: d6b05020d4a0ec2a3a8b687099e335df
SHA1: df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256: 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA512: 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff
-
Filesize
148KB
MD5: 5b7e4140c6fac9e2d5be369b46c6de20
SHA1: e4e875a42823a4e85e70de5cd165793dd3d8ac7d
SHA256: ce24a9255019288092370b29b73532e4ed7f44000c94ce69fe26fed1935173cf
SHA512: d1634883b9994ef01915cee10360972ef2c623b7f0573e087c20ca71ca84b71e6818d663d70379082e3a69c500815055864374216d3fcfe26697eb3328b9caf7
-
Filesize
148KB
MD5: f07719e31a88e22a08f28d2fd76ebb87
SHA1: 3bea6d78355fd2ceb72ea83548953a652c4706f0
SHA256: 379c1176beef18c9e0d2be30293d4ebf3185fab8f6f4ffce64af2b5a99ce6305
SHA512: 445cd4e86669ff9d0c8af5dde32850cf32254c6c6901bb8f50be656fd010d6752e1161f462d118040d1663b6dd320913a519ca73e32ede3040c2a6e95510b0ab
-
Filesize
148KB
MD5: ae513e42ebe9db39ae71add25a9a8faa
SHA1: f67ecb4877c669caec44889f50337fd7c0b64a21
SHA256: a634c2e7b46fff73e039363a27bebb86eae1d09a46b6edbec98eb7b6591ccb3c
SHA512: f9a133e737ca7720f50d72d1b4ad90702fbb2bca015e9374b129219839930bbb42fea55c61788732ab89ad6eb3c124ba87003edebc4204d785ba14497c2de2ca
-
Filesize
148KB
MD5: 4f844329d2ecab624936c98de23709e1
SHA1: 80d2d99be8c0441c4b1896ba990146f9c7bd8e73
SHA256: 999d057c58216f2ac122dee06d119a6f37b278428a23f165ab25a0a55a74fd23
SHA512: fd61f9884771721647b962b2b4fd4a8eebdc45f3706052f15561498a0913e3cd2cda29b13cefb51f5d894a1e1f3398f5c3d259a9d7eefb6405e5204b7362d001
-
Filesize
148KB
MD5: 430d32545a82e0dc0556377af0b9b320
SHA1: 6c69cb979509cb678270419425e24d02d15c3b40
SHA256: 1e8eddd20c881f0f63a9ff568c42431156d201c0da0349ea8594d13954b33657
SHA512: 8e2097da93566332798306bcdbd928ce28e6740d971b64a1f23555bccfbed18b87708e69363a66e3ff27aca3231ce24d06c18267745bbe0bf1db65f4b9e4f0d5
-
Filesize
148KB
MD5: eaf4e653e7965e9f66d368fe31789ab0
SHA1: fddc0012dac8d057d799b04d0ef67792c053010d
SHA256: 2d0a7671b9f16aeacbcaaf06c0e0a56df9f8fef09780f21342e5f3bd30ab6b56
SHA512: 14c65dcd25e28e384bec987d6c6aff8ef623c1bdfb07397532d5a7a003d5135f198daec35a3b682dd827dc11a6374a32ac48c6f502dc96d0ef943155b0bc842d
-
Filesize
65B
MD5: 64acfa7e03b01f48294cf30d201a0026
SHA1: 10facd995b38a095f30b4a800fa454c0bcbf8438
SHA256: ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA512: 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a
-
Filesize
148KB
MD5: c5177a484e1fb99e4bfb52c66007c48f
SHA1: 6dd525aef751edb971129529f1b991d617e5382f
SHA256: 5c10759476617643e976bdaf01d4aed91f4c379b530a9e4ec74e98fa125b2362
SHA512: 23a27928f78d22aba1d952411aa9360311c1b62409ed2ad5ef7206cbbf14c6801568ed4ac5675909bb8f2acbe8eca7c81ebfd465c66a85a21ddbfcdb7ae73c32
-
Filesize
148KB
MD5: bda1017a4448dcdf627a5558fe88b8d9
SHA1: bcddfd75448f4784e5e8a9c8bececc9634a1f984
SHA256: d405b26f4ae06978431d4c362ed43fddccaf9d420d318ea1ca39b0e704054167
SHA512: 90d5147026bbf8b487eb67d8032d7796a399b37681ad531ea8797c55510d8b75dc4b6b086c7e810bc7f437f889726dab5716be28ed5fa0d4789f6aa75c5ac27e
-
Filesize
148KB
MD5: 30a75bb03899a0b70e1cffbdfd5f6176
SHA1: 11cfeed01c0ef4c5800f68410996d6bc14794ebb
SHA256: 867de53fe87b36d136f3664e24a2176e70d7fb4d57ca337a0dbab12cd7fbf7f2
SHA512: 33094839d307d72e768e8c3a77720d6f17c138201b90d2ade9acad112eb398d748e222a51a6b3ccbcd1dd7afbc5263a09ef27e5fad20b7de3655f9248d302b77
-
Filesize
148KB
MD5: b3202b80ba5dd6e1d487decce0135e79
SHA1: ecf50efcfe66969bf111bfb1232e889c1ca4a5aa
SHA256: 52aff279f0ec95f78d570a277a92cbc2caf531c591168a8c6ad693eeef054fad
SHA512: 54db2515ef7b5dfccf825ac19cb3a7516e3cb2a94770315e502081cd26f40719614dcc8b645370c5b3233293d4ed1231dc588e7893a6efdffdb3d9b2f5d21748
-
Filesize
148KB
MD5: 1a898fdae6fbc962f1139e07905e973b
SHA1: af606940d49c7e08488614ab666cdd656c42c0e9
SHA256: b811c69a0f36440ace3109453a0350c1685a215419bb242cf85ad34c63e10231
SHA512: fa55b3b6c9b7ecff02e2e9e560d67e6c119fe17fd11415eb3e5b4ea90693a32b24fbaff7bde0717dcb60b09cec0aa77ffcc25f0682ad707dbaa9e936bae31cd4
-
Filesize
148KB
MD5: 9fc9fbe4fa90ea7e4d4934d2561aa2c1
SHA1: 523d716417ceeb394f50321042beae0d136efe4b
SHA256: 910dfcdcaf6c75b92f1ffc625aee8d20819f63b30e7bbcf8d87b414cd59413a4
SHA512: ad6af03f73c1566e75336715e4a561e0a72c6d571de8563650e7b1f1d8909dd0bb88d4f6ccce42006e5000594b1db7feeb1230fa4fe7db64078ee3c40dc2345a
-
Filesize
148KB
MD5: dc24dc523aa66cf1cbc6a39740dcf4fa
SHA1: eaefea64cebb15080e174993092998e82c075a7d
SHA256: f583c48069d915b1df5c59130b660c71b79a2465476fc1147141c47181277add
SHA512: 28c7a9e18017ebb9d5dfe64aa1fc528a1408d51f8ae1f4e0b45265b6a6a922df08a5194f2274738165fc536778e3e136658ac487439656b23edf0682c32251b3
-
Filesize
1.4MB
MD5: 25f62c02619174b35851b0e0455b3d94
SHA1: 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256: 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512: f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a