Analysis
-
max time kernel
120s -
max time network
104s -
platform
windows10-2004_x64 -
resource
win10v2004-20240910-en -
resource tags
arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system -
submitted
19/09/2024, 14:28
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe
Resource
win7-20240903-en
windows7-x64
28 signatures
120 seconds
Behavioral task
behavioral2
Sample
5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe
Resource
win10v2004-20240910-en
windows10-2004-x64
28 signatures
120 seconds
General
-
Target
5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe
-
Size
148KB
-
MD5
57703a155f9702db14ee8a2b78fcf080
-
SHA1
96e38ed8c3717cda62e0d7ab2ae1f11462a359b8
-
SHA256
5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cad
-
SHA512
57fd4db79ee156ed12d58fb508207d2d4c217e9bba7075f02e20537a74db83564988a0f4ce993f2b2c5cedfa370ece0f8c727bab6c389522404442092df95de0
-
SSDEEP
1536:DJo0IHgL2AHfb1mzaFXg+xsukl4Y17jsgS/jHagQNuXGpeVTV:tx6AHjYzaFXg+w17jsgS/jHagQg19V
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" smss.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Kazekage.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Gaara.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" csrss.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Gaara.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Kazekage.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe -
Disables RegEdit via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Gaara.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Kazekage.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" system32.exe -
Disables use of System Restore points 1 TTPs
-
Drops file in Drivers directory 24 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe system32.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe smss.exe File created C:\Windows\SysWOW64\drivers\system32.exe smss.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe system32.exe File created C:\Windows\SysWOW64\drivers\system32.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe csrss.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe csrss.exe File created C:\Windows\SysWOW64\drivers\system32.exe system32.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe Gaara.exe File created C:\Windows\SysWOW64\drivers\system32.exe Gaara.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File created C:\Windows\SysWOW64\drivers\system32.exe 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe smss.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe csrss.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe Gaara.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe system32.exe File created C:\Windows\SysWOW64\drivers\system32.exe csrss.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe smss.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe Gaara.exe -
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" system32.exe -
Executes dropped EXE 30 IoCs
pid Process 1812 smss.exe 4984 smss.exe 1780 Gaara.exe 4184 smss.exe 3952 Gaara.exe 1700 csrss.exe 2896 smss.exe 3400 Gaara.exe 4368 csrss.exe 1936 Kazekage.exe 3908 smss.exe 2964 Gaara.exe 1212 csrss.exe 4884 Kazekage.exe 1068 system32.exe 2480 smss.exe 4772 Gaara.exe 4112 csrss.exe 1080 Kazekage.exe 3944 system32.exe 2892 system32.exe 2844 Kazekage.exe 2324 system32.exe 1476 csrss.exe 1916 Kazekage.exe 1108 system32.exe 4532 Gaara.exe 4340 csrss.exe 3616 Kazekage.exe 3344 system32.exe -
Loads dropped DLL 18 IoCs
pid Process 1812 smss.exe 4984 smss.exe 1780 Gaara.exe 4184 smss.exe 3952 Gaara.exe 1700 csrss.exe 2896 smss.exe 3400 Gaara.exe 4368 csrss.exe 3908 smss.exe 2964 Gaara.exe 1212 csrss.exe 2480 smss.exe 4772 Gaara.exe 4112 csrss.exe 1476 csrss.exe 4532 Gaara.exe 4340 csrss.exe -
Adds Run key to start application 2 TTPs 24 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 19 - 9 - 2024\\Gaara.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 19 - 9 - 2024\\smss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 19 - 9 - 2024\\Gaara.exe" 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "19-9-2024.exe" 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "19-9-2024.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "19-9-2024.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 19 - 9 - 2024\\Gaara.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 19 - 9 - 2024\\smss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "19-9-2024.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 19 - 9 - 2024\\smss.exe" 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "19-9-2024.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "19-9-2024.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 19 - 9 - 2024\\Gaara.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 19 - 9 - 2024\\smss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 19 - 9 - 2024\\Gaara.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 19 - 9 - 2024\\smss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 19 - 9 - 2024\\smss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 19 - 9 - 2024\\Gaara.exe" csrss.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification \??\R:\Desktop.ini system32.exe File opened for modification \??\N:\Desktop.ini csrss.exe File opened for modification \??\W:\Desktop.ini Kazekage.exe File opened for modification \??\B:\Desktop.ini 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File opened for modification F:\Desktop.ini 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File opened for modification \??\G:\Desktop.ini 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File opened for modification \??\A:\Desktop.ini smss.exe File opened for modification \??\S:\Desktop.ini smss.exe File opened for modification D:\Desktop.ini csrss.exe File opened for modification \??\M:\Desktop.ini csrss.exe File opened for modification \??\S:\Desktop.ini Kazekage.exe File opened for modification \??\P:\Desktop.ini 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File opened for modification \??\Z:\Desktop.ini 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File opened for modification \??\A:\Desktop.ini system32.exe File opened for modification \??\E:\Desktop.ini Kazekage.exe File opened for modification \??\U:\Desktop.ini Kazekage.exe File opened for modification \??\N:\Desktop.ini 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File opened for modification \??\J:\Desktop.ini system32.exe File opened for modification \??\P:\Desktop.ini system32.exe File opened for modification \??\N:\Desktop.ini Gaara.exe File opened for modification \??\P:\Desktop.ini csrss.exe File opened for modification \??\R:\Desktop.ini csrss.exe File opened for modification \??\T:\Desktop.ini smss.exe File opened for modification \??\U:\Desktop.ini smss.exe File opened for modification C:\Desktop.ini system32.exe File opened for modification \??\L:\Desktop.ini system32.exe File opened for modification \??\A:\Desktop.ini Gaara.exe File opened for modification \??\G:\Desktop.ini Gaara.exe File opened for modification \??\R:\Desktop.ini Gaara.exe File opened for modification \??\Z:\Desktop.ini Gaara.exe File opened for modification \??\E:\Desktop.ini smss.exe File opened for modification \??\E:\Desktop.ini system32.exe File opened for modification \??\O:\Desktop.ini Kazekage.exe File opened for modification \??\N:\Desktop.ini system32.exe File opened for modification \??\G:\Desktop.ini smss.exe File opened for modification \??\O:\Desktop.ini system32.exe File opened for modification \??\G:\Desktop.ini system32.exe File opened for modification \??\Q:\Desktop.ini Kazekage.exe File opened for modification \??\E:\Desktop.ini 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File opened for modification \??\J:\Desktop.ini 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File opened for modification \??\R:\Desktop.ini 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File opened for modification \??\I:\Desktop.ini smss.exe File opened for modification \??\K:\Desktop.ini smss.exe File opened for modification \??\L:\Desktop.ini smss.exe File opened for modification \??\J:\Desktop.ini csrss.exe File opened for modification \??\L:\Desktop.ini csrss.exe File opened for modification \??\N:\Desktop.ini Kazekage.exe File opened for modification C:\Desktop.ini 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File opened for modification \??\I:\Desktop.ini system32.exe File opened for modification \??\Y:\Desktop.ini system32.exe File opened for modification \??\Y:\Desktop.ini csrss.exe File opened for modification \??\Q:\Desktop.ini smss.exe File opened for modification \??\B:\Desktop.ini Gaara.exe File opened for modification D:\Desktop.ini Kazekage.exe File opened for modification \??\T:\Desktop.ini system32.exe File opened for modification \??\X:\Desktop.ini system32.exe File opened for modification \??\Z:\Desktop.ini csrss.exe File opened for modification \??\I:\Desktop.ini Gaara.exe File opened for modification F:\Desktop.ini csrss.exe File opened for modification \??\A:\Desktop.ini Kazekage.exe File opened for modification \??\G:\Desktop.ini Kazekage.exe File opened for modification \??\O:\Desktop.ini 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File opened for modification \??\G:\Desktop.ini csrss.exe File opened for modification \??\P:\Desktop.ini Kazekage.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Q: system32.exe File opened (read-only) \??\G: 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File opened (read-only) \??\G: smss.exe File opened (read-only) \??\M: system32.exe File opened (read-only) \??\Z: csrss.exe File opened (read-only) \??\S: Kazekage.exe File opened (read-only) \??\U: Kazekage.exe File opened (read-only) \??\G: Kazekage.exe File opened (read-only) \??\P: Kazekage.exe File opened (read-only) \??\J: smss.exe File opened (read-only) \??\Y: smss.exe File opened (read-only) \??\R: system32.exe File opened (read-only) \??\Z: Gaara.exe File opened (read-only) \??\N: csrss.exe File opened (read-only) \??\T: csrss.exe File opened (read-only) \??\A: system32.exe File opened (read-only) \??\T: system32.exe File opened (read-only) \??\U: csrss.exe File opened (read-only) \??\A: Kazekage.exe File opened (read-only) \??\N: 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File opened (read-only) \??\J: system32.exe File opened (read-only) \??\P: system32.exe File opened (read-only) \??\G: csrss.exe File opened (read-only) \??\Q: csrss.exe File opened (read-only) \??\N: smss.exe File opened (read-only) \??\I: Gaara.exe File opened (read-only) \??\M: Kazekage.exe File opened (read-only) \??\K: 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File opened (read-only) \??\B: smss.exe File opened (read-only) \??\K: smss.exe File opened (read-only) \??\Q: smss.exe File opened (read-only) \??\Z: smss.exe File opened (read-only) \??\W: Gaara.exe File opened (read-only) \??\I: csrss.exe File opened (read-only) \??\J: 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File opened (read-only) \??\Y: system32.exe File opened (read-only) \??\J: Kazekage.exe File opened (read-only) \??\L: Kazekage.exe File opened (read-only) \??\M: 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File opened (read-only) \??\R: 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File opened (read-only) \??\P: smss.exe File opened (read-only) \??\L: system32.exe File opened (read-only) \??\W: system32.exe File opened (read-only) \??\J: Gaara.exe File opened (read-only) \??\H: csrss.exe File opened (read-only) \??\Y: csrss.exe File opened (read-only) \??\M: csrss.exe File opened (read-only) \??\R: csrss.exe File opened (read-only) \??\E: Kazekage.exe File opened (read-only) \??\U: 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File opened (read-only) \??\V: 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File opened (read-only) \??\N: Gaara.exe File opened (read-only) \??\R: Gaara.exe File opened (read-only) \??\L: csrss.exe File opened (read-only) \??\O: system32.exe File opened (read-only) \??\W: csrss.exe File opened (read-only) \??\L: 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File opened (read-only) \??\X: 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File opened (read-only) \??\B: Kazekage.exe File opened (read-only) \??\Q: 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File opened (read-only) \??\S: smss.exe File opened (read-only) \??\Y: Kazekage.exe File opened (read-only) \??\A: Gaara.exe File opened (read-only) \??\A: 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe -
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification \??\N:\Autorun.inf Kazekage.exe File opened for modification \??\A:\Autorun.inf Gaara.exe File created \??\N:\Autorun.inf Gaara.exe File created \??\E:\Autorun.inf csrss.exe File opened for modification \??\O:\Autorun.inf csrss.exe File created \??\Y:\Autorun.inf csrss.exe File opened for modification \??\H:\Autorun.inf Kazekage.exe File opened for modification \??\L:\Autorun.inf Kazekage.exe File opened for modification \??\Z:\Autorun.inf system32.exe File opened for modification \??\N:\Autorun.inf system32.exe File created \??\K:\Autorun.inf 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File opened for modification \??\A:\Autorun.inf smss.exe File created \??\W:\Autorun.inf smss.exe File created \??\B:\Autorun.inf Gaara.exe File created \??\S:\Autorun.inf Gaara.exe File created \??\L:\Autorun.inf csrss.exe File opened for modification \??\P:\Autorun.inf Kazekage.exe File created \??\U:\Autorun.inf system32.exe File created \??\W:\Autorun.inf system32.exe File created \??\I:\Autorun.inf 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File created \??\T:\Autorun.inf csrss.exe File created D:\Autorun.inf Kazekage.exe File opened for modification \??\R:\Autorun.inf Kazekage.exe File opened for modification \??\V:\Autorun.inf system32.exe File opened for modification \??\O:\Autorun.inf 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File created \??\P:\Autorun.inf smss.exe File created \??\W:\Autorun.inf Gaara.exe File created \??\A:\Autorun.inf Kazekage.exe File opened for modification \??\R:\Autorun.inf smss.exe File created \??\O:\Autorun.inf Gaara.exe File created \??\U:\Autorun.inf csrss.exe File created \??\H:\Autorun.inf system32.exe File opened for modification \??\M:\Autorun.inf smss.exe File opened for modification \??\E:\Autorun.inf Gaara.exe File created \??\J:\Autorun.inf Gaara.exe File created \??\A:\Autorun.inf system32.exe File created \??\K:\Autorun.inf system32.exe File opened for modification C:\Autorun.inf 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File opened for modification \??\P:\Autorun.inf 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File created \??\E:\Autorun.inf smss.exe File opened for modification \??\U:\Autorun.inf smss.exe File opened for modification \??\K:\Autorun.inf Gaara.exe File created \??\X:\Autorun.inf Gaara.exe File created \??\K:\Autorun.inf csrss.exe File created \??\L:\Autorun.inf system32.exe File opened for modification \??\O:\Autorun.inf system32.exe File created \??\B:\Autorun.inf smss.exe File opened for modification \??\X:\Autorun.inf Gaara.exe File opened for modification \??\Y:\Autorun.inf csrss.exe File opened for modification \??\O:\Autorun.inf Kazekage.exe File created \??\M:\Autorun.inf system32.exe File opened for modification \??\U:\Autorun.inf 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File created \??\G:\Autorun.inf csrss.exe File created \??\Q:\Autorun.inf csrss.exe File created \??\U:\Autorun.inf 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File created \??\Q:\Autorun.inf Gaara.exe File created \??\X:\Autorun.inf csrss.exe File opened for modification \??\E:\Autorun.inf system32.exe File opened for modification \??\J:\Autorun.inf system32.exe File opened for modification \??\G:\Autorun.inf 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File created \??\T:\Autorun.inf smss.exe File created \??\A:\Autorun.inf Gaara.exe File created \??\M:\Autorun.inf csrss.exe File created \??\H:\Autorun.inf Kazekage.exe -
Drops file in System32 directory 39 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\ smss.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll csrss.exe File opened for modification C:\Windows\SysWOW64\19-9-2024.exe system32.exe File created C:\Windows\SysWOW64\mscomctl.ocx 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini smss.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File opened for modification C:\Windows\SysWOW64\ 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll smss.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini csrss.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Kazekage.exe File created C:\Windows\SysWOW64\msvbvm60.dll smss.exe File created C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Gaara.exe File created C:\Windows\SysWOW64\msvbvm60.dll csrss.exe File opened for modification C:\Windows\SysWOW64\19-9-2024.exe Kazekage.exe File created C:\Windows\SysWOW64\Desktop.ini 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini Gaara.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx csrss.exe File created C:\Windows\SysWOW64\msvbvm60.dll system32.exe File opened for modification C:\Windows\SysWOW64\ csrss.exe File opened for modification C:\Windows\SysWOW64\ system32.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll system32.exe File created C:\Windows\SysWOW64\msvbvm60.dll 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File created C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\SysWOW64\19-9-2024.exe csrss.exe File opened for modification C:\Windows\SysWOW64\19-9-2024.exe smss.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini system32.exe File opened for modification C:\Windows\SysWOW64\19-9-2024.exe 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx smss.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini Kazekage.exe File opened for modification C:\Windows\SysWOW64\ Kazekage.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx system32.exe File created C:\Windows\SysWOW64\19-9-2024.exe 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File opened for modification C:\Windows\SysWOW64\19-9-2024.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\ Gaara.exe -
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\ csrss.exe File opened for modification C:\Windows\Fonts\Admin 19 - 9 - 2024\csrss.exe 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File opened for modification C:\Windows\Fonts\Admin 19 - 9 - 2024\msvbvm60.dll 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File opened for modification C:\Windows\msvbvm60.dll smss.exe File opened for modification C:\Windows\Fonts\Admin 19 - 9 - 2024\csrss.exe Gaara.exe File opened for modification C:\Windows\Fonts\Admin 19 - 9 - 2024\csrss.exe csrss.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg Kazekage.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File opened for modification C:\Windows\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\system\mscoree.dll csrss.exe File opened for modification C:\Windows\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\ 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File opened for modification C:\Windows\msvbvm60.dll system32.exe File created C:\Windows\Fonts\Admin 19 - 9 - 2024\Gaara.exe 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File created C:\Windows\Fonts\Admin 19 - 9 - 2024\csrss.exe 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File created C:\Windows\Fonts\Admin 19 - 9 - 2024\smss.exe Kazekage.exe File opened for modification C:\Windows\Fonts\Admin 19 - 9 - 2024\Gaara.exe Kazekage.exe File created C:\Windows\Fonts\Admin 19 - 9 - 2024\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\system\msvbvm60.dll Kazekage.exe File created C:\Windows\Fonts\Admin 19 - 9 - 2024\csrss.exe system32.exe File opened for modification C:\Windows\Fonts\Admin 19 - 9 - 2024\csrss.exe system32.exe File opened for modification C:\Windows\system\msvbvm60.dll 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File created C:\Windows\WBEM\msvbvm60.dll 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File created C:\Windows\WBEM\msvbvm60.dll smss.exe File created C:\Windows\Fonts\Admin 19 - 9 - 2024\Gaara.exe Gaara.exe File opened for modification C:\Windows\system\msvbvm60.dll Gaara.exe File created C:\Windows\Fonts\Admin 19 - 9 - 2024\msvbvm60.dll csrss.exe File created C:\Windows\Fonts\Admin 19 - 9 - 2024\csrss.exe smss.exe File created C:\Windows\Fonts\Admin 19 - 9 - 2024\smss.exe 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File created C:\Windows\WBEM\msvbvm60.dll system32.exe File opened for modification C:\Windows\ Gaara.exe File opened for modification C:\Windows\ Kazekage.exe File opened for modification C:\Windows\ system32.exe File opened for modification C:\Windows\Fonts\Admin 19 - 9 - 2024\Gaara.exe smss.exe File opened for modification C:\Windows\system\mscoree.dll system32.exe File opened for modification C:\Windows\mscomctl.ocx Kazekage.exe File opened for modification C:\Windows\Fonts\Admin 19 - 9 - 2024\smss.exe Gaara.exe File created C:\Windows\Fonts\Admin 19 - 9 - 2024\csrss.exe Kazekage.exe File opened for modification C:\Windows\mscomctl.ocx 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File opened for modification C:\Windows\msvbvm60.dll 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File created C:\Windows\Fonts\Admin 19 - 9 - 2024\msvbvm60.dll smss.exe File opened for modification C:\Windows\Fonts\Admin 19 - 9 - 2024\csrss.exe Kazekage.exe File opened for modification C:\Windows\mscomctl.ocx Gaara.exe File created C:\Windows\WBEM\msvbvm60.dll Gaara.exe File created C:\Windows\Fonts\Admin 19 - 9 - 2024\smss.exe csrss.exe File created C:\Windows\mscomctl.ocx 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File opened for modification C:\Windows\system\mscoree.dll 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg smss.exe File opened for modification C:\Windows\Fonts\Admin 19 - 9 - 2024\smss.exe smss.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg Gaara.exe File opened for modification C:\Windows\Fonts\Admin 19 - 9 - 2024\Gaara.exe Gaara.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg csrss.exe File created C:\Windows\Fonts\The Kazekage.jpg 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File created C:\Windows\Fonts\Admin 19 - 9 - 2024\msvbvm60.dll 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File opened for modification C:\Windows\msvbvm60.dll csrss.exe File created C:\Windows\Fonts\Admin 19 - 9 - 2024\Gaara.exe Kazekage.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg system32.exe File opened for modification C:\Windows\system\msvbvm60.dll system32.exe File created C:\Windows\msvbvm60.dll 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe File opened for modification C:\Windows\Fonts\Admin 19 - 9 - 2024\smss.exe system32.exe File created C:\Windows\Fonts\Admin 19 - 9 - 2024\msvbvm60.dll system32.exe File opened for modification C:\Windows\ smss.exe File opened for modification C:\Windows\mscomctl.ocx system32.exe File created C:\Windows\WBEM\msvbvm60.dll Kazekage.exe -
System Location Discovery: System Language Discovery 1 TTPs 53 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 22 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 1628 ping.exe 3224 ping.exe 4940 ping.exe 3828 ping.exe 4476 ping.exe 3636 ping.exe 4204 ping.exe 4340 ping.exe 4680 ping.exe 3884 ping.exe 2128 ping.exe 3808 ping.exe 3800 ping.exe 4280 ping.exe 5092 ping.exe 4200 ping.exe 3536 ping.exe 4360 ping.exe 4352 ping.exe 4772 ping.exe 2268 ping.exe 2192 ping.exe -
Modifies Control Panel 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe Key created \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Screen Saver.Marquee csrss.exe Key created \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Screen Saver.Marquee 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Screen Saver.Marquee\Size = "72" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Screen Saver.Marquee smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Desktop\WallpaperStyle = "2" smss.exe Key created \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Screen Saver.Marquee Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" csrss.exe Key created \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Screen Saver.Marquee system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Screen Saver.Marquee\Size = "72" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Screen Saver.Marquee\Speed = "4" 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Screen Saver.Marquee\Size = "72" system32.exe Key created \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Desktop system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Screen Saver.Marquee\Speed = "4" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Desktop\WallpaperStyle = "2" system32.exe Key created \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Screen Saver.Marquee Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Screen Saver.Marquee\Size = "72" 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Screen Saver.Marquee\Speed = "4" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Screen Saver.Marquee\Speed = "4" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" system32.exe Key created \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Desktop csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Desktop\WallpaperStyle = "2" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Screen Saver.Marquee\Speed = "4" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Screen Saver.Marquee\Size = "72" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Desktop\WallpaperStyle = "2" 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" system32.exe Key created \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Desktop 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe Key created \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Desktop Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" Kazekage.exe -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Gaara.exe Key created \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Internet Explorer\Main csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Internet Explorer\Main 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" smss.exe Key created \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Internet Explorer\Main system32.exe Key created \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Internet Explorer\Main Gaara.exe Key created \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Internet Explorer\Main Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe Key created \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Internet Explorer\Main smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" system32.exe -
Modifies registry class 51 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command system32.exe -
Runs ping.exe 1 TTPs 22 IoCs
pid Process 2268 ping.exe 4352 ping.exe 2192 ping.exe 4280 ping.exe 3224 ping.exe 3536 ping.exe 4360 ping.exe 3808 ping.exe 4340 ping.exe 4680 ping.exe 3884 ping.exe 4772 ping.exe 4476 ping.exe 4204 ping.exe 1628 ping.exe 3800 ping.exe 2128 ping.exe 5092 ping.exe 4940 ping.exe 3828 ping.exe 3636 ping.exe 4200 ping.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1780 Gaara.exe 1780 Gaara.exe 1780 Gaara.exe 1780 Gaara.exe 1780 Gaara.exe 1780 Gaara.exe 1780 Gaara.exe 1780 Gaara.exe 1780 Gaara.exe 1780 Gaara.exe 1780 Gaara.exe 1780 Gaara.exe 1780 Gaara.exe 1780 Gaara.exe 1780 Gaara.exe 1780 Gaara.exe 1780 Gaara.exe 1780 Gaara.exe 1780 Gaara.exe 1780 Gaara.exe 1780 Gaara.exe 1780 Gaara.exe 1780 Gaara.exe 1780 Gaara.exe 1700 csrss.exe 1700 csrss.exe 1700 csrss.exe 1700 csrss.exe 1700 csrss.exe 1700 csrss.exe 1700 csrss.exe 1700 csrss.exe 1700 csrss.exe 1700 csrss.exe 1700 csrss.exe 1700 csrss.exe 1700 csrss.exe 1700 csrss.exe 1700 csrss.exe 1700 csrss.exe 1700 csrss.exe 1700 csrss.exe 1700 csrss.exe 1700 csrss.exe 1700 csrss.exe 1700 csrss.exe 1700 csrss.exe 1700 csrss.exe 1936 Kazekage.exe 1936 Kazekage.exe 1936 Kazekage.exe 1936 Kazekage.exe 1936 Kazekage.exe 1936 Kazekage.exe 1936 Kazekage.exe 1936 Kazekage.exe 1936 Kazekage.exe 1936 Kazekage.exe 1936 Kazekage.exe 1936 Kazekage.exe 1936 Kazekage.exe 1936 Kazekage.exe 1936 Kazekage.exe 1936 Kazekage.exe -
Suspicious use of SetWindowsHookEx 31 IoCs
pid Process 3796 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe 1812 smss.exe 4984 smss.exe 1780 Gaara.exe 4184 smss.exe 3952 Gaara.exe 1700 csrss.exe 2896 smss.exe 3400 Gaara.exe 4368 csrss.exe 1936 Kazekage.exe 3908 smss.exe 2964 Gaara.exe 1212 csrss.exe 4884 Kazekage.exe 1068 system32.exe 2480 smss.exe 4772 Gaara.exe 4112 csrss.exe 1080 Kazekage.exe 3944 system32.exe 2892 system32.exe 2844 Kazekage.exe 2324 system32.exe 1476 csrss.exe 1916 Kazekage.exe 1108 system32.exe 4532 Gaara.exe 4340 csrss.exe 3616 Kazekage.exe 3344 system32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3796 wrote to memory of 1812 3796 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe 88 PID 3796 wrote to memory of 1812 3796 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe 88 PID 3796 wrote to memory of 1812 3796 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe 88 PID 1812 wrote to memory of 4984 1812 smss.exe 89 PID 1812 wrote to memory of 4984 1812 smss.exe 89 PID 1812 wrote to memory of 4984 1812 smss.exe 89 PID 1812 wrote to memory of 1780 1812 smss.exe 90 PID 1812 wrote to memory of 1780 1812 smss.exe 90 PID 1812 wrote to memory of 1780 1812 smss.exe 90 PID 1780 wrote to memory of 4184 1780 Gaara.exe 91 PID 1780 wrote to memory of 4184 1780 Gaara.exe 91 PID 1780 wrote to memory of 4184 1780 Gaara.exe 91 PID 1780 wrote to memory of 3952 1780 Gaara.exe 92 PID 1780 wrote to memory of 3952 1780 Gaara.exe 92 PID 1780 wrote to memory of 3952 1780 Gaara.exe 92 PID 1780 wrote to memory of 1700 1780 Gaara.exe 93 PID 1780 wrote to memory of 1700 1780 Gaara.exe 93 PID 1780 wrote to memory of 1700 1780 Gaara.exe 93 PID 1700 wrote to memory of 2896 1700 csrss.exe 94 PID 1700 wrote to memory of 2896 1700 csrss.exe 94 PID 1700 wrote to memory of 2896 1700 csrss.exe 94 PID 1700 wrote to memory of 3400 1700 csrss.exe 95 PID 1700 wrote to memory of 3400 1700 csrss.exe 95 PID 1700 wrote to memory of 3400 1700 csrss.exe 95 PID 1700 wrote to memory of 4368 1700 csrss.exe 96 PID 1700 wrote to memory of 4368 1700 csrss.exe 96 PID 1700 wrote to memory of 4368 1700 csrss.exe 96 PID 1700 wrote to memory of 1936 1700 csrss.exe 97 PID 1700 wrote to memory of 1936 1700 csrss.exe 97 PID 1700 wrote to memory of 1936 1700 csrss.exe 97 PID 1936 wrote to memory of 3908 1936 Kazekage.exe 98 PID 1936 wrote to memory of 3908 1936 Kazekage.exe 98 PID 1936 wrote to memory of 3908 1936 Kazekage.exe 98 PID 1936 wrote to memory of 2964 1936 Kazekage.exe 99 PID 1936 wrote to memory of 2964 1936 Kazekage.exe 99 PID 1936 wrote to memory of 2964 1936 Kazekage.exe 99 PID 1936 wrote to memory of 1212 1936 Kazekage.exe 100 PID 1936 wrote to memory of 1212 1936 Kazekage.exe 100 PID 1936 wrote to memory of 1212 1936 Kazekage.exe 100 PID 1936 wrote to memory of 4884 1936 Kazekage.exe 101 PID 1936 wrote to memory of 4884 1936 Kazekage.exe 101 PID 1936 wrote to memory of 4884 1936 Kazekage.exe 101 PID 1936 wrote to memory of 1068 1936 Kazekage.exe 102 PID 1936 wrote to memory of 1068 1936 Kazekage.exe 102 PID 1936 wrote to memory of 1068 1936 Kazekage.exe 102 PID 1068 wrote to memory of 2480 1068 system32.exe 103 PID 1068 wrote to memory of 2480 1068 system32.exe 103 PID 1068 wrote to memory of 2480 1068 system32.exe 103 PID 1068 wrote to memory of 4772 1068 system32.exe 104 PID 1068 wrote to memory of 4772 1068 system32.exe 104 PID 1068 wrote to memory of 4772 1068 system32.exe 104 PID 1068 wrote to memory of 4112 1068 system32.exe 107 PID 1068 wrote to memory of 4112 1068 system32.exe 107 PID 1068 wrote to memory of 4112 1068 system32.exe 107 PID 1068 wrote to memory of 1080 1068 system32.exe 108 PID 1068 wrote to memory of 1080 1068 system32.exe 108 PID 1068 wrote to memory of 1080 1068 system32.exe 108 PID 1068 wrote to memory of 3944 1068 system32.exe 109 PID 1068 wrote to memory of 3944 1068 system32.exe 109 PID 1068 wrote to memory of 3944 1068 system32.exe 109 PID 1700 wrote to memory of 2892 1700 csrss.exe 110 PID 1700 wrote to memory of 2892 1700 csrss.exe 110 PID 1700 wrote to memory of 2892 1700 csrss.exe 110 PID 1780 wrote to memory of 2844 1780 Gaara.exe 111 -
System policy modification 1 TTPs 12 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe"C:\Users\Admin\AppData\Local\Temp\5bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cadN.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3796 -
C:\Windows\Fonts\Admin 19 - 9 - 2024\smss.exe"C:\Windows\Fonts\Admin 19 - 9 - 2024\smss.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1812 -
C:\Windows\Fonts\Admin 19 - 9 - 2024\smss.exe"C:\Windows\Fonts\Admin 19 - 9 - 2024\smss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4984
-
-
C:\Windows\Fonts\Admin 19 - 9 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 19 - 9 - 2024\Gaara.exe"3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1780 -
C:\Windows\Fonts\Admin 19 - 9 - 2024\smss.exe"C:\Windows\Fonts\Admin 19 - 9 - 2024\smss.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4184
-
-
C:\Windows\Fonts\Admin 19 - 9 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 19 - 9 - 2024\Gaara.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3952
-
-
C:\Windows\Fonts\Admin 19 - 9 - 2024\csrss.exe"C:\Windows\Fonts\Admin 19 - 9 - 2024\csrss.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1700 -
C:\Windows\Fonts\Admin 19 - 9 - 2024\smss.exe"C:\Windows\Fonts\Admin 19 - 9 - 2024\smss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2896
-
-
C:\Windows\Fonts\Admin 19 - 9 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 19 - 9 - 2024\Gaara.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3400
-
-
C:\Windows\Fonts\Admin 19 - 9 - 2024\csrss.exe"C:\Windows\Fonts\Admin 19 - 9 - 2024\csrss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4368
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1936 -
C:\Windows\Fonts\Admin 19 - 9 - 2024\smss.exe"C:\Windows\Fonts\Admin 19 - 9 - 2024\smss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3908
-
-
C:\Windows\Fonts\Admin 19 - 9 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 19 - 9 - 2024\Gaara.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2964
-
-
C:\Windows\Fonts\Admin 19 - 9 - 2024\csrss.exe"C:\Windows\Fonts\Admin 19 - 9 - 2024\csrss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1212
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4884
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1068 -
C:\Windows\Fonts\Admin 19 - 9 - 2024\smss.exe"C:\Windows\Fonts\Admin 19 - 9 - 2024\smss.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2480
-
-
C:\Windows\Fonts\Admin 19 - 9 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 19 - 9 - 2024\Gaara.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4772
-
-
C:\Windows\Fonts\Admin 19 - 9 - 2024\csrss.exe"C:\Windows\Fonts\Admin 19 - 9 - 2024\csrss.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4112
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1080
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3944
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4940
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2268
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3636
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2128
-
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3224
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3536
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4476
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2192
-
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2892
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4680
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3884
-
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2844
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2324
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4200
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1628
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3800
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4340
-
-
-
C:\Windows\Fonts\Admin 19 - 9 - 2024\csrss.exe"C:\Windows\Fonts\Admin 19 - 9 - 2024\csrss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1476
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1916
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1108
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4204
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5092
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3828
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3808
-
-
-
C:\Windows\Fonts\Admin 19 - 9 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 19 - 9 - 2024\Gaara.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4532
-
-
C:\Windows\Fonts\Admin 19 - 9 - 2024\csrss.exe"C:\Windows\Fonts\Admin 19 - 9 - 2024\csrss.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4340
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3616
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3344
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4280
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4772
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4360
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4352
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Disable or Modify Tools
1Modify Registry
8Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
736B
MD5bb5d6abdf8d0948ac6895ce7fdfbc151
SHA19266b7a247a4685892197194d2b9b86c8f6dddbd
SHA2565db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c
-
Filesize
196B
MD51564dfe69ffed40950e5cb644e0894d1
SHA1201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA51272df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097
-
Filesize
148KB
MD54a864b70ad0743841a9f08234d17a115
SHA1aadd7efd1e1037a9631f18d4c3a18b55f0353bbb
SHA25690a223aac0407aa3abac05ce007f012040a873f718909294ccad0a69f578fd9e
SHA5124586cf898ad0368fe2195f6f0b0e419e82b40f3efc813533730ed75e64c7879041c77608a65ae7e85523730b7a15eda9c8a7bfe5dac5b786d41ac41f4d4338ad
-
Filesize
148KB
MD557703a155f9702db14ee8a2b78fcf080
SHA196e38ed8c3717cda62e0d7ab2ae1f11462a359b8
SHA2565bafd79df47f5f307f726bd0830bb419666d89b2ae597b88ad5d21c5da458cad
SHA51257fd4db79ee156ed12d58fb508207d2d4c217e9bba7075f02e20537a74db83564988a0f4ce993f2b2c5cedfa370ece0f8c727bab6c389522404442092df95de0
-
Filesize
148KB
MD5f67639436482388b67ba741f4548c1cd
SHA1859e1110b78c3fd38620fc12561d939a8831a3cc
SHA25626df49ba7cbe10369b9c5082397988c51d4bf049abefefc6bfec5f40cdc5c2da
SHA512d5a9902ce6f4864dd879e6a0e4a7fd44b402470c93e50437a739acddfa2d607a01d18dd991e0ef0d808d2aebf6ad352eee802a22afcb8e0746a4433f3152b478
-
Filesize
148KB
MD52d3ffac629eb6c61fb6e5a83d5511d48
SHA1e7564e07801e69c4d7eb65fc51401a48d2dd23e2
SHA2564509288a9e316acbe255aaf276976c1df1b4b7cfa95ea800c7037d5bc8c0d74a
SHA512c34dd077fca548379a51728975999b5c7293a673f24c8c8a89fcb40a517080a08ec805a4aeb04f696744e1d161a2e223f7412c402e997215f727ff3c40636c58
-
Filesize
148KB
MD50b12547796494de8b3db2f82740c65ff
SHA1a906fd9876703c7726c9074db21aeb4f33e543b3
SHA2568bf39dfc025045c0d329021034836d0ed569e91287d755bc14f6b4b040060fdb
SHA512c7008e23331200a7ac616593c404db3c09d23217a4559d72f1ec5eb2673a7a6451ca3c427a8c841150684a9ac3bff201b4cafcf4b5e8da4afa81eeb2cfeb43b3
-
Filesize
1.4MB
MD5d6b05020d4a0ec2a3a8b687099e335df
SHA1df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA2569824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA51278fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff
-
Filesize
148KB
MD52d2113ecf6fc7eccc32ccdb5149a6ba9
SHA1eb496930a4827922b4e0fd758d7479d95678c320
SHA2564e3fbbf6c2b15a0f6fb15e6ddab27347253c465a7f4a915779ef2563074f2430
SHA512f3c973a3c81bdbb1430125187d262513e199f351f926ad862f571b042b3fbd77b7952088f1c8e8c4a609cbf396235dcceb63415008252dc2fd63b15304387cfc
-
Filesize
148KB
MD59a87cf432672f36e894ac04f904515c2
SHA10d3d9324b0f663fb241ab9df20b7d640ec30d689
SHA256e75e36758db67e0a38c406d5a1127ef083ebe73e59efc27bc7551cb06b9bc673
SHA5126e6a9f4204482cbad3c3a61bca17c9299aee10bb573ea45ef408e286715a36f92f2bb5c8b43519a0ad7ca50617fd427b48b13d714d483efdff494b5068e4afe8
-
Filesize
148KB
MD534d1c7ea1f92e935fb9bca237b3c61ff
SHA12be14b7ed11f030df81d30af86b8656c3a6a67c8
SHA25678c08ef9ba127fbd1bc0dbe731d447e0f7b9c5008352bf1bddc6b5babb6917a8
SHA512afc765f93e85e6c059da43f1c50b683e58ebc700860f2f369231559e8b718e74361e5c545a8a12b02d88905991fbf2fe2b7f7cf3fea6b4147a56359be47504c9
-
Filesize
148KB
MD56c392b2c2f8372fb95e2e60a775eb60b
SHA1bfeb6bd23da4665b68940358dade1b3a15c5c560
SHA2565901192858d35da5eb3a4704405e59d804cea651bc5e2bd563e2949a3e0521e4
SHA5120e3395b963fd706979ec413dbc03d04b57b530738107151410fb0f76f4dd780e4c57490bd5fafaa4a2ed4a443a9040e396c0eac8b17700a548d2ca9afb648749
-
Filesize
148KB
MD571b5d8e9a4c10dac24900fc4bf40d013
SHA1fca2ee48dbf99e1f970b957c9194303f05bb8a8c
SHA256e91c74874fb90ee95dab5de9dfd205949e78ff8405d346a3213ef56dd469083e
SHA51226617df37c2600682e985123b85a2c3379e83d3e2e63787433fe134936e55ca5bd4bfef9e6942cb8fb103845e07147718aa51ca7fc56f24c1ecfcced85f14230
-
Filesize
65B
MD564acfa7e03b01f48294cf30d201a0026
SHA110facd995b38a095f30b4a800fa454c0bcbf8438
SHA256ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA51265a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a
-
Filesize
148KB
MD5c62f59c9fb5541b827b6acceeb303c5f
SHA1e02e32e3ea93146a4f7010d62743ab2eaa3bc1b3
SHA256e0f2d5369ba6e018718835435976510aeb2b3b0ca5ea68f0091b6b73d7555dfc
SHA512019e7c27205243cb3d566cdda7c379f81df307734b38ecbfecfed707cb2e6612cd0a7a9534607e3f5ec5ec361a6f730cca8316a86b111feb5811c19936dad3f0
-
Filesize
148KB
MD5880ad70f2c634630e140ac25658d3ff1
SHA1fecbcbf199c7296b2d47903a09ee0a5cd2a082c1
SHA2563ea97eb162970043fcbee4fac4761306d19fe04d558d5900b660bb947aa6bf1c
SHA51275691f70626a3b3b37129a5bd1272c95ea04bb440bed55e0bc24a41c5d8fd995f2eb4cd0ac5a933eab83040cf06a45eaa5f36121163813fbdcc73c8eb9864d2a
-
Filesize
148KB
MD53e1d2f5ee074df0b814cd3b4e3d00bb2
SHA16c0692b0ee7680ab51ea299546a6e6758e8fcca0
SHA256849bb34944bc29eff50de5a1da238235058215ca7607f5c9af3fec4dd8c8f19b
SHA512a7c6cdc904b889915cd91ca7f07a0d0d5a86b58fcb8740d8bee65a4df7e3fcd2e15af3ab831d7be9e246a2d45f577611adae798f4dabc942802e04b1d2a97be0
-
Filesize
148KB
MD5c7a1091f5c757c088892438d8ad33786
SHA1a3327fdcf7e57483979c2a7b37932d86b4c16e5c
SHA256e5fba969b45a160be6fc198aa5dd446049c1e4ff4b78a25d91ca383101a4fc98
SHA512eac8b32cef083b30c0e9db2c435786ccb42232bde6876acc5823d18f2cb380bb767d444c150214d94f5847a255daeb330f1683251a42f3942e5b3b0e8c299d02
-
Filesize
148KB
MD513f69b79881f57b4ce2aa38eb51e702c
SHA120263969cec9225e032907f0a6e9f66ab7fbdc82
SHA2564cfc5ef3d39c98ecae9a3c0242e83e2f79db121ecffafcd37567e1b81b4fba6d
SHA51273adfe38e31c175bade04cf530f37d8c9bb5b6a953dff1f7a40f5e2a42752189d1e4527f32eea3b62bbb0ec24ced21513abec56a8ac27e4a936873d504e4387b
-
Filesize
148KB
MD5668f3761580b883e7e41ac2490c0e789
SHA1c28b1183561b1c5b6f2d1febfb74703609f45c71
SHA2569e8825727f0567e90bd502fd6742cb4552acbe7b996320597a9efc06c3e2b390
SHA512a080551838f3cd910211cf9a859bf1548163ad389b26d0e02bd393512c72c57fd62c03ed6f51007c9cd2932f108b48ec2eb1800b8799b79689a8c1c442abf354
-
Filesize
148KB
MD5f917968c4727008e9886c2bc46ced18f
SHA17b932b4b60c17f1f69af5243211166a9fb3826ae
SHA256fd3dc32b18f5e8ad8673f05e94a94322a2bd502c4b671573dff9fdffe1908e4e
SHA512665a8d28155a4b84bf84d2c677b35bae003fcc31c063800a81673b0c8bea748b98acfab71714144711b3716a6e8b33ac9d0a497b95a4ebe18f179c9b0c9879a0
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
