Analysis
max time kernel: 118s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 28/09/2024, 03:10
Static task: static1
Behavioral task: behavioral1
  Sample: df1f62e015a7c982533a5f465be7cbee8106eff77cad5cf6f28dedda80962dc5N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: df1f62e015a7c982533a5f465be7cbee8106eff77cad5cf6f28dedda80962dc5N.exe
  Resource: win10v2004-20240802-en
General
Target: df1f62e015a7c982533a5f465be7cbee8106eff77cad5cf6f28dedda80962dc5N.exe
Size: 148KB
MD5: e8fe656d60144a6e8292ec3dfb17bce0
SHA1: 4cec6d4bad77820be8c7a08ca8fbda0fde1eddb0
SHA256: df1f62e015a7c982533a5f465be7cbee8106eff77cad5cf6f28dedda80962dc5
SHA512: 249b98000575509adca25aeb0e566471edba5ea9a2587213ee991a5c6f2a82d4ba9eb67eada15b97cde2b1eeba85e9e61809355aba83609cc4d24851f8ddd581
SSDEEP: 1536:tJo0IHgL2AHfb1mzaFXg+xsukl4Y17jsgS/jHagQNuXGpeVTV:bx6AHjYzaFXg+w17jsgS/jHagQg19V
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | df1f62e015a7c982533a5f465be7cbee8106eff77cad5cf6f28dedda80962dc5N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | df1f62e015a7c982533a5f465be7cbee8106eff77cad5cf6f28dedda80962dc5N.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | df1f62e015a7c982533a5f465be7cbee8106eff77cad5cf6f28dedda80962dc5N.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Kazekage.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | df1f62e015a7c982533a5f465be7cbee8106eff77cad5cf6f28dedda80962dc5N.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | system32.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | df1f62e015a7c982533a5f465be7cbee8106eff77cad5cf6f28dedda80962dc5N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Disables RegEdit via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | df1f62e015a7c982533a5f465be7cbee8106eff77cad5cf6f28dedda80962dc5N.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | system32.exe
Disables use of System Restore points (1 TTPs)
Drops file in Drivers directory (20 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | df1f62e015a7c982533a5f465be7cbee8106eff77cad5cf6f28dedda80962dc5N.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | df1f62e015a7c982533a5f465be7cbee8106eff77cad5cf6f28dedda80962dc5N.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | df1f62e015a7c982533a5f465be7cbee8106eff77cad5cf6f28dedda80962dc5N.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | df1f62e015a7c982533a5f465be7cbee8106eff77cad5cf6f28dedda80962dc5N.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
Event Triggered Execution: Image File Execution Options Injection (1 TTPs, 64 IoCs)
Executes dropped EXE (30 IoCs)
pid | Process
2720 | smss.exe
568 | smss.exe
2644 | Gaara.exe
2144 | smss.exe
1528 | Gaara.exe
1644 | csrss.exe
1340 | smss.exe
2996 | Gaara.exe
2452 | csrss.exe
2484 | Kazekage.exe
1048 | smss.exe
1684 | Gaara.exe
2004 | csrss.exe
988 | Kazekage.exe
2468 | system32.exe
2040 | smss.exe
1692 | Gaara.exe
1720 | csrss.exe
868 | Kazekage.exe
2260 | system32.exe
2012 | system32.exe
2108 | Kazekage.exe
2664 | system32.exe
1908 | csrss.exe
2100 | Kazekage.exe
1220 | system32.exe
1200 | Gaara.exe
888 | csrss.exe
2396 | Kazekage.exe
2860 | system32.exe
Loads dropped DLL (64 IoCs)
Adds Run key to start application (2 TTPs, 24 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 28 - 9 - 2024\\Gaara.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 28 - 9 - 2024\\smss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 28 - 9 - 2024\\Gaara.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "28-9-2024.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "28-9-2024.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 28 - 9 - 2024\\smss.exe" | df1f62e015a7c982533a5f465be7cbee8106eff77cad5cf6f28dedda80962dc5N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | df1f62e015a7c982533a5f465be7cbee8106eff77cad5cf6f28dedda80962dc5N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 28 - 9 - 2024\\smss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 28 - 9 - 2024\\Gaara.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 28 - 9 - 2024\\smss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 28 - 9 - 2024\\smss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 28 - 9 - 2024\\Gaara.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "28-9-2024.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "28-9-2024.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 28 - 9 - 2024\\Gaara.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 28 - 9 - 2024\\Gaara.exe" | df1f62e015a7c982533a5f465be7cbee8106eff77cad5cf6f28dedda80962dc5N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "28-9-2024.exe" | df1f62e015a7c982533a5f465be7cbee8106eff77cad5cf6f28dedda80962dc5N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "28-9-2024.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 28 - 9 - 2024\\smss.exe" | Kazekage.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | df1f62e015a7c982533a5f465be7cbee8106eff77cad5cf6f28dedda80962dc5N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Drops desktop.ini file(s) (64 IoCs)
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory 30 IoCs
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
Drops file in Windows directory 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 47 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 16 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Modifies Control Panel 64 IoCs
Modifies registry class 48 IoCs
Runs ping.exe 1 TTPs 16 IoCs
pid Process
1824 ping.exe
1528 ping.exe
2244 ping.exe
1632 ping.exe
2120 ping.exe
2440 ping.exe
1020 ping.exe
2924 ping.exe
1508 ping.exe
1496 ping.exe
752 ping.exe
568 ping.exe
3056 ping.exe
1712 ping.exe
764 ping.exe
2012 ping.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process (number of hits)
2844 df1f62e015a7c982533a5f465be7cbee8106eff77cad5cf6f28dedda80962dc5N.exe (12)
2720 smss.exe (12)
2644 Gaara.exe (12)
1644 csrss.exe (12)
2484 Kazekage.exe (12)
2468 system32.exe (4)
-
Suspicious use of SetWindowsHookEx 31 IoCs
pid Process
2844 df1f62e015a7c982533a5f465be7cbee8106eff77cad5cf6f28dedda80962dc5N.exe
2720 smss.exe
568 smss.exe
2644 Gaara.exe
2144 smss.exe
1528 Gaara.exe
1644 csrss.exe
1340 smss.exe
2996 Gaara.exe
2452 csrss.exe
2484 Kazekage.exe
1048 smss.exe
1684 Gaara.exe
2004 csrss.exe
988 Kazekage.exe
2468 system32.exe
2040 smss.exe
1692 Gaara.exe
1720 csrss.exe
868 Kazekage.exe
2260 system32.exe
2012 system32.exe
2108 Kazekage.exe
2664 system32.exe
1908 csrss.exe
2100 Kazekage.exe
1220 system32.exe
1200 Gaara.exe
888 csrss.exe
2396 Kazekage.exe
2860 system32.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target (each write was logged 4 times; 16 distinct parent/child pairs)
PID 2844 wrote to memory of 2720 2844 df1f62e015a7c982533a5f465be7cbee8106eff77cad5cf6f28dedda80962dc5N.exe 30
PID 2720 wrote to memory of 568 2720 smss.exe 31
PID 2720 wrote to memory of 2644 2720 smss.exe 32
PID 2644 wrote to memory of 2144 2644 Gaara.exe 33
PID 2644 wrote to memory of 1528 2644 Gaara.exe 34
PID 2644 wrote to memory of 1644 2644 Gaara.exe 35
PID 1644 wrote to memory of 1340 1644 csrss.exe 36
PID 1644 wrote to memory of 2996 1644 csrss.exe 37
PID 1644 wrote to memory of 2452 1644 csrss.exe 38
PID 1644 wrote to memory of 2484 1644 csrss.exe 39
PID 2484 wrote to memory of 1048 2484 Kazekage.exe 40
PID 2484 wrote to memory of 1684 2484 Kazekage.exe 41
PID 2484 wrote to memory of 2004 2484 Kazekage.exe 42
PID 2484 wrote to memory of 988 2484 Kazekage.exe 43
PID 2484 wrote to memory of 2468 2484 Kazekage.exe 44
PID 2468 wrote to memory of 2040 2468 system32.exe 45
-
System policy modification 1 TTPs 12 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System system32.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" df1f62e015a7c982533a5f465be7cbee8106eff77cad5cf6f28dedda80962dc5N.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Gaara.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Kazekage.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System df1f62e015a7c982533a5f465be7cbee8106eff77cad5cf6f28dedda80962dc5N.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe
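The registry writes listed above are the cheapest part of this report to confirm on a suspect host: the VBSFile Open/Open2/Edit verbs are pointed at calc.exe (so opening any .vbs launches the calculator instead of the script host), the inffile Install verb is replaced with an immediate forced reboot (shutdown -r -f -t 0), EnableLUA is cleared (UAC off after the next reboot), and the process tree flags Winlogon persistence. The following read-only PowerShell triage is an added example written for this page, not part of the sandbox report or of the sample. The Expect strings are an assumption (defaults of a stock 64-bit Windows install); confirm them on a known-good host of the same build before treating a plain mismatch as malicious. Run it as Administrator on PowerShell 3 or later.

```powershell
# Added example, not from the sandbox report: read-only triage of the registry
# locations the report lists under "Modifies registry class", "System policy
# modification" and "Modifies WinLogon for persistence".
# Assumption: Expect values are stock 64-bit Windows defaults; verify on a clean host.

$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';             Name = 'Userinit';  Expect = 'C:\Windows\system32\userinit.exe,' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';             Name = 'Shell';     Expect = 'explorer.exe' }
    # a 32-bit sample writes the WOW64 view of Winlogon, so that view is checked as well
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit';  Expect = 'C:\Windows\system32\userinit.exe,' }
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';     Expect = 'explorer.exe' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';         Name = 'EnableLUA'; Expect = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Classes\VBSFile\Shell\Open\Command';                       Name = '(default)'; Expect = '"%SystemRoot%\System32\WScript.exe" "%1" %*' }
    @{ Path = 'HKLM:\SOFTWARE\Classes\VBSFile\Shell\Open2\Command';                      Name = '(default)'; Expect = '"%SystemRoot%\System32\CScript.exe" "%1" %*' }
    @{ Path = 'HKLM:\SOFTWARE\Classes\VBSFile\Shell\Edit\Command';                       Name = '(default)'; Expect = '"%SystemRoot%\System32\Notepad.exe" %1' }
    @{ Path = 'HKLM:\SOFTWARE\Classes\inffile\shell\Install\command';                    Name = '(default)'; Expect = '%SystemRoot%\System32\InfDefaultInstall.exe "%1"' }
)

# Substrings the report shows being written. Any of them in these values is a hit
# regardless of what the local default happens to be.
$iocMarkers = @('calc.exe', 'shutdown -r -f -t 0', 'drivers\Kazekage.exe', 'drivers\system32.exe')

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # $null when the key or value is absent, instead of a terminating error
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-ReportRegistryIocs {
    foreach ($c in $checks) {
        $actual = Get-RegValue -Path $c.Path -Name $c.Name
        $text   = [string]$actual

        # Status: absent (key/value missing), default, modified, or IOC (matches the report)
        $status = 'modified'
        if ($null -eq $actual) { $status = 'absent' } elseif ($text -eq [string]$c.Expect) { $status = 'default' }
        if ($iocMarkers | Where-Object { $text -like "*$_*" }) { $status = 'IOC' }
        if ($c.Name -eq 'EnableLUA' -and $null -ne $actual -and [int]$actual -eq 0) { $status = 'IOC' }

        [pscustomobject]@{
            Status   = $status
            Key      = $c.Path
            Value    = $c.Name
            Actual   = $text
            Expected = [string]$c.Expect
        }
    }
}

Test-ReportRegistryIocs | Sort-Object Status | Format-Table -AutoSize -Wrap
```

Anything reported as IOC reproduces a write from this report; "modified" rows need a comparison against a clean reference host before they mean anything, since OEM images and script-host replacements legitimately change some of these defaults.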
Processes
-
C:\Users\Admin\AppData\Local\Temp\df1f62e015a7c982533a5f465be7cbee8106eff77cad5cf6f28dedda80962dc5N.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\df1f62e015a7c982533a5f465be7cbee8106eff77cad5cf6f28dedda80962dc5N.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2844 -
C:\Windows\Fonts\Admin 28 - 9 - 2024\smss.exe (depth 2)
Command line: "C:\Windows\Fonts\Admin 28 - 9 - 2024\smss.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2720 -
C:\Windows\Fonts\Admin 28 - 9 - 2024\smss.exe (depth 3)
Command line: "C:\Windows\Fonts\Admin 28 - 9 - 2024\smss.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:568
-
-
C:\Windows\Fonts\Admin 28 - 9 - 2024\Gaara.exe (depth 3)
Command line: "C:\Windows\Fonts\Admin 28 - 9 - 2024\Gaara.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2644 -
C:\Windows\Fonts\Admin 28 - 9 - 2024\smss.exe (depth 4)
Command line: "C:\Windows\Fonts\Admin 28 - 9 - 2024\smss.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2144
-
-
C:\Windows\Fonts\Admin 28 - 9 - 2024\Gaara.exe (depth 4)
Command line: "C:\Windows\Fonts\Admin 28 - 9 - 2024\Gaara.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1528
-
-
C:\Windows\Fonts\Admin 28 - 9 - 2024\csrss.exe (depth 4)
Command line: "C:\Windows\Fonts\Admin 28 - 9 - 2024\csrss.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1644 -
C:\Windows\Fonts\Admin 28 - 9 - 2024\smss.exe (depth 5)
Command line: "C:\Windows\Fonts\Admin 28 - 9 - 2024\smss.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1340
-
-
C:\Windows\Fonts\Admin 28 - 9 - 2024\Gaara.exe (depth 5)
Command line: "C:\Windows\Fonts\Admin 28 - 9 - 2024\Gaara.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2996
-
-
C:\Windows\Fonts\Admin 28 - 9 - 2024\csrss.exe (depth 5)
Command line: "C:\Windows\Fonts\Admin 28 - 9 - 2024\csrss.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2452
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exe (depth 5)
Command line: C:\Windows\system32\drivers\Kazekage.exe
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2484 -
C:\Windows\Fonts\Admin 28 - 9 - 2024\smss.exe (depth 6)
Command line: "C:\Windows\Fonts\Admin 28 - 9 - 2024\smss.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1048
-
-
C:\Windows\Fonts\Admin 28 - 9 - 2024\Gaara.exe (depth 6)
Command line: "C:\Windows\Fonts\Admin 28 - 9 - 2024\Gaara.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1684
-
-
C:\Windows\Fonts\Admin 28 - 9 - 2024\csrss.exe (depth 6)
Command line: "C:\Windows\Fonts\Admin 28 - 9 - 2024\csrss.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2004
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exe (depth 6)
Command line: C:\Windows\system32\drivers\Kazekage.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:988
-
-
C:\Windows\SysWOW64\drivers\system32.exe (depth 6)
Command line: C:\Windows\system32\drivers\system32.exe
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2468 -
C:\Windows\Fonts\Admin 28 - 9 - 2024\smss.exe (depth 7)
Command line: "C:\Windows\Fonts\Admin 28 - 9 - 2024\smss.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2040
-
-
C:\Windows\Fonts\Admin 28 - 9 - 2024\Gaara.exe (depth 7)
Command line: "C:\Windows\Fonts\Admin 28 - 9 - 2024\Gaara.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1692
-
-
C:\Windows\Fonts\Admin 28 - 9 - 2024\csrss.exe (depth 7)
Command line: "C:\Windows\Fonts\Admin 28 - 9 - 2024\csrss.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1720
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exe (depth 7)
Command line: C:\Windows\system32\drivers\Kazekage.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:868
-
-
C:\Windows\SysWOW64\drivers\system32.exe (depth 7)
Command line: C:\Windows\system32\drivers\system32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2260
-
-
C:\Windows\SysWOW64\ping.exe (depth 7)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1632
-
-
C:\Windows\SysWOW64\ping.exe (depth 7)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1712
-
-
C:\Windows\SysWOW64\ping.exe (depth 7)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1496
-
-
C:\Windows\SysWOW64\ping.exe (depth 7)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1508
-
-
-
C:\Windows\SysWOW64\ping.exe (depth 6)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2244
-
-
C:\Windows\SysWOW64\ping.exe (depth 6)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2440
-
-
C:\Windows\SysWOW64\ping.exe (depth 6)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2012
-
-
C:\Windows\SysWOW64\ping.exe (depth 6)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:752
-
-
-
C:\Windows\SysWOW64\drivers\system32.exe (depth 5)
Command line: C:\Windows\system32\drivers\system32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2012
-
-
C:\Windows\SysWOW64\ping.exe (depth 5)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1824
-
-
C:\Windows\SysWOW64\ping.exe (depth 5)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2120
-
-
C:\Windows\SysWOW64\ping.exe (depth 5)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2924
-
-
C:\Windows\SysWOW64\ping.exe (depth 5)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1528
-
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exe (depth 4)
Command line: C:\Windows\system32\drivers\Kazekage.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2108
-
-
C:\Windows\SysWOW64\drivers\system32.exe (depth 4)
Command line: C:\Windows\system32\drivers\system32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2664
-
-
-
C:\Windows\Fonts\Admin 28 - 9 - 2024\csrss.exe (depth 3)
Command line: "C:\Windows\Fonts\Admin 28 - 9 - 2024\csrss.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1908
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exe (depth 3)
Command line: C:\Windows\system32\drivers\Kazekage.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2100
-
-
C:\Windows\SysWOW64\drivers\system32.exe (depth 3)
Command line: C:\Windows\system32\drivers\system32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1220
-
-
-
C:\Windows\Fonts\Admin 28 - 9 - 2024\Gaara.exe (depth 2)
Command line: "C:\Windows\Fonts\Admin 28 - 9 - 2024\Gaara.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1200
-
-
C:\Windows\Fonts\Admin 28 - 9 - 2024\csrss.exe (depth 2)
Command line: "C:\Windows\Fonts\Admin 28 - 9 - 2024\csrss.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:888
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exe (depth 2)
Command line: C:\Windows\system32\drivers\Kazekage.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2396
-
-
C:\Windows\SysWOW64\drivers\system32.exe (depth 2)
Command line: C:\Windows\system32\drivers\system32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2860
-
-
C:\Windows\SysWOW64\ping.exe (depth 2)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:568
-
-
C:\Windows\SysWOW64\ping.exe (depth 2)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3056
-
-
C:\Windows\SysWOW64\ping.exe (depth 2)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:764
-
-
C:\Windows\SysWOW64\ping.exe (depth 2)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1020
-
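The process tree gives a live-host hunt almost for free: every stage is a copy of smss.exe, csrss.exe or Gaara.exe running from a dated folder under C:\Windows\Fonts\, or Kazekage.exe / system32.exe running from the drivers directory, and each stage spawns ping.exe against the same two hostnames. Two details in the tree matter for the hunt. First, the image path is C:\Windows\SysWOW64\drivers\... while the command line says C:\Windows\system32\drivers\..., which is WOW64 file-system redirection of a 32-bit writer, so on a 64-bit host both drivers directories have to be checked. Second, in `ping -a -l www.rasasayang.com.my 65500` the hostname occupies the position where the -l switch expects a byte count, so the hunt below matches on the literal command line and does not depend on the pings having produced traffic. The script is an added example written for this page, not part of the sandbox report or of the sample; the Fonts subfolder name ("Admin 28 - 9 - 2024" here) is assumed to vary per victim and is therefore matched by location rather than by name. Run as Administrator on PowerShell 3 or later.

```powershell
# Added example, not from the sandbox report: hunt a live host for the files and
# processes the report's process tree shows.
# Assumption: the Fonts subfolder is named per victim, so any of the report's file
# names under Fonts is treated as a hit, not only "Admin 28 - 9 - 2024".

$fontsDir   = Join-Path $env:SystemRoot 'Fonts'
# A 32-bit process writing to System32\drivers is redirected to SysWOW64\drivers
# (the tree shows exactly that), so both locations are searched on 64-bit hosts.
$driverDirs = @((Join-Path $env:SystemRoot 'System32\drivers'),
                (Join-Path $env:SystemRoot 'SysWOW64\drivers'))
$dropNames  = @('smss.exe', 'csrss.exe', 'Gaara.exe', 'Kazekage.exe', 'system32.exe')
$pingHosts  = @('www.rasasayang.com.my', 'www.duniasex.com')

function Find-DroppedFiles {
    # Any executable under Fonts is abnormal; under drivers\ only the report's names count
    $hits = @()
    if (Test-Path $fontsDir) {
        $hits += @(Get-ChildItem -Path $fontsDir -Recurse -File -Filter '*.exe' -ErrorAction SilentlyContinue)
    }
    foreach ($dir in $driverDirs) {
        if (Test-Path $dir) {
            $hits += @(Get-ChildItem -Path $dir -File -Filter '*.exe' -ErrorAction SilentlyContinue |
                       Where-Object { $dropNames -contains $_.Name })
        }
    }
    $hits | Select-Object FullName, Length, LastWriteTime
}

function Find-SuspectProcesses {
    # Win32_Process carries ExecutablePath, CommandLine and ParentProcessId, which is
    # enough to rebuild the same parent/child chain the sandbox tree shows
    $procs = @(Get-CimInstance -ClassName Win32_Process)
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in $procs) {
        $path = [string]$p.ExecutablePath
        $cmd  = [string]$p.CommandLine
        $why  = $null
        if ($path -like "$fontsDir\*") {
            $why = 'executable running from Fonts'
        } elseif ($path -like '*\drivers\*.exe' -and $dropNames -contains $p.Name) {
            $why = 'report drop name running from drivers\'
        } elseif ($p.Name -eq 'ping.exe' -and ($pingHosts | Where-Object { $cmd -like "*$_*" })) {
            $why = 'ping.exe against a hostname from the report'
        }
        if (-not $why) { continue }

        $parent     = $byPid[[int]$p.ParentProcessId]
        $parentText = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { "exited ($($p.ParentProcessId))" }
        [pscustomobject]@{
            PID         = $p.ProcessId
            Image       = $path
            Parent      = $parentText
            Reason      = $why
            CommandLine = $cmd
        }
    }
}

Find-DroppedFiles     | Format-Table -AutoSize -Wrap
Find-SuspectProcesses | Format-Table -AutoSize -Wrap
```

Because the sample copies itself under the names of real system binaries (smss.exe, csrss.exe), the hunt keys on the image path, not the name: the genuine ones live in System32 and are never children of a process running from Fonts. Hash any hit against the Downloads list below before cleanup, since the dropped copies differ from the submitted file.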
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution 2
  - Registry Run Keys / Startup Folder 1
  - Winlogon Helper DLL 1
- Event Triggered Execution 1
  - Image File Execution Options Injection 1
Privilege Escalation
- Abuse Elevation Control Mechanism 1
  - Bypass User Account Control 1
- Boot or Logon Autostart Execution 2
  - Registry Run Keys / Startup Folder 1
  - Winlogon Helper DLL 1
- Event Triggered Execution 1
  - Image File Execution Options Injection 1
Defense Evasion
- Abuse Elevation Control Mechanism 1
  - Bypass User Account Control 1
- Hide Artifacts 2
  - Hidden Files and Directories 2
- Impair Defenses 1
  - Disable or Modify Tools 1
- Modify Registry 8
Downloads
-
Filesize
736B
MD5 bb5d6abdf8d0948ac6895ce7fdfbc151
SHA1 9266b7a247a4685892197194d2b9b86c8f6dddbd
SHA256 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c
-
Filesize
196B
MD5 1564dfe69ffed40950e5cb644e0894d1
SHA1 201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256 be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA512 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097
-
Filesize
148KB
MD5 76b5f532f310cce0ab71b982723495bf
SHA1 18cad7bec2c278d6661491d89f7201b092b02874
SHA256 600cb1fb8b6065e9e06c4e673e7b3c1a3ff424a20d62c1758e9ec24b0a8ca8a6
SHA512 58d2fb13b2bf8f9f0c433de09a3bb7ff83dbc7d3dbe32632ad70f5f1977c8235cc3c7b19a42d138f0e63c4d819da88a98c40b2fb32dba4876a1d21987f27f327
-
Filesize
148KB
MD5 be63e213eba6bdfdca9d3afda95caff1
SHA1 75df61bb3bd8911cfd96ab958359c5a60f8829f6
SHA256 e26ad723e4cb97e6033d08cec2ac4b14667fe7ac79e8cbae8ea559d30d1f9b2b
SHA512 8a3b5bcdc51e2b9744c86541a13fcd304732fe5a562e593b4bdf2de0eb41a70f24e0643996e3f143beb422ef1e16b17c2cb3cb1604be4076f55dc5d420c397e5
-
Filesize
148KB
MD5 9af41cb351f5d25f12a2db8118026320
SHA1 fde46d480d6bd65973709789bc8cb94cde233e0e
SHA256 c132bc9731733dc915f39cf6410d5569a0a13d9b3e941a00dedd64752192ff54
SHA512 a24bea53e5962d41d97e4375ec0bd081fe76acbc5e474d7002c449c7336ebc47d4ea90be500e61225560eafc4636c3191b31634423a9518c08e4f210b604d1d1
-
Filesize
1.4MB
MD5 d6b05020d4a0ec2a3a8b687099e335df
SHA1 df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA512 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff
-
Filesize
148KB
MD5 c25ef00c34053e5d397488785a191c05
SHA1 f81358f8c11e98c85873bc166ed74dbc2eafd89e
SHA256 31014bc2fca5f08070d9ca1af907d176bc54055048517e6124938231e750a683
SHA512 c7323b4acbc91ebf815ac147fd53292ecc56d0657bee9f0293f6490aa99afee59f1f4dca2b39cf9e8d759018aa2f825b58bc121c857bc518bf47937ef7d68453
-
Filesize
148KB
MD5 9ec71d6ac94950f9c056ddbe52a977a7
SHA1 46dd9229323b708d0ca5bebb7ccb129a51023a1c
SHA256 5e2697e8951fe96fa6c3b4399d7106ea5384e0079bc68c8f9881bb7b57a66189
SHA512 2866e17eb4f39293b77e1e48c45f3dc66b7104a1ed05fc5e818c2bc0fd5622151cd82d0067e6c590fab0f9515edfbb39128a84facb36b99594d6af1ac3f995e2
-
Filesize
148KB
MD5 decb4a5f6be959e7a176a7cdf917df54
SHA1 fe6437e5f54da3e2025c3e8876ae32b6311ed59c
SHA256 9afc605b925399aff9f5e938c1afd88052a30c327474c10e3ddbc22e9da5eb80
SHA512 eeb01e845180d1d455d65d29f3364506e577da4d296b8f09c96fb0726f35c3f9e5384f90b27c93ede5e6317b493402a228133cfa44c48a36b657ada42fd5dbcc
-
Filesize
65B
MD5 64acfa7e03b01f48294cf30d201a0026
SHA1 10facd995b38a095f30b4a800fa454c0bcbf8438
SHA256 ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA512 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a
-
Filesize
148KB
MD5 c04441b13a723e0086594ad86dcd9288
SHA1 5b63eb5e68305de4ff68dfbad77ee7425f9c8776
SHA256 b1f45a1b9bb0577ca7183cfe63d46ddeba154dbe60309fffb6721c6696f1ab33
SHA512 90895ca20e4bbc8ebe5ed687057dfee0408e91eef3b80315d5dad30d3fd39e3b90a3d08d5b696033baffcf5e2c8d9d20e70b4d0f90296c14f421c13132055d53
-
Filesize
148KB
MD5 01f1e1141514563a2c794c03980056cc
SHA1 3e7535e531cc6ab29ff1d00b4e8b16d7ee40a2b6
SHA256 a79683f27d64b253e144c85ad427710aa519601a0741509067d62c58231c4db4
SHA512 f6dfd8dd4df79f1f682b695df37ebeae67b22df39428493e0e53a606fed7ac62ee25a63f2062e0a875e4627195eddb99e944e799df8042cc92e9f476e227d0d8
-
Filesize
148KB
MD5 35e48ddc90c77d1ef7e69fb98a9be71a
SHA1 2daca406a72d94b43cdec16fc2db5ba43ff451f9
SHA256 65628d15fb977c45d68b086429fc31077f1d143fd103bbccfb1a082e9deabae0
SHA512 f1fcfa0de7d4c917ea117a3b7112f9ffd8b7bded3f9b87386bf02b3fa147790a40aa87fca7902f68e39a7fd4c8dfa285dec467f3c0ea47cebacbaed1a800b6ee
-
Filesize
148KB
MD5 5a7e4a05efff157761efb02d671db1a6
SHA1 d168970543cf044cff75344489c405fc89f5958d
SHA256 bfbabf9822a1e125ef191042efcc3062e0051b8f91f6ded186b0bace7942e5b6
SHA512 41f4ce5dec8256477e21ee3e1ea5d8f8f393cedda66146ac1612c586e6983fed566fc394c6990935774f354dfcbf4b40c1a3bb5e4ccf0915673517969674d042
-
Filesize
148KB
MD5 2cc6b6707710e411941198d455ab8a52
SHA1 e1709048665f98a4d10c937d0a9eefb6e30a2675
SHA256 45bb40c4b199b2845d5f0cbbc03356b715f42cd9196b87dd570f8aaa7e90f023
SHA512 ec884ce43dfacef5ca04399bda769c8af7af7e84e951edbecb242151f412fd0c34383c130e5495099051d5001d5f6f04e56a0c9c0b88ec3972c48cfd62cad3e6
-
Filesize
148KB
MD5 51cf7060d33d454f39fe7f40b4876413
SHA1 3a6fb6b5b6a3701134b6898b0fe4bc237631123c
SHA256 ab57a992feb44c1df1389ef4eebbe901f32e2223d9de9d3d334fda17ee014fa6
SHA512 10ea1a9bc72573dce43d327177c54535be6c5fd99fd7020e8609c7dfe0555467a10a2e0281c9d4379d841383b9a358ff14861315d9ab4f4c4da6830439170872
-
Filesize
148KB
MD5 50cc521d6f877e60429382b00dfb7b59
SHA1 fdbd7140079a3ffe052c7da93789e89e53fa514b
SHA256 b8afb891a2c8f7d5177b015054a3c89ede0393dad3ed9a9149c8eb102002e68b
SHA512 111c6660e13e2b9398a0613afe130b1a7bb158852a8e0b21cfa9de2ec715ef5adb650c17bcf23e66d9ba38a8f755eff64578dbc40c7bdc513ffa189587babac2
-
Filesize
1.3MB
MD5 5343a19c618bc515ceb1695586c6c137
SHA1 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA256 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize
148KB
MD5 e8fe656d60144a6e8292ec3dfb17bce0
SHA1 4cec6d4bad77820be8c7a08ca8fbda0fde1eddb0
SHA256 df1f62e015a7c982533a5f465be7cbee8106eff77cad5cf6f28dedda80962dc5
SHA512 249b98000575509adca25aeb0e566471edba5ea9a2587213ee991a5c6f2a82d4ba9eb67eada15b97cde2b1eeba85e9e61809355aba83609cc4d24851f8ddd581