Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
86s -
max time network
133s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
20/10/2024, 23:06
Static task
static1
Behavioral task
behavioral1
Sample
6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Resource
win10v2004-20241007-en
General
-
Target
6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
-
Size
145KB
-
MD5
6e0a5bad73ddf8b05ea69aa6775df2a3
-
SHA1
7185cfa795b13bfca5213af466aacc0ff4145968
-
SHA256
6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34
-
SHA512
58646b0234fd5377b5942eef4430bb9ac2187e802cfdd156cdd258940dbcb5951b91dc5882062d5f108f6e0900f6a3c5fcd6352940b4fa41318a8c3f9833b83b
-
SSDEEP
1536:1Jo0IHgL2AHfb1mzaFXg+xsukl4Y17jsgS/jHagQNuXGpeVTVG:zx6AHjYzaFXg+w17jsgS/jHagQg19VG
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Gaara.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Kazekage.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Kazekage.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Gaara.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe -
Disables RegEdit via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Kazekage.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Gaara.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe -
Disables use of System Restore points 1 TTPs
-
Drops file in Drivers directory 24 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\drivers\system32.exe system32.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe smss.exe File created C:\Windows\SysWOW64\drivers\system32.exe Gaara.exe File created C:\Windows\SysWOW64\drivers\system32.exe Kazekage.exe File created C:\Windows\SysWOW64\drivers\system32.exe 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe Gaara.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe Kazekage.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe system32.exe File created C:\Windows\SysWOW64\drivers\system32.exe csrss.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File created C:\Windows\SysWOW64\drivers\system32.exe system32.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe Gaara.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe csrss.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe smss.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe smss.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe system32.exe File created C:\Windows\SysWOW64\drivers\system32.exe smss.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe csrss.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe csrss.exe -
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" csrss.exe -
Executes dropped EXE 30 IoCs
pid Process 2900 smss.exe 2600 smss.exe 1916 Gaara.exe 2680 smss.exe 2708 Gaara.exe 1304 csrss.exe 1488 smss.exe 1744 Gaara.exe 2192 csrss.exe 1840 Kazekage.exe 1580 smss.exe 1328 Gaara.exe 1768 csrss.exe 972 Kazekage.exe 2012 system32.exe 1756 smss.exe 1688 Gaara.exe 2016 csrss.exe 360 Kazekage.exe 1788 system32.exe 2228 system32.exe 2532 Kazekage.exe 3052 system32.exe 2280 csrss.exe 2216 Kazekage.exe 1028 system32.exe 2248 Gaara.exe 1552 csrss.exe 2772 Kazekage.exe 2628 system32.exe -
Loads dropped DLL 61 IoCs
pid Process 2768 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe 2768 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe 2900 smss.exe 2900 smss.exe 2600 smss.exe 2900 smss.exe 2900 smss.exe 1916 Gaara.exe 1916 Gaara.exe 2680 smss.exe 2708 Gaara.exe 1916 Gaara.exe 1916 Gaara.exe 1304 csrss.exe 1304 csrss.exe 1488 smss.exe 1304 csrss.exe 1744 Gaara.exe 2192 csrss.exe 1304 csrss.exe 1304 csrss.exe 1840 Kazekage.exe 1580 smss.exe 1840 Kazekage.exe 1328 Gaara.exe 1840 Kazekage.exe 1768 csrss.exe 1840 Kazekage.exe 1840 Kazekage.exe 1840 Kazekage.exe 1840 Kazekage.exe 2012 system32.exe 1756 smss.exe 2012 system32.exe 1688 Gaara.exe 2012 system32.exe 2016 csrss.exe 2012 system32.exe 2012 system32.exe 2012 system32.exe 2012 system32.exe 1304 csrss.exe 1304 csrss.exe 1916 Gaara.exe 1916 Gaara.exe 1916 Gaara.exe 1916 Gaara.exe 2900 smss.exe 2280 csrss.exe 2900 smss.exe 2900 smss.exe 2900 smss.exe 2900 smss.exe 2768 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe 2248 Gaara.exe 2768 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe 1552 csrss.exe 2768 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe 2768 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe 2768 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe 2768 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe -
Adds Run key to start application 2 TTPs 24 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification \??\J:\Desktop.ini csrss.exe File opened for modification \??\H:\Desktop.ini smss.exe File opened for modification \??\V:\Desktop.ini Kazekage.exe File opened for modification \??\Y:\Desktop.ini system32.exe File opened for modification \??\J:\Desktop.ini smss.exe File opened for modification \??\R:\Desktop.ini Kazekage.exe File opened for modification \??\B:\Desktop.ini Gaara.exe File opened for modification \??\G:\Desktop.ini Gaara.exe File opened for modification \??\O:\Desktop.ini Gaara.exe File opened for modification \??\P:\Desktop.ini Gaara.exe File opened for modification \??\U:\Desktop.ini 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File opened for modification \??\S:\Desktop.ini smss.exe File opened for modification \??\Z:\Desktop.ini smss.exe File opened for modification \??\S:\Desktop.ini Kazekage.exe File opened for modification \??\M:\Desktop.ini system32.exe File opened for modification \??\M:\Desktop.ini 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File opened for modification \??\N:\Desktop.ini 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File opened for modification \??\E:\Desktop.ini Kazekage.exe File opened for modification \??\G:\Desktop.ini Kazekage.exe File opened for modification F:\Desktop.ini Gaara.exe File opened for modification \??\Q:\Desktop.ini system32.exe File opened for modification \??\Y:\Desktop.ini 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File opened for modification \??\T:\Desktop.ini system32.exe File opened for modification \??\O:\Desktop.ini csrss.exe File opened for modification \??\G:\Desktop.ini smss.exe File opened for modification \??\L:\Desktop.ini smss.exe File opened for modification \??\Y:\Desktop.ini csrss.exe File opened for modification \??\O:\Desktop.ini smss.exe File opened for modification \??\V:\Desktop.ini smss.exe File opened for modification \??\G:\Desktop.ini system32.exe File opened for modification \??\W:\Desktop.ini Gaara.exe File opened for modification \??\U:\Desktop.ini smss.exe File opened for modification \??\R:\Desktop.ini Gaara.exe File opened for modification \??\E:\Desktop.ini 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File opened for modification \??\T:\Desktop.ini Kazekage.exe File opened for modification \??\O:\Desktop.ini system32.exe File opened for modification \??\A:\Desktop.ini 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File opened for modification \??\S:\Desktop.ini system32.exe File opened for modification \??\B:\Desktop.ini smss.exe File opened for modification \??\X:\Desktop.ini csrss.exe File opened for modification \??\Z:\Desktop.ini Gaara.exe File opened for modification \??\Q:\Desktop.ini Kazekage.exe File opened for modification \??\J:\Desktop.ini Gaara.exe File opened for modification \??\W:\Desktop.ini 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File opened for modification C:\Desktop.ini csrss.exe File opened for modification \??\A:\Desktop.ini smss.exe File opened for modification D:\Desktop.ini smss.exe File opened for modification \??\Q:\Desktop.ini Gaara.exe File opened for modification \??\U:\Desktop.ini system32.exe File opened for modification \??\P:\Desktop.ini 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File opened for modification \??\S:\Desktop.ini 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File opened for modification \??\M:\Desktop.ini smss.exe File opened for modification \??\W:\Desktop.ini csrss.exe File opened for modification C:\Desktop.ini Kazekage.exe File opened for modification \??\L:\Desktop.ini Kazekage.exe File opened for modification C:\Desktop.ini Gaara.exe File opened for modification \??\B:\Desktop.ini 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File opened for modification C:\Desktop.ini 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File opened for modification \??\V:\Desktop.ini Gaara.exe File opened for modification \??\K:\Desktop.ini csrss.exe File opened for modification \??\P:\Desktop.ini csrss.exe File opened for modification \??\W:\Desktop.ini smss.exe File opened for modification \??\I:\Desktop.ini system32.exe File opened for modification \??\J:\Desktop.ini system32.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Z: 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File opened (read-only) \??\R: smss.exe File opened (read-only) \??\U: smss.exe File opened (read-only) \??\J: Kazekage.exe File opened (read-only) \??\J: system32.exe File opened (read-only) \??\T: system32.exe File opened (read-only) \??\R: system32.exe File opened (read-only) \??\W: smss.exe File opened (read-only) \??\S: Kazekage.exe File opened (read-only) \??\G: system32.exe File opened (read-only) \??\L: system32.exe File opened (read-only) \??\A: smss.exe File opened (read-only) \??\R: Gaara.exe File opened (read-only) \??\S: system32.exe File opened (read-only) \??\W: Gaara.exe File opened (read-only) \??\V: csrss.exe File opened (read-only) \??\N: system32.exe File opened (read-only) \??\P: smss.exe File opened (read-only) \??\M: Gaara.exe File opened (read-only) \??\N: Gaara.exe File opened (read-only) \??\H: system32.exe File opened (read-only) \??\I: Gaara.exe File opened (read-only) \??\E: 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File opened (read-only) \??\I: csrss.exe File opened (read-only) \??\J: csrss.exe File opened (read-only) \??\W: csrss.exe File opened (read-only) \??\Y: csrss.exe File opened (read-only) \??\A: Gaara.exe File opened (read-only) \??\Q: 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File opened (read-only) \??\P: csrss.exe File opened (read-only) \??\H: Kazekage.exe File opened (read-only) \??\T: Kazekage.exe File opened (read-only) \??\S: Gaara.exe File opened (read-only) \??\E: Gaara.exe File opened (read-only) \??\T: csrss.exe File opened (read-only) \??\Z: csrss.exe File opened (read-only) \??\S: smss.exe File opened (read-only) \??\L: Kazekage.exe File opened (read-only) \??\P: Kazekage.exe File opened (read-only) \??\V: Kazekage.exe File opened (read-only) \??\L: csrss.exe File opened (read-only) \??\K: smss.exe File opened (read-only) \??\U: system32.exe File opened (read-only) \??\I: Kazekage.exe File opened (read-only) \??\Y: Gaara.exe File opened (read-only) \??\Y: smss.exe File opened (read-only) \??\V: Gaara.exe File opened (read-only) \??\V: system32.exe File opened (read-only) \??\H: 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File opened (read-only) \??\V: 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File opened (read-only) \??\Q: Kazekage.exe File opened (read-only) \??\U: Gaara.exe File opened (read-only) \??\K: 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File opened (read-only) \??\L: 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File opened (read-only) \??\X: smss.exe File opened (read-only) \??\M: system32.exe File opened (read-only) \??\T: Gaara.exe File opened (read-only) \??\Z: Gaara.exe File opened (read-only) \??\B: 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File opened (read-only) \??\W: Kazekage.exe File opened (read-only) \??\X: Kazekage.exe File opened (read-only) \??\X: Gaara.exe File opened (read-only) \??\G: csrss.exe File opened (read-only) \??\M: csrss.exe -
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File created \??\A:\Autorun.inf Kazekage.exe File opened for modification D:\Autorun.inf smss.exe File created D:\Autorun.inf Gaara.exe File opened for modification \??\N:\Autorun.inf Gaara.exe File opened for modification \??\R:\Autorun.inf Gaara.exe File opened for modification \??\W:\Autorun.inf Gaara.exe File opened for modification \??\X:\Autorun.inf csrss.exe File created \??\U:\Autorun.inf smss.exe File opened for modification \??\Z:\Autorun.inf smss.exe File opened for modification \??\S:\Autorun.inf csrss.exe File opened for modification \??\E:\Autorun.inf Kazekage.exe File opened for modification F:\Autorun.inf Kazekage.exe File opened for modification \??\H:\Autorun.inf 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File opened for modification \??\M:\Autorun.inf csrss.exe File created \??\U:\Autorun.inf csrss.exe File opened for modification \??\L:\Autorun.inf system32.exe File opened for modification \??\O:\Autorun.inf smss.exe File opened for modification \??\B:\Autorun.inf 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File created \??\G:\Autorun.inf csrss.exe File created \??\X:\Autorun.inf csrss.exe File opened for modification \??\Y:\Autorun.inf csrss.exe File opened for modification \??\T:\Autorun.inf system32.exe File opened for modification \??\J:\Autorun.inf system32.exe File opened for modification \??\A:\Autorun.inf 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File created \??\M:\Autorun.inf Gaara.exe File created \??\Z:\Autorun.inf Gaara.exe File created \??\W:\Autorun.inf csrss.exe File opened for modification \??\H:\Autorun.inf Kazekage.exe File created \??\I:\Autorun.inf Kazekage.exe File created \??\N:\Autorun.inf csrss.exe File opened for modification \??\E:\Autorun.inf system32.exe File created \??\E:\Autorun.inf 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File opened for modification \??\M:\Autorun.inf 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File created \??\P:\Autorun.inf 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File opened for modification \??\J:\Autorun.inf Gaara.exe File created \??\Y:\Autorun.inf Gaara.exe File opened for modification \??\I:\Autorun.inf csrss.exe File created \??\S:\Autorun.inf smss.exe File opened for modification \??\B:\Autorun.inf Kazekage.exe File created \??\B:\Autorun.inf Kazekage.exe File opened for modification \??\I:\Autorun.inf 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File created \??\N:\Autorun.inf smss.exe File opened for modification \??\S:\Autorun.inf Gaara.exe File created \??\O:\Autorun.inf Kazekage.exe File opened for modification \??\P:\Autorun.inf system32.exe File created \??\S:\Autorun.inf system32.exe File created \??\Q:\Autorun.inf smss.exe File opened for modification \??\K:\Autorun.inf csrss.exe File created \??\Z:\Autorun.inf csrss.exe File opened for modification D:\Autorun.inf Kazekage.exe File created D:\Autorun.inf Kazekage.exe File created \??\L:\Autorun.inf Kazekage.exe File opened for modification \??\N:\Autorun.inf smss.exe File created \??\H:\Autorun.inf Gaara.exe File opened for modification \??\G:\Autorun.inf system32.exe File opened for modification \??\I:\Autorun.inf system32.exe File opened for modification \??\S:\Autorun.inf system32.exe File opened for modification \??\V:\Autorun.inf 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File created \??\L:\Autorun.inf smss.exe File created \??\P:\Autorun.inf smss.exe File opened for modification \??\R:\Autorun.inf system32.exe File opened for modification C:\Autorun.inf smss.exe File created \??\T:\Autorun.inf smss.exe File opened for modification F:\Autorun.inf Gaara.exe -
Drops file in System32 directory 38 IoCs
description ioc Process File created C:\Windows\SysWOW64\msvbvm60.dll csrss.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Gaara.exe File opened for modification C:\Windows\SysWOW64\20-10-2024.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll smss.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Kazekage.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini system32.exe File created C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\SysWOW64\20-10-2024.exe system32.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File opened for modification C:\Windows\SysWOW64\ Gaara.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx system32.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll system32.exe File created C:\Windows\SysWOW64\msvbvm60.dll smss.exe File opened for modification C:\Windows\SysWOW64\20-10-2024.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini Gaara.exe File opened for modification C:\Windows\SysWOW64\ csrss.exe File opened for modification C:\Windows\SysWOW64\ Kazekage.exe File opened for modification C:\Windows\SysWOW64\20-10-2024.exe 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File created C:\Windows\SysWOW64\msvbvm60.dll 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File created C:\Windows\SysWOW64\msvbvm60.dll system32.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx smss.exe File opened for modification C:\Windows\SysWOW64\ system32.exe File created C:\Windows\SysWOW64\20-10-2024.exe 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe File created C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File created C:\Windows\SysWOW64\Desktop.ini 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini smss.exe File opened for modification C:\Windows\SysWOW64\ smss.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll csrss.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini Kazekage.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\SysWOW64\20-10-2024.exe smss.exe File opened for modification C:\Windows\SysWOW64\20-10-2024.exe csrss.exe File opened for modification C:\Windows\SysWOW64\ 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini csrss.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx csrss.exe -
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File created C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe Gaara.exe File created C:\Windows\WBEM\msvbvm60.dll system32.exe File created C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll csrss.exe File created C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe Kazekage.exe File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe system32.exe File opened for modification C:\Windows\ 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File opened for modification C:\Windows\ Gaara.exe File created C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe smss.exe File created C:\Windows\mscomctl.ocx 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File opened for modification C:\Windows\system\msvbvm60.dll csrss.exe File created C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe Kazekage.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg Kazekage.exe File opened for modification C:\Windows\system\msvbvm60.dll system32.exe File created C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe smss.exe File opened for modification C:\Windows\mscomctl.ocx Kazekage.exe File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe Gaara.exe File created C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\system\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\system\mscoree.dll system32.exe File opened for modification C:\Windows\msvbvm60.dll smss.exe File created C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe Kazekage.exe File opened for modification C:\Windows\system\mscoree.dll Gaara.exe File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe csrss.exe File created C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll system32.exe File created C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe smss.exe File opened for modification C:\Windows\mscomctl.ocx smss.exe File created C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File created C:\Windows\WBEM\msvbvm60.dll smss.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg csrss.exe File created C:\Windows\WBEM\msvbvm60.dll csrss.exe File opened for modification C:\Windows\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe system32.exe File opened for modification C:\Windows\mscomctl.ocx system32.exe File created C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll smss.exe File created C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe Gaara.exe File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File created C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe smss.exe File created C:\Windows\WBEM\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\msvbvm60.dll system32.exe File created C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe Gaara.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File opened for modification C:\Windows\ system32.exe File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe Gaara.exe File opened for modification C:\Windows\ csrss.exe File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe csrss.exe File opened for modification C:\Windows\mscomctl.ocx Gaara.exe File opened for modification C:\Windows\system\mscoree.dll 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File created C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe csrss.exe File opened for modification C:\Windows\system\mscoree.dll smss.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg Gaara.exe File opened for modification C:\Windows\system\mscoree.dll Kazekage.exe File created C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe system32.exe File created C:\Windows\system\msvbvm60.dll 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File opened for modification C:\Windows\system\msvbvm60.dll 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File created C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe csrss.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg system32.exe File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe smss.exe File created C:\Windows\msvbvm60.dll 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File created C:\Windows\WBEM\msvbvm60.dll 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe File opened for modification C:\Windows\system\msvbvm60.dll smss.exe -
System Location Discovery: System Language Discovery 1 TTPs 45 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 30 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2504 ping.exe 1616 ping.exe 3060 ping.exe 2284 ping.exe 2224 ping.exe 2720 ping.exe 1712 ping.exe 2256 ping.exe 1492 ping.exe 1320 ping.exe 668 ping.exe 2444 ping.exe 2052 ping.exe 2220 ping.exe 2088 ping.exe 2800 ping.exe 2724 ping.exe 2436 ping.exe 2472 ping.exe 2888 ping.exe 2680 ping.exe 1008 ping.exe 3052 ping.exe 2260 ping.exe 2756 ping.exe 2280 ping.exe 1292 ping.exe 2044 ping.exe 2164 ping.exe 2144 ping.exe -
Modifies Control Panel 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\WallpaperStyle = "2" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\Size = "72" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\WallpaperStyle = "2" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" smss.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" system32.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\Speed = "4" Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\Size = "72" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\Speed = "4" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" Gaara.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\WallpaperStyle = "2" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\Speed = "4" 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\Size = "72" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\Speed = "4" csrss.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" Gaara.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" system32.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Gaara.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main system32.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" system32.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" csrss.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" smss.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main Kazekage.exe -
Modifies registry class 48 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" smss.exe -
Runs ping.exe 1 TTPs 30 IoCs
pid Process 2280 ping.exe 2720 ping.exe 1616 ping.exe 2444 ping.exe 1492 ping.exe 2164 ping.exe 2144 ping.exe 2284 ping.exe 668 ping.exe 2756 ping.exe 2224 ping.exe 2504 ping.exe 1320 ping.exe 3052 ping.exe 2256 ping.exe 1292 ping.exe 2052 ping.exe 2724 ping.exe 2472 ping.exe 2044 ping.exe 2088 ping.exe 2680 ping.exe 1712 ping.exe 2260 ping.exe 3060 ping.exe 1008 ping.exe 2888 ping.exe 2800 ping.exe 2436 ping.exe 2220 ping.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2900 smss.exe 2900 smss.exe 2900 smss.exe 2900 smss.exe 2900 smss.exe 2900 smss.exe 2900 smss.exe 2900 smss.exe 2900 smss.exe 2900 smss.exe 2900 smss.exe 2900 smss.exe 1304 csrss.exe 1304 csrss.exe 1304 csrss.exe 1304 csrss.exe 1304 csrss.exe 1304 csrss.exe 1304 csrss.exe 1304 csrss.exe 1304 csrss.exe 1304 csrss.exe 1304 csrss.exe 1304 csrss.exe 1840 Kazekage.exe 1840 Kazekage.exe 1840 Kazekage.exe 1840 Kazekage.exe 1840 Kazekage.exe 1840 Kazekage.exe 1840 Kazekage.exe 1840 Kazekage.exe 1840 Kazekage.exe 1840 Kazekage.exe 1840 Kazekage.exe 1840 Kazekage.exe 2012 system32.exe 2012 system32.exe 2012 system32.exe 2012 system32.exe 2012 system32.exe 2012 system32.exe 1916 Gaara.exe 2012 system32.exe 2012 system32.exe 1916 Gaara.exe 1916 Gaara.exe 2012 system32.exe 1916 Gaara.exe 1916 Gaara.exe 2012 system32.exe 1916 Gaara.exe 2012 system32.exe 1916 Gaara.exe 2012 system32.exe 1916 Gaara.exe 1916 Gaara.exe 1916 Gaara.exe 1916 Gaara.exe 1916 Gaara.exe 2900 smss.exe 2900 smss.exe 2900 smss.exe 2900 smss.exe -
Suspicious use of SetWindowsHookEx 31 IoCs
pid Process 2768 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe 2900 smss.exe 2600 smss.exe 1916 Gaara.exe 2680 smss.exe 2708 Gaara.exe 1304 csrss.exe 1488 smss.exe 1744 Gaara.exe 2192 csrss.exe 1840 Kazekage.exe 1580 smss.exe 1328 Gaara.exe 1768 csrss.exe 972 Kazekage.exe 2012 system32.exe 1756 smss.exe 1688 Gaara.exe 2016 csrss.exe 360 Kazekage.exe 1788 system32.exe 2228 system32.exe 2532 Kazekage.exe 3052 system32.exe 2280 csrss.exe 2216 Kazekage.exe 1028 system32.exe 2248 Gaara.exe 1552 csrss.exe 2772 Kazekage.exe 2628 system32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2768 wrote to memory of 2900 2768 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe 30 PID 2768 wrote to memory of 2900 2768 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe 30 PID 2768 wrote to memory of 2900 2768 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe 30 PID 2768 wrote to memory of 2900 2768 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe 30 PID 2900 wrote to memory of 2600 2900 smss.exe 31 PID 2900 wrote to memory of 2600 2900 smss.exe 31 PID 2900 wrote to memory of 2600 2900 smss.exe 31 PID 2900 wrote to memory of 2600 2900 smss.exe 31 PID 2900 wrote to memory of 1916 2900 smss.exe 32 PID 2900 wrote to memory of 1916 2900 smss.exe 32 PID 2900 wrote to memory of 1916 2900 smss.exe 32 PID 2900 wrote to memory of 1916 2900 smss.exe 32 PID 1916 wrote to memory of 2680 1916 Gaara.exe 33 PID 1916 wrote to memory of 2680 1916 Gaara.exe 33 PID 1916 wrote to memory of 2680 1916 Gaara.exe 33 PID 1916 wrote to memory of 2680 1916 Gaara.exe 33 PID 1916 wrote to memory of 2708 1916 Gaara.exe 34 PID 1916 wrote to memory of 2708 1916 Gaara.exe 34 PID 1916 wrote to memory of 2708 1916 Gaara.exe 34 PID 1916 wrote to memory of 2708 1916 Gaara.exe 34 PID 1916 wrote to memory of 1304 1916 Gaara.exe 35 PID 1916 wrote to memory of 1304 1916 Gaara.exe 35 PID 1916 wrote to memory of 1304 1916 Gaara.exe 35 PID 1916 wrote to memory of 1304 1916 Gaara.exe 35 PID 1304 wrote to memory of 1488 1304 csrss.exe 36 PID 1304 wrote to memory of 1488 1304 csrss.exe 36 PID 1304 wrote to memory of 1488 1304 csrss.exe 36 PID 1304 wrote to memory of 1488 1304 csrss.exe 36 PID 1304 wrote to memory of 1744 1304 csrss.exe 37 PID 1304 wrote to memory of 1744 1304 csrss.exe 37 PID 1304 wrote to memory of 1744 1304 csrss.exe 37 PID 1304 wrote to memory of 1744 1304 csrss.exe 37 PID 1304 wrote to memory of 2192 1304 csrss.exe 38 PID 1304 wrote to memory of 2192 1304 csrss.exe 38 PID 1304 wrote to memory of 2192 1304 csrss.exe 38 PID 1304 wrote to memory of 2192 1304 csrss.exe 38 PID 1304 wrote to memory of 1840 1304 csrss.exe 39 PID 1304 wrote to memory of 1840 1304 csrss.exe 39 PID 1304 wrote to memory of 1840 1304 csrss.exe 39 PID 1304 wrote to memory of 1840 1304 csrss.exe 39 PID 1840 wrote to memory of 1580 1840 Kazekage.exe 40 PID 1840 wrote to memory of 1580 1840 Kazekage.exe 40 PID 1840 wrote to memory of 1580 1840 Kazekage.exe 40 PID 1840 wrote to memory of 1580 1840 Kazekage.exe 40 PID 1840 wrote to memory of 1328 1840 Kazekage.exe 41 PID 1840 wrote to memory of 1328 1840 Kazekage.exe 41 PID 1840 wrote to memory of 1328 1840 Kazekage.exe 41 PID 1840 wrote to memory of 1328 1840 Kazekage.exe 41 PID 1840 wrote to memory of 1768 1840 Kazekage.exe 42 PID 1840 wrote to memory of 1768 1840 Kazekage.exe 42 PID 1840 wrote to memory of 1768 1840 Kazekage.exe 42 PID 1840 wrote to memory of 1768 1840 Kazekage.exe 42 PID 1840 wrote to memory of 972 1840 Kazekage.exe 43 PID 1840 wrote to memory of 972 1840 Kazekage.exe 43 PID 1840 wrote to memory of 972 1840 Kazekage.exe 43 PID 1840 wrote to memory of 972 1840 Kazekage.exe 43 PID 1840 wrote to memory of 2012 1840 Kazekage.exe 44 PID 1840 wrote to memory of 2012 1840 Kazekage.exe 44 PID 1840 wrote to memory of 2012 1840 Kazekage.exe 44 PID 1840 wrote to memory of 2012 1840 Kazekage.exe 44 PID 2012 wrote to memory of 1756 2012 system32.exe 45 PID 2012 wrote to memory of 1756 2012 system32.exe 45 PID 2012 wrote to memory of 1756 2012 system32.exe 45 PID 2012 wrote to memory of 1756 2012 system32.exe 45 -
System policy modification 1 TTPs 12 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe"C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2768 -
C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2900 -
C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2600
-
-
C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1916 -
C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2680
-
-
C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2708
-
-
C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1304 -
C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1488
-
-
C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1744
-
-
C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2192
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1840 -
C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1580
-
-
C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1328
-
-
C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1768
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:972
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2012 -
C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1756
-
-
C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1688
-
-
C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2016
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:360
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1788
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2800
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2756
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2472
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1292
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1008
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2720
-
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1320
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3052
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2256
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2260
-
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2228
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2504
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2284
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1712
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2280
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2052
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2220
-
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2532
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3052
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2164
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2144
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2724
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2436
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1492
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2088
-
-
-
C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2280
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2216
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1028
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3060
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2680
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:668
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1616
-
-
-
C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2248
-
-
C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1552
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2772
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2628
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2888
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2224
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2044
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2444
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Disable or Modify Tools
1Modify Registry
8Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
736B
MD5bb5d6abdf8d0948ac6895ce7fdfbc151
SHA19266b7a247a4685892197194d2b9b86c8f6dddbd
SHA2565db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c
-
Filesize
196B
MD51564dfe69ffed40950e5cb644e0894d1
SHA1201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA51272df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097
-
Filesize
145KB
MD5f87349a8c0f8a259fff33cb5c8ce481c
SHA1a916c27bf93a378f69852cd9cb7d60b2324a568c
SHA2562d417ce16825fb5709a610d2c60568184836506018ed523bf17fa10e8ddf82c2
SHA512a0db1085f1eafb368e5630106d6c95dad67fb67c46754775313584b3c163663b9721439c86f6d76ac01c2b9faae0c324104800706b380ac5d460eddae0312229
-
Filesize
145KB
MD56e0a5bad73ddf8b05ea69aa6775df2a3
SHA17185cfa795b13bfca5213af466aacc0ff4145968
SHA2566902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34
SHA51258646b0234fd5377b5942eef4430bb9ac2187e802cfdd156cdd258940dbcb5951b91dc5882062d5f108f6e0900f6a3c5fcd6352940b4fa41318a8c3f9833b83b
-
Filesize
145KB
MD5fd215c7833a4193f7457a2382434d53b
SHA197682ac9428effc6c2e5136e054299a53a1aaf32
SHA256c7628c37e3c3d4a59e40b94e8b912d1e376766c2977ff9159150bacec821d669
SHA512cc8cb4d3aa3108f9b5c471cc1e2d6fb0d674e83c9d42820aed2b635975a6261bde61076b2a2d8e3403b0fba8777b3df9eac68230d53a1b04d65f356c28283d26
-
Filesize
192KB
MD5ca8609f3eb4c6e461d3582ff9234b309
SHA1702ccf95aaa1a5de3982d3d8a2d58d95fea3e7a5
SHA256277d5e607db233f135fd637900124c7f315dc0ce4a86fe5b65ca9d03040e41f3
SHA51254432d2b7abffbac97d8a1768d081c874120ea86c3e2335e880acf54280f5ec7bca38016e6c51d4dc3115270edb9680c29487895a4d236ee140d8bd73836201d
-
Filesize
1.4MB
MD5d6b05020d4a0ec2a3a8b687099e335df
SHA1df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA2569824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA51278fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff
-
Filesize
145KB
MD5f7aa242a6911a1a03df41e741a5dda3c
SHA1e24478a02745472be2a5530f4f76da2cdcbc15c4
SHA2569904e0baa3094494dcb67df4b9a2fafd9450d7147eba0a4eeaa3003fcbe27ee3
SHA51256c1043638ecd7df7398a45e429babc74a0d0e9f9b48b9bd65f971b261240918c51a68cfd9fe79c7b3f02ad9b66c78c6e4d3d53d8f53fc119f7fd01b34cee788
-
Filesize
145KB
MD5a005d41c944a073ab6e676eed606040a
SHA1066c85400252a2141da31f3c9bfe87ad335673d8
SHA256fb6327ddef45ff6f8385af982105a7966576966604243d5c7c65fc58c5d0f14c
SHA5123c83a35a5de0f92b1c6ed07e4f348d56c80d362318a6292479f8f918da096df9d2a9248108eeec37e67e9833806b9d08969934ed6d7610c065803b6773c87be6
-
Filesize
65B
MD564acfa7e03b01f48294cf30d201a0026
SHA110facd995b38a095f30b4a800fa454c0bcbf8438
SHA256ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA51265a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a
-
Filesize
145KB
MD522f869b912e9faf53f6e99d411ba49ac
SHA1493f524389c315edcc8fa369c9cf1ed8e8af7f95
SHA256afc17587a442f8bac6247ef6b4e99eed21f31603a25ca23fab3684e178c2a95d
SHA51226b489d7d4b6c55a6b2dce92c5c08527f50d50638bc646c3a99430ad93d955fcd9472836bfc5afa85a0c9ff3224f0c92deae4a9dabf1860a0d2f516fdc98f331
-
Filesize
145KB
MD55dcda7a5489d6ece3bea4dadaed85e20
SHA1ba58c5a2e0559feb7ad27d709beb9f0409bee4dd
SHA256de1a216f27111a148a492157c3e948cfed933cb24fbeec58cc5f76742c2d3cfb
SHA51244860e2f1942b8f8fd46a0f1ad8fc4e040902f350ec10df80c4b3e55cea08dc9c9bdd5c03c9ee52fe8d7e765ccb134afbec9d9d16d9c1702c8b7182d865f1f99
-
Filesize
145KB
MD58ef6f05d4993334f64a4021ae1783d61
SHA1c5226caa6724a64fc976ddba87a53764d1fd5f0c
SHA256b3af573b68251cb26a8b125c17914935fadb078229204d0a5d363a8de71c66dc
SHA5122f9c2e291aa0370af8dc0f10d55983d6ddc76a17678041679cac23eaee797a0216c9200afa459e17a0beab3f2f4afaf7f5a92cf7a0f3b45d63b644242c18d43f
-
Filesize
145KB
MD563c8e298b333d4ae0193516c97ced36d
SHA10693ca946e1cfe864357ea3b181fc17d90aad172
SHA256bb2dafe896dd8997843eaa360bf200546bc093312bf655a87604112d3182953d
SHA51280f22056320defe3409f989c7abee695f746c0c57611b1e52c3b93a6849bb248c95e13cc096791384de286dc2e6beaedf24c7a033bc8d628c630decf2208ff9b
-
Filesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize
145KB
MD567d9ead8124ddadb319f31a1f3fe0025
SHA1c2cb3be7f47cfcee9a9674f2714bcf7030a4f257
SHA2562004c1df2ccc7414bbfbbfafe49022cffa3b91435b5858c306a6cefe42d4c3c5
SHA5126793afeef95f9f7290cc75f61906c3c9dfba2840ee76c46f9a77192de9c4910420ec4d539d5f2bb8ae863a3e9e10e195b2cd58144bbaca35cb56137883a4c31d
-
Filesize
145KB
MD5f4fbd6e6719093d10850aa00a18ebff1
SHA1b6a323bc539a0c4ed21c2af1fc99074c6b38383b
SHA2568fa7378162232464adc723b3184ca558ccdb65c6cea1ccae90c5407f3db55752
SHA512a102696d5482cac94d469475e85db35fc35589a4028ec971c1306f62bc9dceef7a03289393d30cc11d4acc7e3cc196a966b72a5c975b30cfd7cba9a9392f7108