Analysis
max time kernel: 149s
max time network: 122s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 20/10/2024, 22:56
Static task: static1
Behavioral task: behavioral1
Sample: 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Resource: win10v2004-20241007-en
General
Target: 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Size: 145KB
MD5: 6e0a5bad73ddf8b05ea69aa6775df2a3
SHA1: 7185cfa795b13bfca5213af466aacc0ff4145968
SHA256: 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34
SHA512: 58646b0234fd5377b5942eef4430bb9ac2187e802cfdd156cdd258940dbcb5951b91dc5882062d5f108f6e0900f6a3c5fcd6352940b4fa41318a8c3f9833b83b
SSDEEP: 1536:1Jo0IHgL2AHfb1mzaFXg+xsukl4Y17jsgS/jHagQNuXGpeVTVG:zx6AHjYzaFXg+w17jsgS/jHagQg19VG
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | smss.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Disables RegEdit via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | system32.exe
Disables use of System Restore points 1 TTPs
Drops file in Drivers directory 24 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
Executes dropped EXE 30 IoCs
pid | Process
116 | smss.exe
1196 | smss.exe
2076 | Gaara.exe
2436 | smss.exe
1936 | Gaara.exe
2276 | csrss.exe
5056 | smss.exe
4216 | Gaara.exe
1752 | csrss.exe
756 | Kazekage.exe
2228 | smss.exe
4928 | Gaara.exe
4944 | csrss.exe
3232 | Kazekage.exe
3608 | system32.exe
2176 | smss.exe
2308 | Gaara.exe
4576 | csrss.exe
1668 | Kazekage.exe
4400 | system32.exe
1896 | system32.exe
1688 | Kazekage.exe
956 | system32.exe
1588 | csrss.exe
3364 | Kazekage.exe
1660 | system32.exe
2432 | Gaara.exe
1172 | csrss.exe
2936 | Kazekage.exe
3944 | system32.exe
Loads dropped DLL 18 IoCs
pid | Process
116 | smss.exe
1196 | smss.exe
2076 | Gaara.exe
2436 | smss.exe
1936 | Gaara.exe
2276 | csrss.exe
5056 | smss.exe
4216 | Gaara.exe
1752 | csrss.exe
2228 | smss.exe
4928 | Gaara.exe
4944 | csrss.exe
2176 | smss.exe
2308 | Gaara.exe
4576 | csrss.exe
1588 | csrss.exe
2432 | Gaara.exe
1172 | csrss.exe
Adds Run key to start application 2 TTPs 24 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" | Kazekage.exe
Drops desktop.ini file(s) 64 IoCs
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | \??\Q:\Autorun.inf | Gaara.exe
File created | \??\Y:\Autorun.inf | Gaara.exe
File opened for modification | \??\Z:\Autorun.inf | Kazekage.exe
File opened for modification | \??\J:\Autorun.inf | system32.exe
File opened for modification | \??\S:\Autorun.inf | system32.exe
File opened for modification | C:\Autorun.inf | Gaara.exe
File opened for modification | \??\K:\Autorun.inf | Gaara.exe
File created | \??\K:\Autorun.inf | csrss.exe
File created | \??\R:\Autorun.inf | csrss.exe
File opened for modification | \??\L:\Autorun.inf | Kazekage.exe
File created | \??\O:\Autorun.inf | system32.exe
File created | \??\K:\Autorun.inf | smss.exe
File created | \??\N:\Autorun.inf | smss.exe
File opened for modification | C:\Autorun.inf | csrss.exe
File opened for modification | \??\A:\Autorun.inf | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | \??\B:\Autorun.inf | smss.exe
File created | \??\J:\Autorun.inf | csrss.exe
File opened for modification | \??\Q:\Autorun.inf | csrss.exe
File created | \??\B:\Autorun.inf | Kazekage.exe
File created | \??\G:\Autorun.inf | Kazekage.exe
File created | \??\V:\Autorun.inf | Kazekage.exe
File created | \??\L:\Autorun.inf | system32.exe
File opened for modification | \??\E:\Autorun.inf | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | \??\P:\Autorun.inf | system32.exe
File opened for modification | \??\S:\Autorun.inf | smss.exe
File created | \??\P:\Autorun.inf | csrss.exe
File created | \??\T:\Autorun.inf | csrss.exe
File created | \??\Z:\Autorun.inf | system32.exe
File opened for modification | C:\Autorun.inf | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | \??\Z:\Autorun.inf | system32.exe
File opened for modification | \??\R:\Autorun.inf | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | \??\I:\Autorun.inf | Gaara.exe
File opened for modification | \??\A:\Autorun.inf | csrss.exe
File created | \??\S:\Autorun.inf | Kazekage.exe
File created | \??\J:\Autorun.inf | system32.exe
File created | \??\M:\Autorun.inf | system32.exe
File opened for modification | \??\T:\Autorun.inf | system32.exe
File opened for modification | F:\Autorun.inf | smss.exe
File created | \??\T:\Autorun.inf | smss.exe
File opened for modification | \??\S:\Autorun.inf | Kazekage.exe
File created | \??\W:\Autorun.inf | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File created | C:\Autorun.inf | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | \??\J:\Autorun.inf | Gaara.exe
File created | \??\M:\Autorun.inf | Gaara.exe
File created | \??\U:\Autorun.inf | Gaara.exe
File created | \??\Z:\Autorun.inf | Gaara.exe
File created | \??\Z:\Autorun.inf | Kazekage.exe
File created | \??\U:\Autorun.inf | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | \??\T:\Autorun.inf | Gaara.exe
File opened for modification | \??\H:\Autorun.inf | csrss.exe
File opened for modification | \??\V:\Autorun.inf | system32.exe
File created | \??\I:\Autorun.inf | Gaara.exe
File opened for modification | \??\B:\Autorun.inf | Kazekage.exe
File created | \??\Q:\Autorun.inf | Kazekage.exe
File created | \??\X:\Autorun.inf | Kazekage.exe
File opened for modification | D:\Autorun.inf | system32.exe
File opened for modification | \??\Q:\Autorun.inf | system32.exe
File opened for modification | \??\W:\Autorun.inf | csrss.exe
File created | \??\Q:\Autorun.inf | smss.exe
File created | \??\Y:\Autorun.inf | csrss.exe
File created | \??\P:\Autorun.inf | Kazekage.exe
File opened for modification | \??\G:\Autorun.inf | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | \??\Z:\Autorun.inf | csrss.exe
File created | \??\H:\Autorun.inf | csrss.exe
Drops file in System32 directory 39 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | smss.exe
File opened for modification | C:\Windows\SysWOW64\ | smss.exe
File opened for modification | C:\Windows\SysWOW64\ | Kazekage.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | C:\Windows\SysWOW64\ | Gaara.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | C:\Windows\SysWOW64\20-10-2024.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\20-10-2024.exe | system32.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | csrss.exe
File opened for modification | C:\Windows\SysWOW64\ | csrss.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\SysWOW64\ | system32.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | system32.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | Gaara.exe
File created | C:\Windows\SysWOW64\Desktop.ini | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File created | C:\Windows\SysWOW64\mscomctl.ocx | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | system32.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | Kazekage.exe
File created | C:\Windows\SysWOW64\20-10-2024.exe | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | C:\Windows\SysWOW64\20-10-2024.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\20-10-2024.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | csrss.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | system32.exe
File opened for modification | C:\Windows\SysWOW64\20-10-2024.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | C:\Windows\SysWOW64\ | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | system32.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | csrss.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\20-10-2024.exe | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | smss.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | Gaara.exe
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | csrss.exe
Drops file in Windows directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | Gaara.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\mscomctl.ocx | system32.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File created | C:\Windows\WBEM\msvbvm60.dll | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\system\mscoree.dll | system32.exe
File opened for modification | C:\Windows\ | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File created | C:\Windows\WBEM\msvbvm60.dll | system32.exe
File opened for modification | C:\Windows\mscomctl.ocx | Kazekage.exe
File opened for modification | C:\Windows\ | Kazekage.exe
File opened for modification | C:\Windows\system\mscoree.dll | smss.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | smss.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | csrss.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | Kazekage.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | Kazekage.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | Kazekage.exe
File opened for modification | C:\Windows\msvbvm60.dll | Kazekage.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | system32.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | C:\Windows\system\mscoree.dll | Gaara.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | Gaara.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | Gaara.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | csrss.exe
File created | C:\Windows\mscomctl.ocx | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | smss.exe
File opened for modification | C:\Windows\ | smss.exe
File opened for modification | C:\Windows\ | Gaara.exe
File opened for modification | C:\Windows\system\mscoree.dll | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | Gaara.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | csrss.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | csrss.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | system32.exe
File opened for modification | C:\Windows\system\mscoree.dll | csrss.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | Gaara.exe
File opened for modification | C:\Windows\msvbvm60.dll | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | Gaara.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | csrss.exe
File opened for modification | C:\Windows\ | csrss.exe
File opened for modification | C:\Windows\msvbvm60.dll | system32.exe
File opened for modification | C:\Windows\mscomctl.ocx | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | smss.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | Gaara.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | Kazekage.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | Kazekage.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll | system32.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File created | C:\Windows\WBEM\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\mscomctl.ocx | Gaara.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | smss.exe
File created | C:\Windows\WBEM\msvbvm60.dll | smss.exe
File created | C:\Windows\system\msvbvm60.dll | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File created | C:\Windows\WBEM\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\system\mscoree.dll | Kazekage.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | system32.exe
File created | C:\Windows\WBEM\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | system32.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | system32.exe
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. This key is also read by ordinary processes during start-up (the rows below include the ping.exe instances), so on its own it is a weak indicator.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaara.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kazekage.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaara.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaara.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kazekage.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaara.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kazekage.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaara.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kazekage.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kazekage.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaara.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kazekage.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 34 IoCs
Adversaries may check for Internet connectivity on compromised systems. Here each check is a separate ping.exe child process; PIDs that recur in the list (1532, 4228) were reused after earlier instances exited, so the rows count spawn events rather than concurrent processes.
pid | Process
4228 | ping.exe
4156 | ping.exe
896 | ping.exe
1588 | ping.exe
5056 | ping.exe
536 | ping.exe
1996 | ping.exe
2000 | ping.exe
1584 | ping.exe
4860 | ping.exe
1920 | ping.exe
1532 | ping.exe
1532 | ping.exe
944 | ping.exe
4892 | ping.exe
1988 | ping.exe
2324 | ping.exe
3744 | ping.exe
1952 | ping.exe
64 | ping.exe
4296 | ping.exe
1196 | ping.exe
804 | ping.exe
4228 | ping.exe
3624 | ping.exe
1336 | ping.exe
2112 | ping.exe
1848 | ping.exe
1532 | ping.exe
3052 | ping.exe
2220 | ping.exe
704 | ping.exe
2636 | ping.exe
2996 | ping.exe
Modifies Control Panel 64 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | smss.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | Kazekage.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\WallpaperStyle = "2" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\WallpaperStyle = "2" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\WallpaperStyle = "2" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop | Gaara.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\WallpaperStyle = "2" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | smss.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\WallpaperStyle = "2" | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\Size = "72" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\Size = "72" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\Size = "72" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | system32.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | system32.exe
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | smss.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | Gaara.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | system32.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main | Gaara.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main | smss.exe
Modifies registry class 51 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe"  smss.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command  smss.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell  Gaara.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command  csrss.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command  system32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command  system32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command  smss.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe"  Gaara.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\inffile  Gaara.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command  Kazekage.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe"  Kazekage.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command  system32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0"  smss.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0"  Gaara.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command  csrss.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command  csrss.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command  Kazekage.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command  Kazekage.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe"  Gaara.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0"  system32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe"  6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command  smss.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0"  Kazekage.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe"  system32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe"  system32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command  Gaara.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command  Gaara.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command  csrss.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0"  csrss.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe"  Kazekage.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe"  6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe"  6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command  smss.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command  6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command  6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe"  smss.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe"  Gaara.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe"  csrss.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe"  system32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command  6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command  6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe"  csrss.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command  Kazekage.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command  system32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0"  6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe"  smss.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command  Gaara.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command  Gaara.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install  Gaara.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe"  csrss.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe"  Kazekage.exe
Runs ping.exe 1 TTPs 34 IoCs
pid Process 2324 ping.exe 2112 ping.exe 4228 ping.exe 1588 ping.exe 1920 ping.exe 4860 ping.exe 4892 ping.exe 64 ping.exe 3744 ping.exe 1584 ping.exe 1952 ping.exe 2220 ping.exe 704 ping.exe 1996 ping.exe 1848 ping.exe 3052 ping.exe 896 ping.exe 4296 ping.exe 4228 ping.exe 4156 ping.exe 1336 ping.exe 1196 ping.exe 1532 ping.exe 944 ping.exe 2996 ping.exe 3624 ping.exe 2636 ping.exe 804 ping.exe 2000 ping.exe 1532 ping.exe 1532 ping.exe 1988 ping.exe 5056 ping.exe 536 ping.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2076 Gaara.exe 2076 Gaara.exe 2076 Gaara.exe 2076 Gaara.exe 2076 Gaara.exe 2076 Gaara.exe 2076 Gaara.exe 2076 Gaara.exe 2076 Gaara.exe 2076 Gaara.exe 2076 Gaara.exe 2076 Gaara.exe 2076 Gaara.exe 2076 Gaara.exe 2076 Gaara.exe 2076 Gaara.exe 2076 Gaara.exe 2076 Gaara.exe 2076 Gaara.exe 2076 Gaara.exe 2076 Gaara.exe 2076 Gaara.exe 2076 Gaara.exe 2076 Gaara.exe 2276 csrss.exe 2276 csrss.exe 2276 csrss.exe 2276 csrss.exe 2276 csrss.exe 2276 csrss.exe 2276 csrss.exe 2276 csrss.exe 2276 csrss.exe 2276 csrss.exe 2276 csrss.exe 2276 csrss.exe 2276 csrss.exe 2276 csrss.exe 2276 csrss.exe 2276 csrss.exe 2276 csrss.exe 2276 csrss.exe 2276 csrss.exe 2276 csrss.exe 2276 csrss.exe 2276 csrss.exe 2276 csrss.exe 2276 csrss.exe 756 Kazekage.exe 756 Kazekage.exe 756 Kazekage.exe 756 Kazekage.exe 756 Kazekage.exe 756 Kazekage.exe 756 Kazekage.exe 756 Kazekage.exe 756 Kazekage.exe 756 Kazekage.exe 756 Kazekage.exe 756 Kazekage.exe 756 Kazekage.exe 756 Kazekage.exe 756 Kazekage.exe 756 Kazekage.exe -
Suspicious use of SetWindowsHookEx 31 IoCs
pid Process 2988 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe 116 smss.exe 1196 smss.exe 2076 Gaara.exe 2436 smss.exe 1936 Gaara.exe 2276 csrss.exe 5056 smss.exe 4216 Gaara.exe 1752 csrss.exe 756 Kazekage.exe 2228 smss.exe 4928 Gaara.exe 4944 csrss.exe 3232 Kazekage.exe 3608 system32.exe 2176 smss.exe 2308 Gaara.exe 4576 csrss.exe 1668 Kazekage.exe 4400 system32.exe 1896 system32.exe 1688 Kazekage.exe 956 system32.exe 1588 csrss.exe 3364 Kazekage.exe 1660 system32.exe 2432 Gaara.exe 1172 csrss.exe 2936 Kazekage.exe 3944 system32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target
PID 2988 wrote to memory of 116  2988  6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe  84
PID 2988 wrote to memory of 116  2988  6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe  84
PID 2988 wrote to memory of 116  2988  6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe  84
PID 116 wrote to memory of 1196  116  smss.exe  86
PID 116 wrote to memory of 1196  116  smss.exe  86
PID 116 wrote to memory of 1196  116  smss.exe  86
PID 116 wrote to memory of 2076  116  smss.exe  88
PID 116 wrote to memory of 2076  116  smss.exe  88
PID 116 wrote to memory of 2076  116  smss.exe  88
PID 2076 wrote to memory of 2436  2076  Gaara.exe  89
PID 2076 wrote to memory of 2436  2076  Gaara.exe  89
PID 2076 wrote to memory of 2436  2076  Gaara.exe  89
PID 2076 wrote to memory of 1936  2076  Gaara.exe  90
PID 2076 wrote to memory of 1936  2076  Gaara.exe  90
PID 2076 wrote to memory of 1936  2076  Gaara.exe  90
PID 2076 wrote to memory of 2276  2076  Gaara.exe  92
PID 2076 wrote to memory of 2276  2076  Gaara.exe  92
PID 2076 wrote to memory of 2276  2076  Gaara.exe  92
PID 2276 wrote to memory of 5056  2276  csrss.exe  93
PID 2276 wrote to memory of 5056  2276  csrss.exe  93
PID 2276 wrote to memory of 5056  2276  csrss.exe  93
PID 2276 wrote to memory of 4216  2276  csrss.exe  94
PID 2276 wrote to memory of 4216  2276  csrss.exe  94
PID 2276 wrote to memory of 4216  2276  csrss.exe  94
PID 2276 wrote to memory of 1752  2276  csrss.exe  95
PID 2276 wrote to memory of 1752  2276  csrss.exe  95
PID 2276 wrote to memory of 1752  2276  csrss.exe  95
PID 2276 wrote to memory of 756  2276  csrss.exe  96
PID 2276 wrote to memory of 756  2276  csrss.exe  96
PID 2276 wrote to memory of 756  2276  csrss.exe  96
PID 756 wrote to memory of 2228  756  Kazekage.exe  97
PID 756 wrote to memory of 2228  756  Kazekage.exe  97
PID 756 wrote to memory of 2228  756  Kazekage.exe  97
PID 756 wrote to memory of 4928  756  Kazekage.exe  98
PID 756 wrote to memory of 4928  756  Kazekage.exe  98
PID 756 wrote to memory of 4928  756  Kazekage.exe  98
PID 756 wrote to memory of 4944  756  Kazekage.exe  99
PID 756 wrote to memory of 4944  756  Kazekage.exe  99
PID 756 wrote to memory of 4944  756  Kazekage.exe  99
PID 756 wrote to memory of 3232  756  Kazekage.exe  100
PID 756 wrote to memory of 3232  756  Kazekage.exe  100
PID 756 wrote to memory of 3232  756  Kazekage.exe  100
PID 756 wrote to memory of 3608  756  Kazekage.exe  103
PID 756 wrote to memory of 3608  756  Kazekage.exe  103
PID 756 wrote to memory of 3608  756  Kazekage.exe  103
PID 3608 wrote to memory of 2176  3608  system32.exe  104
PID 3608 wrote to memory of 2176  3608  system32.exe  104
PID 3608 wrote to memory of 2176  3608  system32.exe  104
PID 3608 wrote to memory of 2308  3608  system32.exe  105
PID 3608 wrote to memory of 2308  3608  system32.exe  105
PID 3608 wrote to memory of 2308  3608  system32.exe  105
PID 3608 wrote to memory of 4576  3608  system32.exe  106
PID 3608 wrote to memory of 4576  3608  system32.exe  106
PID 3608 wrote to memory of 4576  3608  system32.exe  106
PID 3608 wrote to memory of 1668  3608  system32.exe  107
PID 3608 wrote to memory of 1668  3608  system32.exe  107
PID 3608 wrote to memory of 1668  3608  system32.exe  107
PID 3608 wrote to memory of 4400  3608  system32.exe  108
PID 3608 wrote to memory of 4400  3608  system32.exe  108
PID 3608 wrote to memory of 4400  3608  system32.exe  108
PID 2276 wrote to memory of 1896  2276  csrss.exe  109
PID 2276 wrote to memory of 1896  2276  csrss.exe  109
PID 2276 wrote to memory of 1896  2276  csrss.exe  109
PID 2076 wrote to memory of 1688  2076  Gaara.exe  111
System policy modification 1 TTPs 12 IoCs
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  csrss.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  system32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  smss.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  Gaara.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  Gaara.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  csrss.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  Kazekage.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  Kazekage.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  system32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  smss.exe
Processes
(Process tree: indentation shows parent/child nesting; the bullets under each process are the signatures it matched.)

C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe  PID 2988
  cmd: "C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe"
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - UAC bypass
  - Disables RegEdit via registry modification
  - Drops file in Drivers directory
  - Event Triggered Execution: Image File Execution Options Injection
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe  PID 116
    cmd: "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - UAC bypass
    - Disables RegEdit via registry modification
    - Drops file in Drivers directory
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Sets desktop wallpaper using registry
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe  PID 1196
      cmd: "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
    C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe  PID 2076
      cmd: "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - UAC bypass
      - Disables RegEdit via registry modification
      - Drops file in Drivers directory
      - Event Triggered Execution: Image File Execution Options Injection
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops desktop.ini file(s)
      - Enumerates connected drives
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Sets desktop wallpaper using registry
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Modifies Control Panel
      - Modifies Internet Explorer settings
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
      C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe  PID 2436
        cmd: "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
      C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe  PID 1936
        cmd: "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
      C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe  PID 2276
        cmd: "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - UAC bypass
        - Disables RegEdit via registry modification
        - Drops file in Drivers directory
        - Event Triggered Execution: Image File Execution Options Injection
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops desktop.ini file(s)
        - Enumerates connected drives
        - Drops autorun.inf file
        - Drops file in System32 directory
        - Sets desktop wallpaper using registry
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Modifies Control Panel
        - Modifies Internet Explorer settings
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification
        C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe  PID 5056
          cmd: "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
        C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe  PID 4216
          cmd: "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
        C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe  PID 1752
          cmd: "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\drivers\Kazekage.exe  PID 756
          cmd: C:\Windows\system32\drivers\Kazekage.exe
          - Modifies WinLogon for persistence
          - Modifies visibility of file extensions in Explorer
          - Modifies visibility of hidden/system files in Explorer
          - UAC bypass
          - Disables RegEdit via registry modification
          - Drops file in Drivers directory
          - Event Triggered Execution: Image File Execution Options Injection
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops desktop.ini file(s)
          - Enumerates connected drives
          - Drops autorun.inf file
          - Drops file in System32 directory
          - Sets desktop wallpaper using registry
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Modifies Control Panel
          - Modifies Internet Explorer settings
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          - System policy modification
          C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe  PID 2228
            cmd: "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
          C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe  PID 4928
            cmd: "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
          C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe  PID 4944
            cmd: "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
          C:\Windows\SysWOW64\drivers\Kazekage.exe  PID 3232
            cmd: C:\Windows\system32\drivers\Kazekage.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
          C:\Windows\SysWOW64\drivers\system32.exe  PID 3608
            cmd: C:\Windows\system32\drivers\system32.exe
            - Modifies WinLogon for persistence
            - Modifies visibility of file extensions in Explorer
            - Modifies visibility of hidden/system files in Explorer
            - UAC bypass
            - Disables RegEdit via registry modification
            - Drops file in Drivers directory
            - Event Triggered Execution: Image File Execution Options Injection
            - Executes dropped EXE
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops desktop.ini file(s)
            - Enumerates connected drives
            - Drops autorun.inf file
            - Drops file in System32 directory
            - Sets desktop wallpaper using registry
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Modifies Control Panel
            - Modifies Internet Explorer settings
            - Modifies registry class
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            - System policy modification
            C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe  PID 2176
              cmd: "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
            C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe  PID 2308
              cmd: "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
            C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe  PID 4576
              cmd: "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
            C:\Windows\SysWOW64\drivers\Kazekage.exe  PID 1668
              cmd: C:\Windows\system32\drivers\Kazekage.exe
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
            C:\Windows\SysWOW64\drivers\system32.exe  PID 4400
              cmd: C:\Windows\system32\drivers\system32.exe
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
            C:\Windows\SysWOW64\ping.exe  PID 4296
              cmd: ping -a -l www.rasasayang.com.my 65500
              - System Location Discovery: System Language Discovery
              - System Network Configuration Discovery: Internet Connection Discovery
              - Runs ping.exe
            C:\Windows\SysWOW64\ping.exe  PID 3744
              cmd: ping -a -l www.duniasex.com 65500
              - System Location Discovery: System Language Discovery
              - System Network Configuration Discovery: Internet Connection Discovery
              - Runs ping.exe
            C:\Windows\SysWOW64\ping.exe  PID 804
              cmd: ping -a -l www.rasasayang.com.my 65500
              - System Location Discovery: System Language Discovery
              - System Network Configuration Discovery: Internet Connection Discovery
              - Runs ping.exe
            C:\Windows\SysWOW64\ping.exe  PID 4228
              cmd: ping -a -l www.duniasex.com 65500
              - System Location Discovery: System Language Discovery
              - System Network Configuration Discovery: Internet Connection Discovery
              - Runs ping.exe
            C:\Windows\SysWOW64\ping.exe  PID 3624
              cmd: ping -a -l www.rasasayang.com.my 65500
              - System Location Discovery: System Language Discovery
              - System Network Configuration Discovery: Internet Connection Discovery
              - Runs ping.exe
            C:\Windows\SysWOW64\ping.exe  PID 1532
              cmd: ping -a -l www.duniasex.com 65500
              - System Network Configuration Discovery: Internet Connection Discovery
              - Runs ping.exe
          C:\Windows\SysWOW64\ping.exe  PID 1336
            cmd: ping -a -l www.rasasayang.com.my 65500
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
          C:\Windows\SysWOW64\ping.exe  PID 896
            cmd: ping -a -l www.duniasex.com 65500
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
          C:\Windows\SysWOW64\ping.exe  PID 1196
            cmd: ping -a -l www.rasasayang.com.my 65500
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
          C:\Windows\SysWOW64\ping.exe  PID 1532
            cmd: ping -a -l www.duniasex.com 65500
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
          C:\Windows\SysWOW64\ping.exe  PID 2996
            cmd: ping -a -l www.rasasayang.com.my 65500
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
          C:\Windows\SysWOW64\ping.exe  PID 4860
            cmd: ping -a -l www.duniasex.com 65500
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
        C:\Windows\SysWOW64\drivers\system32.exe  PID 1896
          cmd: C:\Windows\system32\drivers\system32.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\ping.exe  PID 64
          cmd: ping -a -l www.rasasayang.com.my 65500
          - System Location Discovery: System Language Discovery
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe
        C:\Windows\SysWOW64\ping.exe  PID 704
          cmd: ping -a -l www.duniasex.com 65500
          - System Location Discovery: System Language Discovery
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe
        C:\Windows\SysWOW64\ping.exe  PID 1920
          cmd: ping -a -l www.rasasayang.com.my 65500
          - System Location Discovery: System Language Discovery
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe
        C:\Windows\SysWOW64\ping.exe  PID 1996
          cmd: ping -a -l www.duniasex.com 65500
          - System Location Discovery: System Language Discovery
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe
        C:\Windows\SysWOW64\ping.exe  PID 4156
          cmd: ping -a -l www.rasasayang.com.my 65500
          - System Location Discovery: System Language Discovery
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe
        C:\Windows\SysWOW64\ping.exe  PID 1952
          cmd: ping -a -l www.duniasex.com 65500
          - System Location Discovery: System Language Discovery
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe
      C:\Windows\SysWOW64\drivers\Kazekage.exe  PID 1688
        cmd: C:\Windows\system32\drivers\Kazekage.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
      C:\Windows\SysWOW64\drivers\system32.exe  PID 956
        cmd: C:\Windows\system32\drivers\system32.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
      C:\Windows\SysWOW64\ping.exe  PID 3052
        cmd: ping -a -l www.rasasayang.com.my 65500
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
      C:\Windows\SysWOW64\ping.exe  PID 2324
        cmd: ping -a -l www.duniasex.com 65500
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
      C:\Windows\SysWOW64\ping.exe  PID 1848
        cmd: ping -a -l www.rasasayang.com.my 65500
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
      C:\Windows\SysWOW64\ping.exe  PID 2636
        cmd: ping -a -l www.duniasex.com 65500
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
      C:\Windows\SysWOW64\ping.exe  PID 1584
        cmd: ping -a -l www.rasasayang.com.my 65500
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
      C:\Windows\SysWOW64\ping.exe  PID 4228
        cmd: ping -a -l www.duniasex.com 65500
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
    C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe  PID 1588
      cmd: "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\drivers\Kazekage.exe  PID 3364
      cmd: C:\Windows\system32\drivers\Kazekage.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\drivers\system32.exe  PID 1660
      cmd: C:\Windows\system32\drivers\system32.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\ping.exe  PID 2220
      cmd: ping -a -l www.rasasayang.com.my 65500
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
    C:\Windows\SysWOW64\ping.exe  PID 1988
      cmd: ping -a -l www.duniasex.com 65500
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
    C:\Windows\SysWOW64\ping.exe  PID 536
      cmd: ping -a -l www.rasasayang.com.my 65500
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
    C:\Windows\SysWOW64\ping.exe  PID 5056
      cmd: ping -a -l www.duniasex.com 65500
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
    C:\Windows\SysWOW64\ping.exe  PID 1532
      cmd: ping -a -l www.rasasayang.com.my 65500
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
    C:\Windows\SysWOW64\ping.exe  PID 2000
      cmd: ping -a -l www.duniasex.com 65500
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
  C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe  PID 2432
    cmd: "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe  PID 1172
    cmd: "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\drivers\Kazekage.exe  PID 2936
    cmd: C:\Windows\system32\drivers\Kazekage.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\drivers\system32.exe  PID 3944
    cmd: C:\Windows\system32\drivers\system32.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\ping.exe  PID 944
    cmd: ping -a -l www.rasasayang.com.my 65500
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
  C:\Windows\SysWOW64\ping.exe  PID 4892
    cmd: ping -a -l www.duniasex.com 65500
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
  C:\Windows\SysWOW64\ping.exe  PID 2112
    cmd: ping -a -l www.rasasayang.com.my 65500
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
  C:\Windows\SysWOW64\ping.exe  PID 1588
    cmd: ping -a -l www.duniasex.com 65500
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
(Numbers in parentheses are the report's signature counts per technique.)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (8)
Downloads
- Filesize 736B
  MD5 bb5d6abdf8d0948ac6895ce7fdfbc151
  SHA1 9266b7a247a4685892197194d2b9b86c8f6dddbd
  SHA256 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
  SHA512 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c
- Filesize 196B
  MD5 1564dfe69ffed40950e5cb644e0894d1
  SHA1 201b6f7a01cc49bb698bea6d4945a082ed454ce4
  SHA256 be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
  SHA512 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097
- Filesize 145KB
  MD5 6e0a5bad73ddf8b05ea69aa6775df2a3
  SHA1 7185cfa795b13bfca5213af466aacc0ff4145968
  SHA256 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34
  SHA512 58646b0234fd5377b5942eef4430bb9ac2187e802cfdd156cdd258940dbcb5951b91dc5882062d5f108f6e0900f6a3c5fcd6352940b4fa41318a8c3f9833b83b
- Filesize 145KB
  MD5 a29f5849837c5cf16d9bc7b9b6c2c6d1
  SHA1 a483837302f64b8d9df42981c60ee8ce0cdba2de
  SHA256 44ac7c7db112c899b9921d67036ec2ae63f36b8d1d456f354fa6d3d75472e62f
  SHA512 ed87234170801357f9b6e3c4b5770418b7b51237ff7ac0e18a8ceed545047e1d44cabd30da05ba63b3c7159e5fe1e8c7fde4330e53dc74eb986b845286b87cc2
- Filesize 145KB
  MD5 e2e24b204e58e16848e4678218173efc
  SHA1 6e952126c7f84599f9a7014d979b6d24413c5ace
  SHA256 7dfa145b92874212c8de21f5140a0b7924798874deafd1b2a19baaa344e9a164
  SHA512 469b7a73638c4d2adfe4193666a70db9c42011572eb728a098829a489c7734750aa71e3c473b107460b91286ff6370044fc44d11d366b0f311746ebbd9d0854e
- Filesize 145KB
  MD5 844864ae07faca0a236ff2fc17e60ab8
  SHA1 522a58c1af85a478fa8b6964fc24dae9f5a15f66
  SHA256 791aae2fc70654086f4cb7f31ecde14ac8b1d57ac2f2fc918b2b96518dad84a5
  SHA512 6a2e5c9a5bafa5cc79ab28a10cebbcb905ab71b2d2ff9396da7dfc5e3f0b439ec81f5bf019dcd7c11de776a71220fd18960d631caeb2388b59094f6897abd0b7
- Filesize 145KB
  MD5 d366728f3533311010818fd568d5a037
  SHA1 6d6cf2109bdc0c8aaadd70714ece3370cdec49d7
  SHA256 452c0412462dafc7240d94d015b4f95cb9fae3c58c0df2632ff8449c462953b4
  SHA512 584c09353e799142d832ec6ee3d1175b76c509595b51f9e43e025bd78defdc7fcb7dfbc48e8feaaefdc2e74a725b5ee93cd118fef1aad3802b2f30f880487c55
- Filesize 128KB
  MD5 02770ec1a321e19ddd06cdb29d69ffe3
  SHA1 d51b0b4d5de7a3c64dd320cfddd06614a2ab7af2
  SHA256 72424cc8831eccd132639f5a2b6541c9bb2d638baf4397186a984bc353b7b579
  SHA512 d816faa1abdee5c0879a4240b30abd156962a5dabb6d072bfcb84aae1d69d8c50ad8f8519db1db9a6fbdeee8a10c643f110800aed1c84957573501bcae178d4f
- Filesize 1.4MB
  MD5 d6b05020d4a0ec2a3a8b687099e335df
  SHA1 df239d830ebcd1cde5c68c46a7b76dad49d415f4
  SHA256 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
  SHA512 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff
- Filesize 145KB
  MD5 c9507bc981d027da82011957485749bd
  SHA1 2bc0b5a4948039fa6ed5b85f1d3700396f0ac4db
  SHA256 841207a3b710c1413bba975b183878053841e5f2ea64f33d622460549ef4360b
  SHA512 b9c2c4bdad1fc482d81eafea8dc0ef713471ab968dad569084ab70a07d34bbdd41662bd70479663b3b27d000185989f1d48627ba194acacc5a1ef04f8d6870fc
- Filesize 145KB
  MD5 5a38cc5306fd2f6c6bb566f4c48bf4a0
  SHA1 f8b31c96b1bc8ac0be33b6cb9cda26d6b034f165
  SHA256 aff3aa590488cbe8f966fe484a0dbe5dd37241a142f12364bd50b86c1713e3c7
  SHA512 7e7ce6de1f14cfc2b4912dfabc1c280985111229b278e05a75c8ca0f6d9457b02eb02710853479e7566bb45a66003a7d55df24d1a8c3a59aff83695bf09bdb56
- Filesize 145KB
  MD5 c824619f34e794bb0775397576b58737
  SHA1 91ef27688e4943faf219a5a597535b9f35268a4d
  SHA256 23f4fdc8a856203bf13c721e704c8afc0f65458fdfd890d20aa755d4af5c9037
  SHA512 b79856f6d6465610c6bad096cf24d69f8186f1fd7551538296a0be7aa4ef69c7755fc9aa7a77048c147e8f9037de4e071930e134794956ae7b5baaeca9010b1e
-
Filesize
145KB
MD5e59d46ad56d9bc203ff9f513bd933631
SHA1d79423bd7d5bc18aa89ebc8eefc8bc942f2176b2
SHA2568da15410ad5e8f8d96306ae069be3a58f3e7a5cbe2c7886ff075b60d71c7fb1a
SHA5128c1c7d3c10e3b68392c917be9c5ff4fbebef17973b9560530efdff7b42c7fd20639fbd9980f8f4d9f7bb94d87f54c9373fe99332dccb57a65d0ee84c86573b39
-
Filesize
145KB
MD57293de8d455547acf064895c2ae3f6a0
SHA1ceafaf5cd50c38beda48e33806d021e9e3cde8cc
SHA256dd3fabc24c407b50fb49f60b224927809848d4328db567c1d37d016593e6447f
SHA5124b741fd0dd94a32e30da7b5ccdb391fbe72a093bdca60efcace1a69b0be09b5d050628eaa5fbdbcb5107fa83901c1f7c9e49a5c1d4f4c13d7594ca1b7b0a4508
-
Filesize
145KB
MD56b9438734a95bb6015bcdd55f10823bf
SHA1ea7beadef020b13106a563776f69bb9649d52162
SHA256f15e4d241a0561cf731aefdad0748839ce70eb795afb9a5be186a2ebe471dd83
SHA512cd965d4f83b0172d61d9ec8a045d0d2bd17558206860a9c8b39607e24a1d36f9dba27b6a4514c1ddec94a2c04e9ada9e71200a158d19e75365178659e6329b5c
-
Filesize
145KB
MD5f87361bce6160b18368208e13a7b0faa
SHA15905a2c4d1cca58ce4d9f121d9753cdde4dde174
SHA25671c828fbc172ab3fa5c2aae65896dbd20096f9c6c1942890bc12f8be5cf494a9
SHA512787a1b65f0cd5f6aafbc3649561d1475d00027d950a344369064aa4a19199a257a40f9251d750caa59cdd3ed213085fd166c958abee8e5f6e46db758003682cc
-
Filesize
65B
MD564acfa7e03b01f48294cf30d201a0026
SHA110facd995b38a095f30b4a800fa454c0bcbf8438
SHA256ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA51265a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a
-
Filesize
145KB
MD57d6c6e4b4f05c5df7686c20deb07e8e7
SHA155b9382d83b12dbef782ada33ec1ea981f298419
SHA25672fec5c7d15b13c32c5cc1de3baffa28e2b23251fa9cdfddfe0d811b529c1cd4
SHA512cc3ba46e7beac4497fe5ed49959a4524e3cc4e67f54d367e9eff649fcac72ca0770e142d0eedd2d9d9e1e2307ebc78c4d33392284c6df9518313248bc2304bee
-
Filesize
145KB
MD5b4b0b145dd8143af911d7fb35524a6cb
SHA1cdf3b65281a22165ce240fe7475119d082facb89
SHA256924ead6b4f68259243dbed55b80e6ff627cdd2d87461478f3307fb07aad6fc78
SHA51257cf7678b50a236eb0f89549d162b42ade6985aedf2d7c5eef7cf1d01336447e77e82aed4f4851393555acfa99c68833a80ec1f02d716f2259547ee6b723891e
-
Filesize
145KB
MD54b5538130b031062f82947403b9cb9d3
SHA1ca29a91fb5ddf4414f34469a359523f9d8715fe7
SHA25606fd06548b9f40a582a01e63e1cb4aa4f712247fb2887c344553828ae6e9d83d
SHA512a8106ac10d6a69e89ce0fd88800b7b8b41f95f995e28b24d009e9231dd405b5e795d28a19b60151c63e150ba36a859827f3658d800c29403d3c5a3261d7718f9
-
Filesize
145KB
MD5163a4e40fe2fbbef5c322cbfd26aa0bf
SHA1a48278bba568f025164eb7632eede4ebe15681ed
SHA2567beb1cf4ae9e7b360af6a5cb4ab68fa0d725c4783460b4d99bb8c5fb357c66b0
SHA51289a4048307ae5b7d2b3684a1542952f65c5031830c0a53a17e9c43015eb195be626d04f0b295cfefc4845d58c4c038a6a256b45da1d99cbdecf983be66d73c7f
-
Filesize
145KB
MD5a2c1369c97dc52cc118434b3e077f5b4
SHA1f66e9efe96a59a1956eefb151a8b1ee467e5fe7b
SHA2567b1505c50d3453c18c381b505fe5cfd861d906fd1b1609b6a89f826035f662f3
SHA512da6b4abc636ef4e5ca967ab0d393463a80b092f39554dd6e54019b2c433de09da3d7122d06dee8961647af09052e8abd0acdf6e3f082e850591acac3d7581023
-
Filesize
145KB
MD521b0e664fdf04122801e4ff76652ec77
SHA12027555262ae351f1ec7863e6b05e239441a23ba
SHA256143c54b89586a08ac734dd66ea449b180aa3089fba1cf5cf0acbfdb2739a0ffa
SHA51296bdb1038b32236de71b700024ce0d8c6e334c0f98848f9292fcc1e18e3c94bffd192e801d403499bdb2689aa3b0a17d80ec11164ad920d52890e29a7fb83af2
-
Filesize
145KB
MD52fd5b59c2ef085d3a83cb24371360fd2
SHA112fa8fe4474e063eb5dc8bea2cd74f591eefe87b
SHA2568017052e03410378ae138abfe646da642cb433119207f78ad6e8fb36f24a621b
SHA5121fc4a0f45c5bbeb9b61b34ffb59b0224f28bda969652b2d22107f5bb24e8a574bdcaa54d3192358b5b713f91cf070c66f3b61512f6c7ff238b6413158b2362a9
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
145KB
MD58bcd1688202333e3f0708c8330394e78
SHA1b00916f676da65ed698aa5a66fc74023baaadda0
SHA2568197ceb951644b233a7b0ba93c1c9ece36e17f305e5aed568cb287f89b24f649
SHA51246b75a316f1a124720649c7819b1c9cd4346e3e93f63d37104afebfed48464346324bac015d566653d81e6b2af665767a972969b6e7e237dfe40ee09e30a94ed