Malware Analysis Report

2025-01-03 08:33

Sample ID 240611-bht54axhqa
Target 9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226
SHA256 9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226
Tags
evasion persistence ransomware trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226

Threat Level: Known bad

The file 9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226 was found to be: Known bad.

Malicious Activity Summary

evasion persistence ransomware trojan

Modifies visibility of hidden/system files in Explorer

UAC bypass

Modifies visibility of file extensions in Explorer

Modifies WinLogon for persistence

Disables RegEdit via registry modification

Sets file execution options in registry

Disables use of System Restore points

Drops file in Drivers directory

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Checks whether UAC is enabled

Adds Run key to start application

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

Drops file in System32 directory

Drops autorun.inf file

Drops file in Windows directory

Unsigned PE

Modifies Control Panel

Modifies registry class

Modifies Internet Explorer settings

Runs ping.exe

System policy modification

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-11 01:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 01:09

Reported

2024-06-11 01:11

Platform

win7-20231129-en

Max time kernel

149s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A

Disables use of System Restore points

evasion

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 11 - 6 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 11 - 6 - 2024\\smss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 11 - 6 - 2024\\Gaara.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 11 - 6 - 2024\\Gaara.exe" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 11 - 6 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 11 - 6 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "11-6-2024.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 11 - 6 - 2024\\smss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 11 - 6 - 2024\\Gaara.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "11-6-2024.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 11 - 6 - 2024\\smss.exe" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 11 - 6 - 2024\\smss.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "11-6-2024.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "11-6-2024.exe" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "11-6-2024.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "11-6-2024.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 11 - 6 - 2024\\smss.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 11 - 6 - 2024\\smss.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\Q:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification F:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification \??\B:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\J:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\R:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\J:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File created \??\N:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File created \??\P:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\M:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\N:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File created \??\E:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification \??\V:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File created \??\U:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File created \??\G:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\W:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File created \??\P:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File created \??\Q:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File created \??\U:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File created \??\I:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification \??\P:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File created \??\N:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\Q:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File created \??\Z:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File created \??\N:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File created \??\T:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\E:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File created \??\V:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File created \??\O:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File created \??\L:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File created \??\K:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File created \??\P:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File created \??\T:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File created \??\M:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\S:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification D:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification D:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File created \??\V:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File created \??\N:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File created \??\R:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
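The three tables above (Desktop.ini drops, drive enumeration, Autorun.inf drops) together record the sample's removable-media spreading routine: the rows show it trying drive letters A: through Z: and writing a Desktop.ini and an Autorun.inf at each root that exists. The check below is an added example, not code from the sandbox report or from the sample: it walks the mounted drive roots of a suspect host and reports both companion files with their attributes, size and write time, plus the lines in them that decide what Explorer would run or display (open=, shellexecute=, shell\...\command= and icon= in Autorun.inf; IconResource=, IconFile= and LocalizedResourceName= in Desktop.ini). The function name, the directive patterns and the output fields are this example's own choices. One caveat for triage: since Windows 7, and on XP/Vista after the 2011 AutoRun update, autorun.inf is honoured only for optical media, so on a patched host these files are evidence of which drives the worm touched rather than a working infection path for USB media.

```powershell
# Added drive-root check (editor's example, not from the sandbox report or the sample).
# File names come from the report rows; what gets extracted from them is this script's choice.

# directives that decide what Explorer would run or display for a drive root
$AutorunDirectives    = '^\s*(open|shellexecute|shell\\[^=]*\\command|icon)\s*='
$DesktopIniDirectives = '^\s*(IconResource|IconFile|LocalizedResourceName)\s*='

function Get-DriveRootFindings {
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        $root = $drive.Root                                     # e.g. "E:\"
        if (-not (Test-Path -LiteralPath $root)) { continue }  # letter without media
        foreach ($name in 'Autorun.inf', 'Desktop.ini') {
            $path = Join-Path -Path $root -ChildPath $name
            # -Force: the companion files are normally hidden+system and would be skipped otherwise
            $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
            if (-not $item) { continue }
            $pattern = if ($name -eq 'Autorun.inf') { $AutorunDirectives } else { $DesktopIniDirectives }
            $lines = @()
            # ReadAllLines ignores file attributes, so hidden/system files read fine
            try { $lines = [System.IO.File]::ReadAllLines($path) } catch { }
            [pscustomobject]@{
                Drive      = $drive.Name
                File       = $path
                Attributes = $item.Attributes
                Bytes      = $item.Length
                Written    = $item.LastWriteTime
                Directives = ($lines | Where-Object { $_ -match $pattern }) -join '; '
            }
        }
    }
}

Get-DriveRootFindings | Format-Table -AutoSize
```

Run it from an elevated prompt so that hidden and system files on every mounted volume are readable; a Desktop.ini whose IconResource points at an executable, or an Autorun.inf whose open= names a file on the same drive, is the hit to follow up with a hash of that file.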

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\11-6-2024.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\11-6-2024.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\11-6-2024.exe C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification C:\Windows\SysWOW64\11-6-2024.exe C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification C:\Windows\SysWOW64\11-6-2024.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification C:\Windows\SysWOW64\11-6-2024.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\11-6-2024.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
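The Process and Indicator columns of this table and the ones before it give the sample's on-disk footprint: three executables under C:\Windows\Fonts\Admin 11 - 6 - 2024\ (Gaara.exe, plus smss.exe and csrss.exe, named after Windows system processes), Kazekage.exe and system32.exe under SysWOW64\drivers\, 11-6-2024.exe and a Desktop.ini in SysWOW64 itself, and msvbvm60.dll (the VB6 runtime) and mscomctl.ocx rewritten there. All drops land in SysWOW64 because the sample is a 32-bit process and that is its view of System32. The check below is an added example, not code from the report or the sample: instead of hard-coding the Fonts subdirectory name, which embeds the victim's user name and the infection date, it treats any .exe under Fonts\ or directly under drivers\ as suspect (neither directory normally holds executables; that rule is this example's own heuristic), hashes every hit against the report's SHA256, and reports the Authenticode status of the runtime files the sample overwrites. The function name and output fields are likewise the example's own.

```powershell
# Added dropped-file check (editor's example, not from the sandbox report or the sample).
# The hash and file names come from the report; the "no .exe belongs under Fonts\ or
# drivers\" rule and the output layout are this script's own assumptions.

$ReportSha256 = '9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226'
$Win   = $env:SystemRoot
# a 32-bit process sees System32 as SysWOW64 on 64-bit Windows; that is where the report's drops landed
$Sys32 = if ([Environment]::Is64BitOperatingSystem) { "$Win\SysWOW64" } else { "$Win\System32" }

function Get-DroppedFileFindings {
    $paths = New-Object System.Collections.Generic.List[string]
    # any executable under Fonts\ (recursively) or directly in drivers\ is anomalous
    Get-ChildItem -LiteralPath "$Win\Fonts" -Recurse -Force -Filter *.exe -ErrorAction SilentlyContinue |
        ForEach-Object { $paths.Add($_.FullName) }
    Get-ChildItem -LiteralPath "$Sys32\drivers" -Force -Filter *.exe -ErrorAction SilentlyContinue |
        ForEach-Object { $paths.Add($_.FullName) }
    # exact names from the report, plus the runtime files it rewrites
    foreach ($n in '11-6-2024.exe', 'Desktop.ini', 'msvbvm60.dll', 'mscomctl.ocx') { $paths.Add("$Sys32\$n") }
    $paths.Add("$Win\Fonts\The Kazekage.jpg")

    foreach ($path in ($paths | Select-Object -Unique)) {
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        [pscustomobject]@{
            Path         = $path
            Bytes        = $item.Length
            Written      = $item.LastWriteTime
            Sha256       = $hash
            IsReportHash = ($hash -ieq $ReportSha256)
            # the genuine Microsoft runtime files are signed; the report tags the sample "Unsigned PE"
            Signature    = $sig.Status
            Signer       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

Get-DroppedFileFindings | Format-Table -AutoSize
```

On a clean host the only rows are msvbvm60.dll and mscomctl.ocx with a Valid Microsoft signature; a NotSigned status on either, or any row at all under Fonts\ or drivers\, is worth pulling for analysis even when the hash does not match this sample, since the copies carry different names and may differ from the submitted file.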

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
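The registry rows in the Run-key table, the EnableLUA table and the wallpaper table above can be checked on a suspect host with the script below, an added example by the editor and not code from the sandbox report or the sample. Two points the rows themselves establish: the sample is 32-bit, so its Run values land under Wow6432Node through the registry redirector (64-bit Explorer processes both Run keys at logon, so the entries still fire), while the EnableLUA write has no Wow6432Node path because Policies is a shared, non-redirected key; and the rows the sandbox labels "Checks whether UAC is enabled" are Set value operations writing EnableLUA = 0, which switches UAC off after the next restart rather than merely reading its state. The script looks for the four value names the report records (SystemRun, FreeAV, DesertSand, 644r4), flags any Run entry whose image path is relative (the sample's values are "drivers\csrss.exe", "Fonts\Admin 11 - 6 - 2024\Gaara.exe" and "11-6-2024.exe"; the relative-path rule is this example's heuristic), reads EnableLUA, and checks the wallpaper value of every loaded user hive for an image under Fonts\. Function names and output fields are the example's own.

```powershell
# Added host-triage example (editor's code, not from the sandbox report or the sample).
# Value names, key paths and the wallpaper location come from the report rows;
# the relative-path heuristic and the output layout are this script's own assumptions.

$RunValueNames = 'SystemRun', 'FreeAV', 'DesertSand', '644r4'      # names written by the sample
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'   # where a 32-bit writer lands
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-RunKeyFindings {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }           # provider metadata, not a Run value
            $cmd = ([string]$p.Value).Trim()
            if ($cmd -eq '') { continue }
            # isolate the image path: quoted "C:\...\x.exe" args, or unquoted first token
            $exe = if ($cmd.StartsWith('"')) { $cmd.Split('"')[1] } else { $cmd.Split(' ')[0] }
            $known    = $RunValueNames -contains $p.Name
            # the sample writes relative paths; legitimate Run entries are almost always
            # fully qualified (heuristic, this example's own)
            $relative = -not [System.IO.Path]::IsPathRooted($exe)
            if ($known -or $relative) {
                [pscustomobject]@{
                    Key    = $key
                    Name   = $p.Name
                    Value  = $cmd
                    Reason = if ($known) { 'value name seen in report' } else { 'relative image path' }
                }
            }
        }
    }
}

function Get-UacState {
    # EnableLUA = 0 is a write that disables UAC after the next restart. Policies\System is
    # not redirected for 32-bit processes, so there is no Wow6432Node copy to check.
    $sys = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        EnableLUA   = $sys.EnableLUA
        UacDisabled = ($sys.EnableLUA -eq 0)
    }
}

function Get-WallpaperFindings {
    # The sample points HKU\<SID>\Control Panel\Desktop\Wallpaper at a .jpg dropped under
    # C:\Windows\Fonts. Check every loaded user hive, not just the current one.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    foreach ($hive in Get-ChildItem -Path 'HKU:\') {
        $sid = $hive.PSChildName
        if ($sid -notmatch '^S-1-5-21-\d+-\d+-\d+-\d+$') { continue }   # user hives only, skip *_Classes
        $wp = (Get-ItemProperty -LiteralPath "HKU:\$sid\Control Panel\Desktop" -ErrorAction SilentlyContinue).Wallpaper
        if ($wp -and $wp -like "$env:SystemRoot\Fonts\*") {   # an image inside Fonts\ is the report's indicator
            [pscustomobject]@{ Sid = $sid; Wallpaper = $wp }
        }
    }
}

Get-RunKeyFindings    | Format-Table -AutoSize
Get-UacState
Get-WallpaperFindings | Format-Table -AutoSize
```

Run it elevated so that HKLM and the other users' hives under HKEY_USERS are readable. A Run entry named SystemRun, FreeAV, DesertSand or 644r4 is a direct match for this sample; a relative image path with any other name still deserves a look, because the value names are trivially changed between builds while the relative-path habit is part of how the dropper is written.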

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File created C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File created C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File created C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File created C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 11 - 6 - 2024\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 11 - 6 - 2024\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File created C:\Windows\Fonts\Admin 11 - 6 - 2024\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 11 - 6 - 2024\msvbvm60.dll C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 11 - 6 - 2024\msvbvm60.dll C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 11 - 6 - 2024\msvbvm60.dll C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3044 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe
PID 3044 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe
PID 3044 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe
PID 3044 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe
PID 3032 wrote to memory of 2484 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe
PID 3032 wrote to memory of 2484 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe
PID 3032 wrote to memory of 2484 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe
PID 3032 wrote to memory of 2484 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe
PID 3032 wrote to memory of 2752 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe
PID 3032 wrote to memory of 2752 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe
PID 3032 wrote to memory of 2752 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe
PID 3032 wrote to memory of 2752 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe
PID 2752 wrote to memory of 2156 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe
PID 2752 wrote to memory of 2156 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe
PID 2752 wrote to memory of 2156 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe
PID 2752 wrote to memory of 2156 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe
PID 2752 wrote to memory of 936 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe
PID 2752 wrote to memory of 936 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe
PID 2752 wrote to memory of 936 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe
PID 2752 wrote to memory of 936 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe
PID 2752 wrote to memory of 2724 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe
PID 2752 wrote to memory of 2724 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe
PID 2752 wrote to memory of 2724 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe
PID 2752 wrote to memory of 2724 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe
PID 2724 wrote to memory of 1688 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe
PID 2724 wrote to memory of 1688 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe
PID 2724 wrote to memory of 1688 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe
PID 2724 wrote to memory of 1688 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe
PID 2724 wrote to memory of 1644 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe
PID 2724 wrote to memory of 1644 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe
PID 2724 wrote to memory of 1644 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe
PID 2724 wrote to memory of 1644 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe
PID 2724 wrote to memory of 2296 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe
PID 2724 wrote to memory of 2296 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe
PID 2724 wrote to memory of 2296 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe
PID 2724 wrote to memory of 2296 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe
PID 2724 wrote to memory of 2336 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2724 wrote to memory of 2336 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2724 wrote to memory of 2336 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2724 wrote to memory of 2336 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2336 wrote to memory of 752 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe
PID 2336 wrote to memory of 752 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe
PID 2336 wrote to memory of 752 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe
PID 2336 wrote to memory of 752 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe
PID 2336 wrote to memory of 1208 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe
PID 2336 wrote to memory of 1208 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe
PID 2336 wrote to memory of 1208 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe
PID 2336 wrote to memory of 1208 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe
PID 2336 wrote to memory of 1480 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe
PID 2336 wrote to memory of 1480 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe
PID 2336 wrote to memory of 1480 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe
PID 2336 wrote to memory of 1480 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe
PID 2336 wrote to memory of 588 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2336 wrote to memory of 588 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2336 wrote to memory of 588 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2336 wrote to memory of 588 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2336 wrote to memory of 2252 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2336 wrote to memory of 2252 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2336 wrote to memory of 2252 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2336 wrote to memory of 2252 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2252 wrote to memory of 1868 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe
PID 2252 wrote to memory of 1868 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe
PID 2252 wrote to memory of 1868 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe
PID 2252 wrote to memory of 1868 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe

"C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe"

C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe"

C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

Network

Country Destination Domain Proto
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 01:09

Reported

2024-06-11 01:11

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A

Disables use of System Restore points

evasion

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\SysWOW64\drivers\system32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 11 - 6 - 2024\\smss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 11 - 6 - 2024\\Gaara.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 11 - 6 - 2024\\smss.exe" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "11-6-2024.exe" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 11 - 6 - 2024\\Gaara.exe" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 11 - 6 - 2024\\Gaara.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "11-6-2024.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 11 - 6 - 2024\\smss.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 11 - 6 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 11 - 6 - 2024\\smss.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 11 - 6 - 2024\\smss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 11 - 6 - 2024\\smss.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 11 - 6 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "11-6-2024.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "11-6-2024.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "11-6-2024.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "11-6-2024.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 11 - 6 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification F:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\drivers\system32.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File created \??\V:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File created \??\N:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\X:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\I:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File created \??\X:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification F:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File created \??\X:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\U:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File created D:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\J:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File created \??\G:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\P:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\M:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\A:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File created \??\G:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File created \??\A:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File created D:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File created \??\X:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\P:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\V:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\P:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File created \??\K:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File created \??\S:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\G:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File created \??\O:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File created \??\V:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File created \??\T:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\A:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\S:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\T:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification \??\V:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification \??\V:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\L:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification D:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File created \??\L:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\11-6-2024.exe C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\11-6-2024.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\11-6-2024.exe C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File created C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\11-6-2024.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\11-6-2024.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\11-6-2024.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\11-6-2024.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Fonts\Admin 11 - 6 - 2024\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File created C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File created C:\Windows\Fonts\Admin 11 - 6 - 2024\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 11 - 6 - 2024\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 11 - 6 - 2024\msvbvm60.dll C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File created C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 11 - 6 - 2024\msvbvm60.dll C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 11 - 6 - 2024\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1032 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe
PID 1032 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe
PID 1032 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe
PID 700 wrote to memory of 2336 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe
PID 700 wrote to memory of 2336 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe
PID 700 wrote to memory of 2336 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe
PID 700 wrote to memory of 4524 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe
PID 700 wrote to memory of 4524 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe
PID 700 wrote to memory of 4524 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe
PID 4524 wrote to memory of 3184 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe
PID 4524 wrote to memory of 3184 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe
PID 4524 wrote to memory of 3184 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe
PID 4524 wrote to memory of 2400 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe
PID 4524 wrote to memory of 2400 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe
PID 4524 wrote to memory of 2400 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe
PID 4524 wrote to memory of 5060 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe
PID 4524 wrote to memory of 5060 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe
PID 4524 wrote to memory of 5060 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe
PID 5060 wrote to memory of 2364 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe
PID 5060 wrote to memory of 2364 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe
PID 5060 wrote to memory of 2364 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe
PID 5060 wrote to memory of 4908 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe
PID 5060 wrote to memory of 4908 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe
PID 5060 wrote to memory of 4908 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe
PID 5060 wrote to memory of 8 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe
PID 5060 wrote to memory of 8 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe
PID 5060 wrote to memory of 8 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe
PID 5060 wrote to memory of 4768 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 5060 wrote to memory of 4768 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 5060 wrote to memory of 4768 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 4768 wrote to memory of 452 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe
PID 4768 wrote to memory of 452 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe
PID 4768 wrote to memory of 452 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe
PID 4768 wrote to memory of 3484 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe
PID 4768 wrote to memory of 3484 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe
PID 4768 wrote to memory of 3484 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe
PID 4768 wrote to memory of 5044 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe
PID 4768 wrote to memory of 5044 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe
PID 4768 wrote to memory of 5044 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe
PID 4768 wrote to memory of 3512 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 4768 wrote to memory of 3512 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 4768 wrote to memory of 3512 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 4768 wrote to memory of 628 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 4768 wrote to memory of 628 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 4768 wrote to memory of 628 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 628 wrote to memory of 2868 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe
PID 628 wrote to memory of 2868 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe
PID 628 wrote to memory of 2868 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe
PID 628 wrote to memory of 1644 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe
PID 628 wrote to memory of 1644 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe
PID 628 wrote to memory of 1644 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe
PID 628 wrote to memory of 4060 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe
PID 628 wrote to memory of 4060 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe
PID 628 wrote to memory of 4060 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe
PID 628 wrote to memory of 948 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 628 wrote to memory of 948 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 628 wrote to memory of 948 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 628 wrote to memory of 3212 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 628 wrote to memory of 3212 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 628 wrote to memory of 3212 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 5060 wrote to memory of 5100 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 5060 wrote to memory of 5100 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 5060 wrote to memory of 5100 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 4524 wrote to memory of 3168 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
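
Added example, not part of the sandbox output: a short Python pass over the "wrote to memory of" rows and the System policy rows above. It rebuilds the injection fan-out per source PID (which process writes into which child, and how many times), lists the images that wrote EnableLUA = 0 (UAC is off from the next logon, so every dropper in the chain repeats the write), and flags masqueraded image paths. The row excerpts are copied from this report; the masquerading rules (a core OS process name outside System32, an executable under drivers\ or Fonts\, the directory name "system32" used as a file name) are this editor's assumptions, not sandbox signatures.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed excerpt of this report's rows (a subset; the triple write into
# PID 452 is kept because the sandbox logged it three times).
WPM_EXCERPT = r"""
PID 4768 wrote to memory of 452 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe
PID 4768 wrote to memory of 452 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe
PID 4768 wrote to memory of 452 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe
PID 4768 wrote to memory of 3484 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe
PID 4768 wrote to memory of 5044 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe
PID 4768 wrote to memory of 3512 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 4768 wrote to memory of 628 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 628 wrote to memory of 2868 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe
PID 628 wrote to memory of 948 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 5060 wrote to memory of 5100 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 4524 wrote to memory of 3168 N/A C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
"""

REG_EXCERPT = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe N/A
"""

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+)$")
SETVAL_RE = re.compile(r'^Set value \((\w+)\) (\S+) = "([^"]*)" (.+) N/A$')
DRIVE_SPLIT = re.compile(r" (?=[A-Za-z]:\\)")   # "src.exe dst.exe" -> split before the 2nd drive letter

# Editor's rules (assumptions): these names only belong in %SystemRoot%\System32,
# and no PE should land under drivers\ or Fonts\ (ATT&CK T1036 masquerading).
CORE_PROCESSES = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
                  "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM32 = r"c:\windows\system32"
DATA_ONLY_DIRS = {"drivers", "fonts"}


def parse_wpm(text):
    """Turn 'PID A wrote to memory of B N/A <src> <dst>' rows into dicts."""
    events = []
    for line in text.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        src, dst = DRIVE_SPLIT.split(m.group(3), maxsplit=1)
        events.append({"src_pid": int(m.group(1)), "dst_pid": int(m.group(2)), "src": src, "dst": dst})
    return events


def parse_regset(text):
    """Keep only 'Set value' rows; 'Key created' rows carry no value to judge."""
    rows = []
    for line in text.strip().splitlines():
        m = SETVAL_RE.match(line.strip())
        if m:
            rows.append({"type": m.group(1), "key": m.group(2), "value": m.group(3), "process": m.group(4)})
    return rows


def injection_graph(events):
    """src_pid -> {dst_pid: {'image': dst, 'writes': n}}: the fan-out shows who seeds whom."""
    graph = defaultdict(dict)
    for e in events:
        node = graph[e["src_pid"]].setdefault(e["dst_pid"], {"image": e["dst"], "writes": 0})
        node["writes"] += 1
    return dict(graph)


def uac_disablers(rows):
    """Images that wrote EnableLUA = 0 under HKLM\...\Policies\System."""
    return {r["process"] for r in rows
            if r["key"].lower().endswith(r"\policies\system\enablelua") and r["value"] == "0"}


def masquerade_reasons(image):
    """Empty list means the path looks legitimate under the rules above."""
    p = PureWindowsPath(image)
    name, parent = p.name.lower(), str(p.parent).lower()
    dirs = {part.lower() for part in p.parts[1:-1]}
    reasons = []
    if name in CORE_PROCESSES and parent != SYSTEM32:
        reasons.append("core OS process name outside System32")
    if p.suffix.lower() == ".exe" and dirs & DATA_ONLY_DIRS:
        reasons.append("executable in a data-only directory")
    if name == "system32.exe":
        reasons.append("directory name used as an executable name")
    return reasons


def flag_images(events, rows):
    """Every image seen as injector, injection target or registry writer, with its reasons."""
    images = {e["src"] for e in events} | {e["dst"] for e in events} | {r["process"] for r in rows}
    flagged = {}
    for img in sorted(images):
        reasons = masquerade_reasons(img)
        if reasons:
            flagged[img] = reasons
    return flagged


if __name__ == "__main__":
    ev, rg = parse_wpm(WPM_EXCERPT), parse_regset(REG_EXCERPT)
    for src, targets in injection_graph(ev).items():
        print(src, {dst: f"{i['writes']}x {PureWindowsPath(i['image']).name}" for dst, i in targets.items()})
    print("EnableLUA=0 written by:", sorted(uac_disablers(rg)))
    for img, why in flag_images(ev, rg).items():
        print("MASQUERADE", img, "->", "; ".join(why))
```

On the excerpt, PID 4768 (drivers\Kazekage.exe) seeds five children including a second copy of itself and drivers\system32.exe, which then seeds the same set again; the graph is the replication loop the Processes list below shows as repeated smss/Gaara/csrss/Kazekage/system32 launches. The sample in %TEMP% is the only image the rules leave unflagged.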

Processes

C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe

"C:\Users\Admin\AppData\Local\Temp\9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226.exe"

C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe"

C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 56.110.63.41.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp

Files

memory/1032-0-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\System\msvbvm60.dll

MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

C:\Windows\Fonts\Admin 11 - 6 - 2024\smss.exe

MD5 3cc3345d0e0fa624b567848bd0c4bda6
SHA1 9bf63f880feb91f87d59a60f153f346878dbe8f5
SHA256 b4beb1018317f651577cd736cfb3edeb102ad25fbc1faaf90745adde9731442c
SHA512 25d9e378925b60140d9284f6a3ea4a50120f50d97c0a64607c4565d956e7b5610d5d0e6e3bb2bef809d326120c3be7ceb9f65a32798fa314a09bc5f7b8c2e037

memory/700-32-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

MD5 d6b05020d4a0ec2a3a8b687099e335df
SHA1 df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA512 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe

MD5 bc0f24d355b1e5a54eface2fad60000a
SHA1 d7f1d1af9b0df2f9ef63402e2ee6b0fd94d5b88e
SHA256 da71a1a11b3d533b735e0254a06e97a83627ac526370a2646e544c7ee52593ed
SHA512 a3ec5907f0d8d8c39cabc982c8b91c293eef7711fee8d1064d4a93ec77e7b9d031705406f958480cc92f5a6deb1be27f65b24254ecd4b28ecbaca59b8af13543

C:\Windows\Fonts\Admin 11 - 6 - 2024\Gaara.exe

MD5 fe9923766219965aa093fcc9a8fe2ff8
SHA1 ea0064dd79936fa4466a483772e092a90a1cdc0c
SHA256 30492ebd06833118356f707567f6b925f50a7be1cf7038685d49e64dc1697b6e
SHA512 ebbe64714dd5a86f55d0d42e5a0c25a5cbff05a71a8b5b74eae93f52cb8d690efd6dfcda98571d4cbe575a6daac5e5a36495f75ff1a711f80400771b7ee8d39f

C:\Windows\SysWOW64\11-6-2024.exe

MD5 437406e37e4640a999768dd1f1bbdf5b
SHA1 befbc6822fe1760b5311cf00e4afe7669b2d004f
SHA256 80e31d61778091afe36c492920df5c4d122fa38146dc7f5df3223567d8aaf0cd
SHA512 3942fb80a6344737f8128ec13b4a08cc22ddf29ddc2ab1c680d574da41d2557ec3ae5f3a1a9b50f492e65523cb8de69444a0fe2e9d1b0dc9a3c6a696c03ec14d

C:\Windows\SysWOW64\drivers\system32.exe

MD5 147ff40775e23ed38733f01eb8c4db8a
SHA1 76ddfb339f4922242d6cafd7964fa7407ccc192b
SHA256 9c5efd54724554ee5d61cc05f9f7ad99cdb19c5f93659d97d4dd6a206ebafc1e
SHA512 906a60e5ab8707911e19e331c742ddbd89f2cb6798522537ad1e6c30aa8a6521421023660808dbc9174c4101f539456190aec42b8bc470d8292960dbe36d59c4

memory/2336-70-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 c414685f0e36b618b8b4205a4a2af7c8
SHA1 c827c2d17802b3c72375dfda8c4f292f31a6d0b9
SHA256 bdbaf1c70b305fcba455f5b230ba71f20fc04494c6ae2afee0de9b4face728b3
SHA512 6e90455c96d1adfb8507e7921862a36a1ef402af8249ca8e588bdb40503971712e9e13be3ae81a48b2ae0a095926e4b51bf94503466d4a4f54b2653e24f310de

memory/2336-75-0x0000000000400000-0x0000000000425000-memory.dmp

memory/4524-78-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\drivers\system32.exe

MD5 5b6a3270c6d25fc541d4e43ee004fd0f
SHA1 c370022b61b51bbfbc3943fe4d691f609c6353c3
SHA256 b15edf3bbb81ff0d382d5db01185d315204cf3c16ab491cb09bf030a468fe1c9
SHA512 ed070620d77c4eb51e65764fce72f098bf89e4cc309e02473bff6cda29f17bd221dd2c095f26a9387cd61479fb5b91e9afcd254f0548d9d968ae7d4052c97588

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 5e331cbcfa3b477785222605dc8bd95c
SHA1 6115e7172c1a11802b2397a96e6734527f092773
SHA256 a6321ba729fb2a206116f4d181e052f166da2c4fcd4dc65d7124cadbc1ee7d39
SHA512 9a757d28223a5b54bfddde93497bb19e92e50cdcf92237667f2ae90eefb097878d8570e9655dad483ef6367714f7678f08bf9e420ab59791bb3215160d090712

C:\Windows\SysWOW64\11-6-2024.exe

MD5 07d01bac4ffa26776f38d99c6f85753a
SHA1 609d694054d1f69121f04a9b1aa45708d98e98b0
SHA256 a8908e99215d5ff0afe9b88cccaba943cc5e4e3b887352bc7468da9e3e446a06
SHA512 3a86f932f869a4d2baa80376c9adb661cc41340f6b901ef44652338041e721b6c2616fb79dc836103930c925096aa325f9b70450126625fb4466476a51877c46

C:\Windows\Fonts\Admin 11 - 6 - 2024\csrss.exe

MD5 384077f800c243c3f2b8d77013ce22f7
SHA1 341a12c8f1c30fad50064c4809a2192c0d1c3a2b
SHA256 23f40dc57e109243d0bd9e42f337e288fc557a175db28c22017cf7a14eac1e8a
SHA512 5faebdcce284edc3e8b42c8d8a57136d4ff9badd2f39823719c212923430170034529aff7a8ce2be8ac223fcb465a4e33b8723c785a2e8a1470942e865f5d3d8

memory/3184-111-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3184-115-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2400-119-0x0000000000400000-0x0000000000425000-memory.dmp

memory/5060-121-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\SysWOW64\drivers\system32.exe

MD5 c8c5d51758c10f02ce883871d3633044
SHA1 f38ff5d76548593dd360d3ac74841c017aabb1d1
SHA256 25ae377be5d51dd18721faeefe06ee5b4bff4e49e16b3305dc1dbe691c15b440
SHA512 2d0bf447512c0b1901e345c61a843d6bbf74a9bdcef0c40952f030cf31a2934ecec88b0e2848460e3a204fdcadbe2d0cfcd25bdda2e548274531b3b9658e596f

memory/2364-151-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 1819498a25f6209cef9b9ddb3918ccae
SHA1 b77e29496f46f0298fd04d10920441b0b2192412
SHA256 3f3fcadacc281f70fdc06f0dfe0de35359d6bbd0ca2576350f446d5c4d97c703
SHA512 4a5ca27975435cf88a6d36d318466712b4d7f3c9098c9459ee0ffd620dbc20cfaa14822e7dcef09ffc11870039a7ee58274f1a3c5b971bfec04ac8b19d9edcbc

C:\Windows\SysWOW64\11-6-2024.exe

MD5 d4b922a407773c1357002481649cb0a8
SHA1 66392e09eeb61c7d25ecfce205bab3e37f71314c
SHA256 203bf9dbba89a24b45dd5b0b5a5e9dc0a171c2c6e730c51abeca7adeec781ef7
SHA512 91dfad3ed35c8fc182beb8e815cf6b2b447c82e8ba711b15418d77a148ed58ce4455baea625a450bf259fe65d9d893ff8edb76823d99d3058a95d12dca1cf778

memory/2364-154-0x0000000000400000-0x0000000000425000-memory.dmp

memory/4908-159-0x0000000000400000-0x0000000000425000-memory.dmp

memory/8-160-0x0000000000400000-0x0000000000425000-memory.dmp

memory/4768-167-0x0000000000400000-0x0000000000425000-memory.dmp

memory/8-166-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

MD5 39f79bb9bde0ce5a8e10f200d947be82
SHA1 ca9c386f064ca1ed15b1dd68c51f0ecfd6342e6d
SHA256 2f1e8342eb4b9a7a44c95bb730fafd4edafb36eeb8b81a2201ef509ab5d0ee2b
SHA512 d69b3f8a4f11ad9c5ddcb5633195cccc5c9f303531e0ec97ca7c78b47bf2413e00b2f4e72f49b9265e828d4d5d3582573b169876148b5af72f6cfd6783e3e7f8

C:\Windows\SysWOW64\drivers\system32.exe

MD5 fb6a0d8e9265180db1b9b4900c65d019
SHA1 d559fbd2139af7cf29d249592fc4f10f3bfecc93
SHA256 caf31f8d29e87e9880b14e984f5a58c70c537d5f43a407a48af325f5f2bcc174
SHA512 d6a7bc5523c423167f9ebddd10bfa764e954a221898b509287a6e590b965b26326ff22e75d4f524aa5fd6e691c588ec2f92e08889f4bab2bd4fa0bba9fa7c9b6

C:\Windows\SysWOW64\11-6-2024.exe

MD5 d158978eaeb032193222aec8b583cf51
SHA1 3edf94f423157d4a1621afe04d06485472b17992
SHA256 35e979922ea1582798089dbdc6a5bab9fc132246bfd6bf69e790e9db820504b7
SHA512 615741009c83f3d3a434b233f2f1f1b222b39fd9295e97db481cbd4ddd69684974538a5a4f661e861ba8ac1fc7153d9cde5e84d9693604e6ede1c7bdb600cd8b

memory/3484-193-0x0000000000400000-0x0000000000425000-memory.dmp

memory/452-195-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3484-201-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3512-204-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3512-207-0x0000000000400000-0x0000000000425000-memory.dmp

memory/628-211-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2868-231-0x0000000000400000-0x0000000000425000-memory.dmp

memory/1644-234-0x0000000000400000-0x0000000000425000-memory.dmp

memory/4060-237-0x0000000000400000-0x0000000000425000-memory.dmp

memory/948-240-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3212-241-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3212-244-0x0000000000400000-0x0000000000425000-memory.dmp

memory/5100-247-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3168-253-0x0000000000400000-0x0000000000425000-memory.dmp

memory/4208-256-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3720-261-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2292-264-0x0000000000400000-0x0000000000425000-memory.dmp

memory/5004-267-0x0000000000400000-0x0000000000425000-memory.dmp

memory/4596-270-0x0000000000400000-0x0000000000425000-memory.dmp

memory/400-274-0x0000000000400000-0x0000000000425000-memory.dmp

memory/1408-276-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Gaara.exe

MD5 63ea11c2736083017e033b0b1229224e
SHA1 13406b8147a1ecf8e533d44bd4a69e11dea914bd
SHA256 9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226
SHA512 b637097253e65eda6b00c74f2d08b0d3652add954597300d89c3860f126eeb6c574eac7c0e9fa4ba8a8991e418bb66b519f249bea0660859806f2c07ddd66d32

C:\Admin Games\Readme.txt

MD5 bb5d6abdf8d0948ac6895ce7fdfbc151
SHA1 9266b7a247a4685892197194d2b9b86c8f6dddbd
SHA256 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

C:\Autorun.inf

MD5 1564dfe69ffed40950e5cb644e0894d1
SHA1 201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256 be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA512 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

C:\Windows\SysWOW64\Desktop.ini

MD5 64acfa7e03b01f48294cf30d201a0026
SHA1 10facd995b38a095f30b4a800fa454c0bcbf8438
SHA256 ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA512 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

C:\Windows\SysWOW64\mscomctl.ocx

MD5 0e4b7f3c1e4f6a3dd82496e573f4a522
SHA1 c230efcdc7bffa9c2ca9dda7919dee6fc4443266
SHA256 09b32472497649321a0535557e6c0e32b506834c0a5ffe7d533e8e651f70f816
SHA512 ed38ffe50bd62f6b6b21ba46b9db1f723f0546fb64e5ec87e13e7edf36fd710f2499483d6a37a0d90c2aef7504a3637d45314633d0417e77789f52229beff6c0

memory/1032-982-0x0000000000400000-0x0000000000425000-memory.dmp

memory/700-1024-0x0000000000400000-0x0000000000425000-memory.dmp

memory/4524-1025-0x0000000000400000-0x0000000000425000-memory.dmp

memory/5060-1026-0x0000000000400000-0x0000000000425000-memory.dmp

memory/4768-1027-0x0000000000400000-0x0000000000425000-memory.dmp
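
Added example, not part of the sandbox output: a Python triage of the Files section above. It parses the path-plus-hashes layout, separates memory-dump regions from dropped files, and pulls out the facts a responder wants from the hash columns: which drop is a byte-for-byte copy of the sample (C:\Gaara.exe carries the sample's SHA256, next to C:\Autorun.inf at the drive root), which write produced a zero-byte file (the MD5 d41d8cd98f00b204e9800998ecf8427e, SHA1 da39a3ee..., SHA256 e3b0c442... triple is the empty-input digest set, so one of the three "The Kazekage.jpg" writes was empty), which paths were written more than once with different content, and whether the Visual Basic 6 runtime (msvbvm60.dll) and its common-controls library (mscomctl.ocx) were dropped alongside the payload. The excerpt is copied from this report with the SHA1/SHA512 lines omitted; the parser accepts any "ALGO hex" line.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

SAMPLE_SHA256 = "9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226"

# Digests of a zero-byte input; a drop with these was created but never filled.
EMPTY_FILE = {
    "md5": "d41d8cd98f00b204e9800998ecf8427e",
    "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}
VB6_RUNTIME = {"msvbvm60.dll", "mscomctl.ocx"}

# Constructed excerpt of this report's Files section (same layout; SHA1/SHA512 lines dropped).
FILES_EXCERPT = r"""
memory/1032-0-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\System\msvbvm60.dll

MD5 25f62c02619174b35851b0e0455b3d94
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

C:\Windows\Fonts\The Kazekage.jpg

MD5 d6b05020d4a0ec2a3a8b687099e335df
SHA256 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a

C:\Windows\Fonts\The Kazekage.jpg

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

C:\Gaara.exe

MD5 63ea11c2736083017e033b0b1229224e
SHA256 9d50365c02d24971487ff41de60c2f82af174b9767b47f5a82d297752c127226

C:\Autorun.inf

MD5 1564dfe69ffed40950e5cb644e0894d1
SHA256 be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184

C:\Windows\SysWOW64\mscomctl.ocx

MD5 0e4b7f3c1e4f6a3dd82496e573f4a522
SHA256 09b32472497649321a0535557e6c0e32b506834c0a5ffe7d533e8e651f70f816
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")


def parse_files(text):
    """One entry per path line; 'memory/...' lines are dump regions, not dropped files."""
    entries, current = [], None
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current["hashes"][m.group(1).lower()] = m.group(2)
        else:
            kind = "memdump" if line.startswith("memory/") else "file"
            current = {"path": line, "kind": kind, "hashes": {}}
            entries.append(current)
    return entries


def triage(entries, sample_sha256=SAMPLE_SHA256):
    """Hash-column facts: self-copies, empty writes, rewritten paths, VB6 runtime, autorun pairs."""
    files = [e for e in entries if e["kind"] == "file"]
    result = {
        "self_copies": sorted(e["path"] for e in files if e["hashes"].get("sha256") == sample_sha256),
        "empty_writes": sorted({e["path"] for e in files
                                if any(e["hashes"].get(a) == h for a, h in EMPTY_FILE.items())}),
        "rewritten": {p: n for p, n in Counter(e["path"] for e in files).items() if n > 1},
        "vb_runtime": sorted(e["path"] for e in files
                             if PureWindowsPath(e["path"]).name.lower() in VB6_RUNTIME),
        "autorun_pairs": [],
    }
    # Autorun.inf beside an executable in the same directory root is the removable-media lure.
    exes_by_dir = defaultdict(list)
    for e in files:
        p = PureWindowsPath(e["path"])
        if p.suffix.lower() == ".exe":
            exes_by_dir[str(p.parent).lower()].append(e["path"])
    for e in files:
        p = PureWindowsPath(e["path"])
        if p.name.lower() == "autorun.inf":
            for exe in exes_by_dir.get(str(p.parent).lower(), []):
                result["autorun_pairs"].append((e["path"], exe))
    return result


if __name__ == "__main__":
    for key, value in triage(parse_files(FILES_EXCERPT)).items():
        print(f"{key}: {value}")
```

The self-copy plus Autorun.inf pair and the VB6 runtime drops are the parts of this section worth carrying into a hunt: the SHA256 of C:\Gaara.exe is the sample itself, so any removable drive that touched the host should be checked for that pair at its root, and a VB6 runtime written to C:\Windows\System by a process that is not an installer is a strong pivot for finding other drops of the same family.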