Malware Analysis Report

2024-09-23 04:45

Sample ID 240614-ay3lqs1gpn
Target 7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c
SHA256 7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c
Tags
evasion persistence ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c

Threat Level: Known bad

The file 7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c was found to be: Known bad.

Malicious Activity Summary

evasion persistence ransomware trojan

Modifies visibility of file extensions in Explorer

UAC bypass

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Disables RegEdit via registry modification

Disables use of System Restore points

Sets file execution options in registry

Drops file in Drivers directory

Executes dropped EXE

Loads dropped DLL

Drops desktop.ini file(s)

Enumerates connected drives

Adds Run key to start application

Checks whether UAC is enabled

Drops file in System32 directory

Sets desktop wallpaper using registry

Drops autorun.inf file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Modifies Control Panel

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Runs ping.exe

System policy modification

Modifies registry class

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 00:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 00:38

Reported

2024-06-14 00:40

Platform

win7-20240419-en

Max time kernel

149s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A

Disables use of System Restore points

evasion

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\SysWOW64\drivers\system32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 14 - 6 - 2024\\Gaara.exe" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 14 - 6 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "14-6-2024.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 14 - 6 - 2024\\smss.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 14 - 6 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 14 - 6 - 2024\\smss.exe" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 14 - 6 - 2024\\smss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 14 - 6 - 2024\\Gaara.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "14-6-2024.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "14-6-2024.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "14-6-2024.exe" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "14-6-2024.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 14 - 6 - 2024\\smss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 14 - 6 - 2024\\Gaara.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 14 - 6 - 2024\\smss.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 14 - 6 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 14 - 6 - 2024\\smss.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "14-6-2024.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\Z:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification F:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification \??\A:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created \??\B:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File created D:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\X:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\P:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File created D:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\I:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created D:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created D:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\N:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\K:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification \??\K:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File created \??\T:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created \??\V:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created \??\A:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\X:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\H:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\Z:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File created \??\I:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created \??\M:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File created \??\V:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File created \??\A:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File created \??\E:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\P:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File created \??\Q:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\I:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\A:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File created \??\M:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File created \??\E:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File created \??\R:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created \??\E:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File created \??\W:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\R:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File created \??\W:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File created \??\L:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File created \??\U:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\14-6-2024.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\14-6-2024.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\14-6-2024.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\14-6-2024.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\14-6-2024.exe C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\14-6-2024.exe C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\14-6-2024.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File created C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\system32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\system32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A (36 identical entries)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A (12 identical entries)
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A (12 identical entries)
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A (12 identical entries)
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A (12 identical entries)
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A (12 identical entries)
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A (4 identical entries)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2288 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 2640 wrote to memory of 2584 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 2640 wrote to memory of 2548 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe
PID 2548 wrote to memory of 2876 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 2548 wrote to memory of 3000 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe
PID 2548 wrote to memory of 3020 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe
PID 3020 wrote to memory of 2596 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 3020 wrote to memory of 2216 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe
PID 3020 wrote to memory of 1592 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe
PID 3020 wrote to memory of 2100 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2100 wrote to memory of 2372 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 2100 wrote to memory of 1264 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe
PID 2100 wrote to memory of 536 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe
PID 2100 wrote to memory of 600 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2100 wrote to memory of 1268 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 1268 wrote to memory of 556 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe

"C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe"

C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

Network

Country Destination Domain Proto
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp

Files

C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe

C:\Windows\system\msvbvm60.dll

\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe

C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe

C:\Windows\Fonts\The Kazekage.jpg

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\SysWOW64\14-6-2024.exe

\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe

C:\Autorun.inf

C:\Admin Games\Readme.txt

C:\Admin Games\Anbu Team Sampit (Nothing).exe

C:\Windows\SysWOW64\Desktop.ini

C:\Windows\mscomctl.ocx

C:\Windows\SysWOW64\MSCOMCTL.OCX

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 00:38

Reported

2024-06-14 00:40

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A

Disables use of System Restore points

evasion

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 14 - 6 - 2024\\smss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "14-6-2024.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 14 - 6 - 2024\\smss.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "14-6-2024.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 14 - 6 - 2024\\smss.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 14 - 6 - 2024\\smss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 14 - 6 - 2024\\Gaara.exe" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "14-6-2024.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 14 - 6 - 2024\\smss.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 14 - 6 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 14 - 6 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 14 - 6 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "14-6-2024.exe" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 14 - 6 - 2024\\Gaara.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 14 - 6 - 2024\\smss.exe" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "14-6-2024.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "14-6-2024.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 14 - 6 - 2024\\Gaara.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
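The Winlogon, Image File Execution Options and Run tables above record the same few values written over and over by each dropped copy of the sample. The following Python script is an added example, not part of the original report or of the sandbox that produced it: it parses "Set value" rows in the report's own row format and reduces them to a triage summary, showing what each IFEO Debugger value does at launch (a bare path such as drivers\Kazekage.exe is started in place of taskmgr.exe or regedit.exe with the original command line appended; "cmd.exe /c del" is run against whatever filename was launched, which deletes it), which entries were appended to the Winlogon Shell and Userinit lists, which policy values were flipped, and which Run entries were added. The sample rows are copied from the tables above; the stock Winlogon defaults (explorer.exe, userinit.exe) are assumed as the comparison baseline. One caveat worth carrying into a report: the Winlogon writes here landed under WOW6432Node because the sample is 32-bit, and the 64-bit winlogon.exe/userinit.exe read the native key, so on this x64 platform those two values are recorded but not consulted at logon, whereas the WOW6432Node Run entries are processed.

```python
"""Summarise registry tampering from sandbox "Set value" rows (added example)."""
import re

# Rows copied verbatim from this report's signature tables (constructed sample input;
# the full report repeats them for every dropped copy of the binary).
SAMPLE_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 14 - 6 - 2024\\smss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "14-6-2024.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
"""

# One "Set value" row: type, key path, quoted value, writing process, target column.
ROW_RE = re.compile(
    r'^Set value \((?:str|int)\) (?P<key>\\REGISTRY\\.+?) = "(?P<value>[^"]*)" (?P<proc>.+) N/A$'
)
WINLOGON_RE = re.compile(r"\\Winlogon\\(Shell|Userinit)$")
IFEO_RE = re.compile(r"\\Image File Execution Options\\([^\\]+)\\Debugger$")
POLICY_RE = re.compile(r"\\(EnableLUA|DisableRegistryTools|HideFileExt|ShowSuperHidden)$")
RUN_RE = re.compile(r"\\CurrentVersion\\Run\\([^\\]+)$")
WINLOGON_DEFAULTS = {"Shell": "explorer.exe", "Userinit": "userinit.exe"}  # stock Windows (assumed baseline)


def _unescape(value: str) -> str:
    # The sandbox doubles backslashes inside quoted values; restore single ones.
    return value.replace("\\\\", "\\")


def extra_winlogon_entries(name: str, value: str) -> list:
    """Entries in a comma-separated Shell/Userinit list beyond the stock default.

    Everything in these lists is launched at interactive logon, so any entry
    other than explorer.exe (Shell) or userinit.exe (Userinit) is a persistence payload.
    """
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.rsplit("\\", 1)[-1].lower() != WINLOGON_DEFAULTS[name]]


def summarise(rows_text: str) -> dict:
    """Reduce repeated 'Set value' rows to a de-duplicated tampering summary."""
    s = {
        "winlogon": {},           # Shell/Userinit -> entries appended to the default
        "winlogon_wow64": False,  # True if the write went to the WOW6432Node view
        "ifeo_redirect": {},      # image name -> binary started in its place
        "ifeo_kill": set(),       # image names whose launch runs "cmd.exe /c del <path>"
        "policy": {},             # flipped policy / Explorer values
        "run_keys": {},           # Run entry name -> command
        "writers": set(),         # every process that wrote one of these values
    }
    for line in rows_text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # "Key created" rows carry no value
        key, value, proc = m["key"], _unescape(m["value"]), m["proc"]
        s["writers"].add(proc)
        if w := WINLOGON_RE.search(key):
            s["winlogon"][w[1]] = extra_winlogon_entries(w[1], value)
            s["winlogon_wow64"] = s["winlogon_wow64"] or ("\\WOW6432Node\\" in key)
        elif i := IFEO_RE.search(key):
            # The loader runs "<Debugger> <original command line>" instead of the image:
            # "cmd.exe /c del" deletes the launched file; a bare path substitutes it.
            if value.lower().startswith("cmd.exe /c del"):
                s["ifeo_kill"].add(i[1])
            else:
                s["ifeo_redirect"][i[1]] = value
        elif p := POLICY_RE.search(key):
            s["policy"][p[1]] = value
        elif r := RUN_RE.search(key):
            s["run_keys"][r[1]] = value
    s["ifeo_kill"] = sorted(s["ifeo_kill"])
    s["writers"] = sorted(s["writers"])
    return s


def render(s: dict) -> str:
    """Human-readable triage lines for the summary."""
    wow = " [WOW6432Node view; 64-bit winlogon reads the native key]" if s["winlogon_wow64"] else ""
    out = [f"Winlogon\\{n} gained {', '.join(x)}{wow}" for n, x in sorted(s["winlogon"].items())]
    out += [f"launching {img} now starts {dbg}" for img, dbg in sorted(s["ifeo_redirect"].items())]
    if s["ifeo_kill"]:
        out.append("deleted on launch: " + ", ".join(s["ifeo_kill"]))
    out += [f"policy {n} set to {v}" for n, v in sorted(s["policy"].items())]
    out += [f"Run\\{n} = {cmd}" for n, cmd in sorted(s["run_keys"].items())]
    out.append(f"{len(s['writers'])} distinct writer processes")
    return "\n".join(out)


if __name__ == "__main__":
    print(render(summarise(SAMPLE_ROWS)))
```

Feed it the full signature tables rather than the excerpt and the same few values come out once each, with every dropped copy of the binary listed as a writer; that is a more honest picture of the sample's persistence than the raw row count, and the IFEO kill list doubles as a list of rival-malware filenames the author wanted removed from infected hosts.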

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification D:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification F:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\drivers\system32.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification \??\G:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File created \??\P:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\I:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification D:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\U:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File created \??\X:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\E:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File created \??\P:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File created \??\K:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created \??\N:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File created \??\T:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created \??\L:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File created \??\A:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created \??\J:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\P:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created \??\S:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File created \??\B:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\V:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification D:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created \??\U:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File created \??\U:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File created \??\T:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\A:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File created \??\E:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created \??\M:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File created \??\Q:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\L:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\S:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification F:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created \??\N:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\14-6-2024.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\14-6-2024.exe C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\14-6-2024.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File created C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\14-6-2024.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\14-6-2024.exe C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification C:\Windows\SysWOW64\14-6-2024.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\14-6-2024.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File created C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\system32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
(35 further identical entries omitted; 36 ping.exe invocations in total)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
(23 further identical entries omitted; 24 entries for this process in total)
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
(23 further identical entries omitted; 24 entries for this process in total)
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
(15 further identical entries omitted; 16 entries for this process in total)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3648 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 3648 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 3648 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 4384 wrote to memory of 4848 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 4384 wrote to memory of 4848 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 4384 wrote to memory of 4848 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 4384 wrote to memory of 3324 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe
PID 4384 wrote to memory of 3324 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe
PID 4384 wrote to memory of 3324 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe
PID 3324 wrote to memory of 4304 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 3324 wrote to memory of 4304 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 3324 wrote to memory of 4304 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 3324 wrote to memory of 2424 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe
PID 3324 wrote to memory of 2424 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe
PID 3324 wrote to memory of 2424 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe
PID 3324 wrote to memory of 4560 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe
PID 3324 wrote to memory of 4560 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe
PID 3324 wrote to memory of 4560 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe
PID 4560 wrote to memory of 4916 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 4560 wrote to memory of 4916 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 4560 wrote to memory of 4916 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 4560 wrote to memory of 748 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe
PID 4560 wrote to memory of 748 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe
PID 4560 wrote to memory of 748 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe
PID 4560 wrote to memory of 5032 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe
PID 4560 wrote to memory of 5032 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe
PID 4560 wrote to memory of 5032 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe
PID 4560 wrote to memory of 3304 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 4560 wrote to memory of 3304 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 4560 wrote to memory of 3304 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3304 wrote to memory of 2696 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 3304 wrote to memory of 2696 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 3304 wrote to memory of 2696 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 3304 wrote to memory of 4372 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe
PID 3304 wrote to memory of 4372 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe
PID 3304 wrote to memory of 4372 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe
PID 3304 wrote to memory of 1064 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe
PID 3304 wrote to memory of 1064 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe
PID 3304 wrote to memory of 1064 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe
PID 3304 wrote to memory of 3500 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3304 wrote to memory of 3500 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3304 wrote to memory of 3500 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3304 wrote to memory of 4992 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3304 wrote to memory of 4992 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3304 wrote to memory of 4992 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 4992 wrote to memory of 5008 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 4992 wrote to memory of 5008 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 4992 wrote to memory of 5008 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 4992 wrote to memory of 1576 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe
PID 4992 wrote to memory of 1576 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe
PID 4992 wrote to memory of 1576 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe
PID 4992 wrote to memory of 1592 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe
PID 4992 wrote to memory of 1592 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe
PID 4992 wrote to memory of 1592 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe
PID 4992 wrote to memory of 2868 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 4992 wrote to memory of 2868 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 4992 wrote to memory of 2868 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 4992 wrote to memory of 1492 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 4992 wrote to memory of 1492 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 4992 wrote to memory of 1492 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 4560 wrote to memory of 2380 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 4560 wrote to memory of 2380 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 4560 wrote to memory of 2380 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3324 wrote to memory of 4532 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe

"C:\Users\Admin\AppData\Local\Temp\7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c.exe"

C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe"

C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp

Files

memory/3648-0-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\System\msvbvm60.dll

MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe

MD5 7bcd5dcc40b376224b2e749b4314a21e
SHA1 31e63deaec58f37bd8df8aa022e4173d72a5762d
SHA256 1c9e071b10e9ec3ac3f850df752bcd9fa9686b4e83b27e1f9b23bb566bf29e9a
SHA512 a821a01c5e474e7d8bdec808ac6906c7bcbadc02fe7b7c1f3e2fc246ae3b56e981820350c3c51dedbc5bf53f5d4ca25ac5e27256e7b9b0dedb7ce32d94081bd9

memory/4384-34-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

MD5 d6b05020d4a0ec2a3a8b687099e335df
SHA1 df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA512 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

C:\Windows\SysWOW64\14-6-2024.exe

MD5 63964d1ac9b93cba982d8c12f5deb60d
SHA1 5fc2813a6fa02e57f7867310aafc8893a90486b5
SHA256 b0e937911b2670b08c04d668cd8f04a4b50d808dd5a8db5a77673f2d4cc87803
SHA512 4bc78516fdb2223f900b8f553bee2e75d612df40ccc5b6b1e4dfd885a7d1d129427ebf111794298b10e8b93d7e18a0fa4852292adbd6e36ccc99602caec0d9db

C:\Windows\SysWOW64\drivers\system32.exe

MD5 09270a7ea5765a642259a7ca30be4633
SHA1 daededc44b0e865c1e60b36583ed73d5e27ff436
SHA256 830065ed9646576060e16a0b7e5d428c5e79c141dbb640de7396622c1a81c656
SHA512 6532d8c378857700a2c7ff3f7698ff32b5d6cae9863a44055fe3bd575606379d524bae462b740da054e3127a512cd679f2a987a34cb63899ed78488bcf45fc23

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 79bc835c4025795d03b09dc17f4a03d2
SHA1 cc316ce01c430923cbca9cefe46b2d8ea3515fe3
SHA256 cc768b7b2fde84f8eeac3ffd5ab915f05a9975f27b8a85cce4d9bce7b3d07448
SHA512 f4c46041e58b0e96753773bf6ddbf40a8cd6e698a5b01c48b6ba6f9b9af74a7737112a23064376047f25795cc5b1dd97700941e43aa121e7c57163754b06360f

C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe

MD5 14dd6251149d0b8268527f1c22f893b5
SHA1 a43b72c0ac59ee1cd9cf7d2a9c342dbb6e3473c9
SHA256 d3c14d6bf66d548b68205a43c37b26c1a0ab4e909394e9057a05e00fe4fd4908
SHA512 e60b775a2cef9e26169e828ee03a11463452b405aa79d4afc2dec1b3d77554c383308387d26e4b63f993bebd7288996ecdb1f4f346ed24856ef57efaefbc152e

C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe

MD5 8f02e5c8408f4287757884d07de1218f
SHA1 2ba5d3a98abae1c87c9179d17a378980df8e7396
SHA256 c2d206a799c4e6a516b4d82ab4c2229aee0118b209949d0ac1b3db02276b0ab8
SHA512 7acc69c18c3552bfea678eae5ac48ca61f57adff0b6b2018e235e0203bc2ced62dfdbda8a7baed32eb3997f7ddd6b4aab841c5ae69d0a5d339a8b6d8edd86f21

memory/4848-72-0x0000000000400000-0x0000000000425000-memory.dmp

memory/4848-75-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3324-78-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\drivers\system32.exe

MD5 f2b3b6e6367516b1e767a161f5887852
SHA1 43b6d5a6bffad6ba4529f6b8a3b26b3f6912a456
SHA256 3a05a15914105e88321f85a799738206c0071729b157d95512b86da574226a62
SHA512 dab32d630585dc76f9d39ffe137e1302c27d0c2c46aa2571cffbe0911c692e0cda86a14ff0a0d32bd8f0ba7ef494adb6aaf1b0951d5cfcfc089a0ac19eb70879

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 715cf8ea40c25e8e7dc95fae1de5517e
SHA1 6e1454277613a414e95625e6f87603b357ad59f0
SHA256 2fc0df9a937a4d2e1693b707274e0e7f88280606d8fe32600fa24e70eafda8c4
SHA512 6b9354ad91fdb59dd760c6c31be9c1a85b6ebd3b7f8ae797584b2642e0b691b602ea63ac6a17150694f48faba259633acda177a9302af37a7cc047b24506043c

C:\Windows\SysWOW64\14-6-2024.exe

MD5 d476b91e8d6297a11aca3b11b638f3c8
SHA1 98704ce50770ddf949238c17e6c26c7718ca79f7
SHA256 33dc2464a89793e10beac701e7cec1528fdab24d3d07165e1a411ac719e5a7f7
SHA512 ed27618efebd17da0400e50c0b0b1ab43a4bc0c4070be90df104e9ff8ef2b4fa5f079dbd284c8449408c31d34a5c106fbaae48ce7d62027137c146ba34db0014

C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe

MD5 a9c58f67953158c792b60f3e67ca5730
SHA1 46a7e9e9233f371a3d8864054b5124c39680f595
SHA256 c49560d3857dba715c42b0f97a3e603b69e8372d2fa0c659b0015fc141cf1c5c
SHA512 0499a0ff92c1e15d0b10ea130ba00bc3485864cdb128b3328d99d7c67fe692aeaebaecfc796a69e2df0925831722582236ea4845f98e59fcde95307c49b8d429

memory/4304-109-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2424-118-0x0000000000400000-0x0000000000425000-memory.dmp

memory/4560-120-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\SysWOW64\drivers\system32.exe

MD5 58a15bbd0e7081aae54e29cb87cde968
SHA1 b5565f681614089f7d624779db0541f94951904e
SHA256 59e4e9476e31265945fd50a1dd8a39d4551b6324fa4a01c87d6c5523cdc25413
SHA512 5b4647a6888c362f946e1ded168c8a3abf11bedf933717dae83448285e01e214b8cc3671310036a4ab148c0f271012643ff90522af44888b31e044b5c28f214d

C:\Windows\msvbvm60.dll

MD5 40341a458ab9824c8c1ea123df636617
SHA1 a4636c3fafbb4d74f9e354339c18316071fab9f0
SHA256 6d5961fa8a57dcff0831179523137077fe98496f676acfb197ea913acf6d73b9
SHA512 c51c11bd546ae36ce2aff91752e3ebcd87b0416764f800c788eb4992de220d313538a03c4b17c10ff27ecce00c21359711b972b2183bc72e1978039c9ab504c1

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 349dfb960651c4005f7e57d9c5865ddb
SHA1 13a44073be2fa29d85933a0cd6f090f23a834c63
SHA256 efc7ce50c5915b63e88c6fafc035bc8816e1eca70c33ef7781c86ff7f64d1062
SHA512 fcfcd0dd4f1755adf2e10c43ba374f98e91a2b45f0ea7e2fcd24942dc9b8ed4070680520771d722165f088f4c9d077cff18715823d26f1646a92c99228428878

C:\Windows\SysWOW64\14-6-2024.exe

MD5 d1e010dfe6f66f305f673e34fdfeea0b
SHA1 21ce5adca08e33204fcc3e49cb7df82268f44741
SHA256 55318740833d69e56b4435ac3edd00541ed8451cfa678573c77ef1f3553ffcfc
SHA512 598400cb66f70ec9af70cf34eb9307ba3e3a74a2b0f09a725783f43b3fe68dbd9439dece3d610b704cacda58c7f4ce2c44c6d2ca0229f7009a36e6815e283c28

memory/4916-152-0x0000000000400000-0x0000000000425000-memory.dmp

memory/748-157-0x0000000000400000-0x0000000000425000-memory.dmp

memory/5032-158-0x0000000000400000-0x0000000000425000-memory.dmp

memory/5032-162-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3304-164-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\SysWOW64\drivers\system32.exe

MD5 8f056682994ab2c7b00c088d1630a6a8
SHA1 5f662cf48d0526f79487962c83eeca5f53ef38d1
SHA256 054b62fdc3d3a3c4b08ad5a15972ac1beea161f2d74dc98d954f798ada467919
SHA512 338bf3d5ee546e91ef576bc9242cbdfd2054982f3897c408d8db8d1272058ccf04c8aacf07f1b0176b29430bc0c92e98a04349b0fcb19702762e511ab6311565

C:\Windows\SysWOW64\14-6-2024.exe

MD5 63e75ac0d3981437099e308e238f055f
SHA1 e5a8b8e768adbe35112bee195ccb850b902c451d
SHA256 d4de80ffdb17c18cae1d24aa12b3526a64617d6ce6bef54e8bc651973d3f3eb2
SHA512 05a24d97c7c097c7aa663b1a422b7508324f625315b3f5d8c2e48543c18e72e94f59d180e4ad21dccc245a5ebf7033b0a7ad7a1fff6748fdaa42c42b50993105

memory/2696-192-0x0000000000400000-0x0000000000425000-memory.dmp

memory/4372-193-0x0000000000400000-0x0000000000425000-memory.dmp

memory/4372-198-0x0000000000400000-0x0000000000425000-memory.dmp

memory/1064-202-0x0000000000400000-0x0000000000425000-memory.dmp

memory/4992-208-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3500-207-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\SysWOW64\14-6-2024.exe

MD5 a0c87c1b4afcf88f1529d2046ac2a987
SHA1 c007f6e9bb8baeca69563a260360ae24fea3bfc1
SHA256 2047d08b6de1cbb3cea14833592576e6d36aacfd88df836b105bac8f12c1bce6
SHA512 0ce6a7b85cda2a04fe8a7e2ae3fec998ca067829a62226d354b04bd9ebb3186b223f6a5d67e2c827a8d9624ecf18bd4c183c3e9f85635efb934a832a6ae5a4d7

memory/5008-229-0x0000000000400000-0x0000000000425000-memory.dmp

memory/1576-232-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2868-236-0x0000000000400000-0x0000000000425000-memory.dmp

memory/1592-235-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2868-240-0x0000000000400000-0x0000000000425000-memory.dmp

memory/1492-239-0x0000000000400000-0x0000000000425000-memory.dmp

memory/1492-243-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2380-249-0x0000000000400000-0x0000000000425000-memory.dmp

memory/4532-252-0x0000000000400000-0x0000000000425000-memory.dmp

memory/1748-255-0x0000000000400000-0x0000000000425000-memory.dmp

memory/4880-258-0x0000000000400000-0x0000000000425000-memory.dmp

memory/4152-261-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2464-264-0x0000000000400000-0x0000000000425000-memory.dmp

memory/388-267-0x0000000000400000-0x0000000000425000-memory.dmp

memory/388-268-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3704-271-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3240-274-0x0000000000400000-0x0000000000425000-memory.dmp

memory/4476-277-0x0000000000400000-0x0000000000425000-memory.dmp

F:\Gaara.exe

MD5 ff2c6a98dd5f397a4368f02de40f5f7a
SHA1 8c2b7c89348b75aff003181945b267d37e03b149
SHA256 7ef000593eb3156d58b7393981230fd73034bd4d4b334ed9f4e75ab975a6117c
SHA512 2c18575aa2a1fc5d23729d7a49a601d1969451b26b52199ed0e064471a05d29470102906504db69f9b0e23eb510624cda2a709c745956ee870d2715d5feda851

C:\Autorun.inf

MD5 1564dfe69ffed40950e5cb644e0894d1
SHA1 201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256 be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA512 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

C:\Admin Games\Readme.txt

MD5 bb5d6abdf8d0948ac6895ce7fdfbc151
SHA1 9266b7a247a4685892197194d2b9b86c8f6dddbd
SHA256 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

C:\Windows\SysWOW64\Desktop.ini

MD5 64acfa7e03b01f48294cf30d201a0026
SHA1 10facd995b38a095f30b4a800fa454c0bcbf8438
SHA256 ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA512 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

C:\Windows\mscomctl.ocx

MD5 21c2b04c9705421218440cb8cc6032f7
SHA1 76623be13641a888211944351889d0dd297e616d
SHA256 9a948eba9cadd9d12afeb23a872f888a11daea4414c6432ce3d4de8c6f24261f
SHA512 bec565e0b53a0718fe577f1d6f3a722d5578f29682eefae9e0efbe12027bce4a54cd747948ff40fd8c7d0542beb7e7625397f5d6ca050977258fb49da59e0618

memory/3648-983-0x0000000000400000-0x0000000000425000-memory.dmp

memory/4384-984-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3324-985-0x0000000000400000-0x0000000000425000-memory.dmp

memory/4560-986-0x0000000000400000-0x0000000000425000-memory.dmp