Malware Analysis Report

2024-09-23 04:41

Sample ID 240614-ckf7pa1fnh
Target a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59
SHA256 a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59
Tags
evasion persistence ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59

Threat Level: Known bad

The file a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59 was found to be: Known bad.

Malicious Activity Summary

evasion persistence ransomware trojan

Modifies WinLogon for persistence

Modifies visibility of file extensions in Explorer

Modifies visibility of hidden/system files in Explorer

UAC bypass

Disables use of System Restore points

Drops file in Drivers directory

Sets file execution options in registry

Disables RegEdit via registry modification

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Drops desktop.ini file(s)

Enumerates connected drives

Adds Run key to start application

Sets desktop wallpaper using registry

Drops autorun.inf file

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Suspicious use of SetWindowsHookEx

System policy modification

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Runs ping.exe

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Modifies Control Panel

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 02:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 02:07

Reported

2024-06-14 02:10

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A

Disables use of System Restore points

evasion

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 14 - 6 - 2024\\smss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "14-6-2024.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 14 - 6 - 2024\\Gaara.exe" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "14-6-2024.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "14-6-2024.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "14-6-2024.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 14 - 6 - 2024\\smss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 14 - 6 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "14-6-2024.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 14 - 6 - 2024\\smss.exe" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 14 - 6 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 14 - 6 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 14 - 6 - 2024\\Gaara.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "14-6-2024.exe" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 14 - 6 - 2024\\smss.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 14 - 6 - 2024\\smss.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 14 - 6 - 2024\\smss.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 14 - 6 - 2024\\Gaara.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\E:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A

Enumerates connected drives

The sample does not query mounted volumes; it opens every letter from A: to Z: in turn and then attempts to write Desktop.ini and Autorun.inf to each root, which is why the same letters recur across the three drive tables. Hunting for this family on an endpoint therefore means looking for those two files at drive roots, not for a specific drive.

Description Indicator Process Target
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Drops autorun.inf file

Autorun.inf at the root of every reachable drive (C: and D: included, alongside the lettered volumes above) is the classic removable-media spreading vector. It only pays off on hosts where AutoRun still honours the file: since Windows 7, and on older versions after update KB971029, AutoPlay ignores autorun.inf on USB and other non-optical media, so on current systems the dropped file is an indicator rather than an execution path.

Description Indicator Process Target
File created F:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created \??\I:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification F:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File created \??\T:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File created \??\I:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File created \??\V:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File created \??\I:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\P:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File created \??\N:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\K:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\M:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\W:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File created \??\S:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File created \??\G:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification D:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File created \??\K:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File created \??\H:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created \??\V:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\L:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File created \??\E:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification F:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\V:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\W:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification \??\P:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created \??\T:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created \??\J:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created \??\O:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification D:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File created \??\Z:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File created \??\R:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\P:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\V:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\V:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created D:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File created \??\B:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File created \??\H:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
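The three tables above (EnableLUA set to 0, Run values holding relative paths, Autorun.inf written to drive roots) map directly onto endpoint telemetry. The detection logic below is an added example, not part of this report or of the sandbox's signatures: it runs four rules over constructed Sysmon-style events (dicts shaped like Event ID 13 registry value sets and Event ID 11 file creates). The image paths, registry targets and drive letters in SAMPLE_EVENTS are taken from the rows above; the two benign control events and the rule names are this example's own.

```python
"""Detection logic for behaviours recorded in the tables above: EnableLUA forced
to 0, Run values holding relative paths, Autorun.inf written to drive roots, and
executables running from Fonts or a drivers directory.  Added example, not part
of the sandbox report.  Events are constructed dicts shaped like Sysmon Event ID
13 (RegistryEvent, value set) and 11 (FileCreate)."""
import re
from collections import defaultdict

ENABLE_LUA = re.compile(r"\\Policies\\System\\EnableLUA$", re.I)
# \Run\<value> only; RunOnce is left alone because installers use it legitimately
RUN_VALUE = re.compile(r"\\CurrentVersion\\Run\\[^\\]+$", re.I)
# drive letter, UNC or %VAR% prefix; anything else resolves against the launcher's cwd
ABSOLUTE = re.compile(r"^(?:[A-Za-z]:\\|\\\\|%[^%]+%\\)")
DRIVE_ROOT_AUTORUN = re.compile(r"^[A-Za-z]:\\autorun\.inf$", re.I)
# executables living under Fonts or a drivers directory, as this sample's copies do
ODD_EXEC_DIR = re.compile(r"\\Windows\\(?:Fonts|SysWOW64\\drivers|System32\\drivers)\\.*\.exe$", re.I)


def detect(events):
    """Return (rule, image, evidence) tuples for a sequence of event dicts."""
    hits, flagged_images = [], set()
    autorun_drives = defaultdict(set)
    for ev in events:
        image = ev.get("Image", "")
        if ODD_EXEC_DIR.search(image) and image not in flagged_images:
            flagged_images.add(image)  # report each odd image once, not per event
            hits.append(("exe_in_fonts_or_drivers_dir", image, image))
        if ev["EventID"] == 13:
            target, details = ev["TargetObject"], ev.get("Details", "")
            # Sysmon renders DWORD data as "DWORD (0x00000000)"
            if ENABLE_LUA.search(target) and details.upper().endswith("(0X00000000)"):
                hits.append(("uac_admin_approval_mode_disabled", image, target))
            elif RUN_VALUE.search(target) and not ABSOLUTE.match(details.lstrip('"')):
                hits.append(("run_value_relative_path", image, f"{target} = {details}"))
        elif ev["EventID"] == 11:
            name = ev["TargetFilename"]
            if DRIVE_ROOT_AUTORUN.match(name):
                autorun_drives[image].add(name[0].upper())
    # one hit per writing process; several drives from one process is the worm pattern
    for image, drives in sorted(autorun_drives.items()):
        rule = "autorun_inf_multi_drive" if len(drives) > 1 else "autorun_inf_drive_root"
        hits.append((rule, image, ",".join(sorted(drives))))
    return hits


def rules_fired(events):
    return sorted({rule for rule, _, _ in detect(events)})


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe"
KAZEKAGE = r"C:\Windows\SysWOW64\drivers\Kazekage.exe"
SMSS = r"C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe"
SYSTEM_POLICY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"
RUN32 = r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"

# Constructed events: paths and registry data come from the report tables,
# the vendor updater and explorer events are invented benign controls.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": KAZEKAGE, "TargetObject": SYSTEM_POLICY, "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": SAMPLE, "TargetObject": RUN32 + r"\644r4", "Details": "14-6-2024.exe"},
    {"EventID": 13, "Image": SMSS, "TargetObject": RUN32 + r"\DesertSand",
     "Details": r"Fonts\Admin 14 - 6 - 2024\smss.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\Updater.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r'"C:\Program Files\Vendor\Updater.exe" /background'},
    {"EventID": 11, "Image": KAZEKAGE, "TargetFilename": r"I:\Autorun.inf"},
    {"EventID": 11, "Image": KAZEKAGE, "TargetFilename": r"Z:\Autorun.inf"},
    {"EventID": 11, "Image": SMSS, "TargetFilename": r"F:\Autorun.inf"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe", "TargetFilename": r"C:\Users\Admin\Desktop\desktop.ini"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(*hit, sep=" | ")
```

Running the block prints one line per hit. The relative-path rule deliberately ignores RunOnce and any quoted absolute command line, which is what keeps the vendor updater control quiet, and the autorun rule is raised per writing process so that one copy touching two or more drive roots stands out from a single stray write.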

Drops file in System32 directory

msvbvm60.dll is the Visual Basic 6 runtime and mscomctl.ocx the VB6 common-controls library; the sample writes both beside its own copies (here into C:\Windows\SysWOW64, the 32-bit system directory), a common way for VB6 malware to keep running on hosts that never had the runtime installed. The 14-6-2024.exe written here is the file the 644r4 Run value above points at.

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\14-6-2024.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\14-6-2024.exe C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\14-6-2024.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification C:\Windows\SysWOW64\14-6-2024.exe C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File created C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\14-6-2024.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\14-6-2024.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\14-6-2024.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A

Drops file in Windows directory

The copies written to C:\Windows\Fonts\Admin 14 - 6 - 2024\ borrow the names of core Windows processes (smss.exe, csrss.exe); the genuine ones live only in C:\Windows\System32, so any smss.exe or csrss.exe image path outside System32 is a reliable hunt query. The Kazekage.jpg created in C:\Windows\Fonts is the wallpaper set in the previous table, and msvbvm60.dll is again dropped into C:\Windows, C:\Windows\system, C:\Windows\WBEM and the Fonts subfolder.

Description Indicator Process Target
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File created C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\ C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3576 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 3576 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 3576 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 3116 wrote to memory of 1716 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 3116 wrote to memory of 1716 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 3116 wrote to memory of 1716 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 3116 wrote to memory of 4848 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe
PID 3116 wrote to memory of 4848 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe
PID 3116 wrote to memory of 4848 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe
PID 4848 wrote to memory of 2540 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 4848 wrote to memory of 2540 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 4848 wrote to memory of 2540 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 4848 wrote to memory of 1484 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe
PID 4848 wrote to memory of 1484 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe
PID 4848 wrote to memory of 1484 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe
PID 4848 wrote to memory of 3368 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe
PID 4848 wrote to memory of 3368 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe
PID 4848 wrote to memory of 3368 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe
PID 3368 wrote to memory of 800 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 3368 wrote to memory of 800 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 3368 wrote to memory of 800 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 3368 wrote to memory of 2424 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe
PID 3368 wrote to memory of 2424 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe
PID 3368 wrote to memory of 2424 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe
PID 3368 wrote to memory of 4080 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe
PID 3368 wrote to memory of 4080 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe
PID 3368 wrote to memory of 4080 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe
PID 3368 wrote to memory of 3924 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3368 wrote to memory of 3924 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3368 wrote to memory of 3924 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3924 wrote to memory of 372 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 3924 wrote to memory of 372 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 3924 wrote to memory of 372 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 3924 wrote to memory of 1188 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe
PID 3924 wrote to memory of 1188 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe
PID 3924 wrote to memory of 1188 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe
PID 3924 wrote to memory of 4692 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe
PID 3924 wrote to memory of 4692 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe
PID 3924 wrote to memory of 4692 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe
PID 3924 wrote to memory of 2156 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3924 wrote to memory of 2156 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3924 wrote to memory of 2156 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3924 wrote to memory of 3880 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3924 wrote to memory of 3880 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3924 wrote to memory of 3880 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3880 wrote to memory of 2948 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 3880 wrote to memory of 2948 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 3880 wrote to memory of 2948 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 3880 wrote to memory of 3516 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe
PID 3880 wrote to memory of 3516 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe
PID 3880 wrote to memory of 3516 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe
PID 3880 wrote to memory of 4896 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe
PID 3880 wrote to memory of 4896 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe
PID 3880 wrote to memory of 4896 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe
PID 3880 wrote to memory of 5040 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3880 wrote to memory of 5040 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3880 wrote to memory of 5040 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3880 wrote to memory of 4588 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3880 wrote to memory of 4588 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3880 wrote to memory of 4588 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3368 wrote to memory of 4912 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3368 wrote to memory of 4912 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3368 wrote to memory of 4912 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 4848 wrote to memory of 4008 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe

"C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe"

C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe"

C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

Network

Country Destination Domain Proto
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 107.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp

Files

C:\Windows\System\msvbvm60.dll

C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe

C:\Windows\Fonts\The Kazekage.jpg

C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe

C:\Windows\SysWOW64\14-6-2024.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\Fonts\The Kazekage.jpg

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\SysWOW64\14-6-2024.exe

C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\SysWOW64\14-6-2024.exe

C:\Windows\Fonts\The Kazekage.jpg

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\SysWOW64\14-6-2024.exe

C:\Autorun.inf

C:\Admin Games\Readme.txt

C:\Windows\SysWOW64\Desktop.ini

F:\Admin Games\Gaara go to Kazekage.exe

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 02:07

Reported

2024-06-14 02:10

Platform

win7-20240508-en

Max time kernel

150s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A

Disables use of System Restore points

evasion

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 14 - 6 - 2024\\smss.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 14 - 6 - 2024\\smss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 14 - 6 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "14-6-2024.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "14-6-2024.exe" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "14-6-2024.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 14 - 6 - 2024\\smss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 14 - 6 - 2024\\Gaara.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 14 - 6 - 2024\\smss.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 14 - 6 - 2024\\smss.exe" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 14 - 6 - 2024\\smss.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "14-6-2024.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 14 - 6 - 2024\\Gaara.exe" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 14 - 6 - 2024\\Gaara.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "14-6-2024.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 14 - 6 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 14 - 6 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "14-6-2024.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
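
The Image File Execution Options rows above and the Run key rows just listed are the two mechanisms worth pulling out of this report as host-check items, together with the EnableLUA and DisableRegistryTools policy rows. The Python below is an added example, not part of the sandbox report: it parses rows in the layout these tables use (description, registry path, `= "data"`, writing process, `N/A`; that layout and the doubled backslashes in the data column are inferred from this page), collects the IFEO Debugger hijacks, Run entries and policy changes into one structure, and shows what an IFEO Debugger value does at launch. Windows starts the Debugger string with the original command line appended, so a Debugger of `cmd.exe /c del` deletes the very binary the user tried to run (procexp.exe, kspool.exe, the Obito/Rin/Hokage names, which look like rival worms), while `drivers\\Kazekage.exe` runs the sample in place of taskmgr.exe, regedit.exe, regedt32.exe, msconfig.exe, mmc.exe, wscript.exe and cscript.exe. The sample rows are copied from the tables above; `SAMPLE_ROWS`, `summarize` and the other names are this example's own.

```python
import re

# Constructed input: rows copied verbatim from the signature tables in this report.
SAMPLE_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 14 - 6 - 2024\\smss.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
"""

# Row layout as printed on this page (assumed): the writing process always starts with a drive letter
# and the row always ends in " N/A", which lets registry paths and data that contain spaces be parsed.
SET_RE = re.compile(r'^Set value \((?:str|int)\) (?P<path>.+?) = "(?P<data>.*?)" (?P<proc>[A-Za-z]:\\.+?) N/A$')
KEY_RE = re.compile(r'^Key created (?P<path>.+?) (?P<proc>[A-Za-z]:\\.+?) N/A$')
IFEO_PREFIX = '\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\'
RUN_RE = re.compile(r'\\CurrentVersion\\Run\\(?P<name>[^\\]+)$')
POLICY_RE = re.compile(r'\\Policies\\System\\(?P<name>[^\\]+)$')


def to_hive_path(nt_path):
    """Translate the kernel-style path the sandbox prints into the HKLM/HKU form reg.exe uses."""
    for nt, hive in (('\\REGISTRY\\MACHINE\\', 'HKLM\\'), ('\\REGISTRY\\USER\\', 'HKU\\')):
        if nt_path.startswith(nt):
            return hive + nt_path[len(nt):]
    return nt_path


def parse_rows(text):
    """Return {'ifeo': {image: debugger|None}, 'run': {name: command}, 'policies': {hive_path: data}}."""
    out = {'ifeo': {}, 'run': {}, 'policies': {}}
    for line in text.strip().splitlines():
        m = SET_RE.match(line)
        if m:
            # The report doubles backslashes inside the data column; undo that to get the real value.
            path, data = m.group('path'), m.group('data').replace('\\\\', '\\')
            if path.startswith(IFEO_PREFIX):
                image, _, value = path[len(IFEO_PREFIX):].rpartition('\\')
                if value == 'Debugger':
                    out['ifeo'][image] = data
            elif RUN_RE.search(path):
                out['run'][RUN_RE.search(path).group('name')] = data
            elif POLICY_RE.search(path):
                out['policies'][to_hive_path(path)] = data
            continue
        m = KEY_RE.match(line)
        if m and m.group('path').startswith(IFEO_PREFIX):
            # Only the key was recorded; do not assume a Debugger value the table does not show.
            out['ifeo'].setdefault(m.group('path')[len(IFEO_PREFIX):], None)
    return out


def classify_debugger(debugger):
    """What happens when a user launches an image whose IFEO Debugger value is this string."""
    if debugger is None:
        return 'key-only'            # key exists, no Debugger value seen: launch is unaffected so far
    if debugger.lower().startswith('cmd.exe /c del'):
        return 'delete-on-launch'    # original command line is appended, so del receives the binary's own path
    return 'redirect'                # the named program runs instead of the image the user asked for


def launched_command_line(debugger, original_command_line):
    """What CreateProcess actually starts: the Debugger string with the original command line appended."""
    return f'{debugger} {original_command_line}'


def summarize(text=SAMPLE_ROWS):
    parsed = parse_rows(text)
    return {
        'ifeo': {img: (dbg, classify_debugger(dbg)) for img, dbg in sorted(parsed['ifeo'].items())},
        'run': parsed['run'],
        'policies': parsed['policies'],
    }


if __name__ == '__main__':
    s = summarize()
    for image, (dbg, kind) in s['ifeo'].items():
        print(f'IFEO {image:24} {kind:18} {dbg!r}')
    print('launch of procexp.exe becomes:', launched_command_line('cmd.exe /c del', r'C:\Tools\procexp.exe'))
    for name, cmd in s['run'].items():
        print(f'Run  {name:24} {cmd!r}')
    for path, data in s['policies'].items():
        print(f'Pol  {path} = {data}')
```

Images for which the table records only `Key created` (rstrui.exe, kspool.exe, HOKAGE4.exe and others in the rows above) come out as `key-only` rather than being assumed hijacked. Both the Debugger values and the Run values here are relative paths (`drivers\Kazekage.exe`, `Fonts\Admin 14 - 6 - 2024\smss.exe`), so where they resolve depends on the working directory of whichever process starts them; the absolute locations the sample actually wrote are the `File created` rows in the Drivers directory table. To turn the summary into a host check, query each `HKLM\...\Image File Execution Options\<image>` key for a `Debugger` value and compare the `policies` paths against their expected values (`EnableLUA` should be 1, `DisableRegistryTools` absent or 0).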

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\H:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification F:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification D:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification \??\X:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File created \??\I:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created \??\Q:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\R:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File created \??\Q:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created \??\R:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created \??\M:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\U:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\U:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File created \??\E:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\L:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\V:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\J:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification D:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File created \??\V:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File created \??\G:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File created C:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File created \??\J:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\N:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created D:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File created \??\K:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File created \??\P:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\B:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File created \??\U:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\E:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File created \??\O:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\I:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\M:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File created \??\A:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\R:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\A:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\14-6-2024.exe C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification C:\Windows\SysWOW64\14-6-2024.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\14-6-2024.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\14-6-2024.exe C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\14-6-2024.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification C:\Windows\SysWOW64\14-6-2024.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification C:\Windows\SysWOW64\14-6-2024.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\mscoree.dll C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File created C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File opened for modification C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File created C:\Windows\Fonts\Admin 14 - 6 - 2024\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\system32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1384 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 1384 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 1384 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 1384 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 1452 wrote to memory of 2700 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 1452 wrote to memory of 2700 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 1452 wrote to memory of 2700 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 1452 wrote to memory of 2700 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 1452 wrote to memory of 2588 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe
PID 1452 wrote to memory of 2588 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe
PID 1452 wrote to memory of 2588 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe
PID 1452 wrote to memory of 2588 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe
PID 2588 wrote to memory of 2600 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 2588 wrote to memory of 2600 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 2588 wrote to memory of 2600 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 2588 wrote to memory of 2600 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 2588 wrote to memory of 2620 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe
PID 2588 wrote to memory of 2620 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe
PID 2588 wrote to memory of 2620 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe
PID 2588 wrote to memory of 2620 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe
PID 2588 wrote to memory of 2856 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe
PID 2588 wrote to memory of 2856 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe
PID 2588 wrote to memory of 2856 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe
PID 2588 wrote to memory of 2856 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe
PID 2856 wrote to memory of 1688 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 2856 wrote to memory of 1688 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 2856 wrote to memory of 1688 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 2856 wrote to memory of 1688 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 2856 wrote to memory of 1508 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe
PID 2856 wrote to memory of 1508 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe
PID 2856 wrote to memory of 1508 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe
PID 2856 wrote to memory of 1508 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe
PID 2856 wrote to memory of 1480 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe
PID 2856 wrote to memory of 1480 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe
PID 2856 wrote to memory of 1480 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe
PID 2856 wrote to memory of 1480 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe
PID 2856 wrote to memory of 2300 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2856 wrote to memory of 2300 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2856 wrote to memory of 2300 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2856 wrote to memory of 2300 N/A C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2300 wrote to memory of 2304 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 2300 wrote to memory of 2304 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 2300 wrote to memory of 2304 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 2300 wrote to memory of 2304 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 2300 wrote to memory of 540 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe
PID 2300 wrote to memory of 540 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe
PID 2300 wrote to memory of 540 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe
PID 2300 wrote to memory of 540 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe
PID 2300 wrote to memory of 648 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe
PID 2300 wrote to memory of 648 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe
PID 2300 wrote to memory of 648 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe
PID 2300 wrote to memory of 648 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe
PID 2300 wrote to memory of 2940 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2300 wrote to memory of 2940 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2300 wrote to memory of 2940 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2300 wrote to memory of 2940 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2300 wrote to memory of 1568 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2300 wrote to memory of 1568 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2300 wrote to memory of 1568 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2300 wrote to memory of 1568 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 1568 wrote to memory of 1640 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 1568 wrote to memory of 1640 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 1568 wrote to memory of 1640 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe
PID 1568 wrote to memory of 1640 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe

"C:\Users\Admin\AppData\Local\Temp\a3c0c493ce3824dc77c342eccbc0cec9633e8c183e7c976b7103ce8445b33b59.exe"

C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe"

C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 14 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

Network

Country Destination Domain Proto
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp

Files
