Malware Analysis Report

2025-03-15 08:22

Sample ID 241020-2wr6rsxajr
Target 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34
SHA256 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34
Tags
discovery evasion persistence ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34

Threat Level: Known bad

The file 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34 was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence ransomware trojan

UAC bypass

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

Modifies visibility of file extensions in Explorer

Disables use of System Restore points

Disables RegEdit via registry modification

Event Triggered Execution: Image File Execution Options Injection

Drops file in Drivers directory

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Enumerates connected drives

Drops desktop.ini file(s)

Adds Run key to start application

Drops file in System32 directory

Drops autorun.inf file

Sets desktop wallpaper using registry

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

System Network Configuration Discovery: Internet Connection Discovery

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

Modifies Control Panel

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-20 22:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-20 22:56

Reported

2024-10-20 22:58

Platform

win7-20241010-en

Max time kernel

149s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A

Disables use of System Restore points

evasion

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\G:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification C:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification D:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File created \??\W:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification D:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created \??\O:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created \??\T:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created \??\L:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\T:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\R:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\S:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\H:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created \??\Q:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\V:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File created \??\Q:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created \??\E:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created \??\E:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\K:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\M:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File created \??\T:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File created \??\B:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\U:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File created \??\M:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification D:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\K:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created \??\Q:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File created \??\X:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File created \??\P:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created \??\M:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\L:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\N:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\R:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification F:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created \??\K:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created \??\J:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\U:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File created \??\E:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created \??\S:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created \??\I:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\K:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\T:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\20-10-2024.exe C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification C:\Windows\SysWOW64\20-10-2024.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\20-10-2024.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\20-10-2024.exe C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\20-10-2024.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File created C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\20-10-2024.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\20-10-2024.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File created C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification C:\Windows\ C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A (33 identical events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A (6 identical events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A (6 identical events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A (6 identical events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A (6 identical events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A (6 identical events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A (34 identical events)

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\system32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2956 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2956 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2956 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2956 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2724 wrote to memory of 2900 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2724 wrote to memory of 2900 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2724 wrote to memory of 2900 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2724 wrote to memory of 2900 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2724 wrote to memory of 528 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2724 wrote to memory of 528 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2724 wrote to memory of 528 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2724 wrote to memory of 528 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 528 wrote to memory of 1268 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 528 wrote to memory of 1268 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 528 wrote to memory of 1268 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 528 wrote to memory of 1268 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 528 wrote to memory of 2520 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 528 wrote to memory of 2520 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 528 wrote to memory of 2520 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 528 wrote to memory of 2520 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 528 wrote to memory of 3056 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 528 wrote to memory of 3056 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 528 wrote to memory of 3056 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 528 wrote to memory of 3056 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 3056 wrote to memory of 2492 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 3056 wrote to memory of 2492 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 3056 wrote to memory of 2492 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 3056 wrote to memory of 2492 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 3056 wrote to memory of 2032 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 3056 wrote to memory of 2032 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 3056 wrote to memory of 2032 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 3056 wrote to memory of 2032 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 3056 wrote to memory of 1988 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 3056 wrote to memory of 1988 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 3056 wrote to memory of 1988 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 3056 wrote to memory of 1988 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 3056 wrote to memory of 2316 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3056 wrote to memory of 2316 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3056 wrote to memory of 2316 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3056 wrote to memory of 2316 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2316 wrote to memory of 1760 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2316 wrote to memory of 1760 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2316 wrote to memory of 1760 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2316 wrote to memory of 1760 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2316 wrote to memory of 872 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2316 wrote to memory of 872 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2316 wrote to memory of 872 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2316 wrote to memory of 872 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2316 wrote to memory of 1848 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 2316 wrote to memory of 1848 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 2316 wrote to memory of 1848 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 2316 wrote to memory of 1848 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 2316 wrote to memory of 2180 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2316 wrote to memory of 2180 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2316 wrote to memory of 2180 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2316 wrote to memory of 2180 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2316 wrote to memory of 1068 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2316 wrote to memory of 1068 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2316 wrote to memory of 1068 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2316 wrote to memory of 1068 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 1068 wrote to memory of 1652 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 1068 wrote to memory of 1652 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 1068 wrote to memory of 1652 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 1068 wrote to memory of 1652 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
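Every parent/child pair in the table above is listed four times, once per WriteProcessMemory call the sandbox hooked, and every target is one of the sample's own dropped copies (smss.exe, Gaara.exe, csrss.exe, Kazekage.exe, system32.exe), so the rows read as the worm's spawn chain rather than injection into unrelated processes. The script below is an added example, not code from the report or from the sandbox vendor: it deduplicates the rows into parent-to-child edges, keeps the repeat count, and renders the lineage with the generation depth. The PIDs and image paths are copied from the table; most of the repeated rows are trimmed from the embedded input to keep it short.

```python
"""Rebuild a process tree from sandbox rows of the form
   PID <parent> wrote to memory of <child> N/A <parent image> <child image>
Added example; the rows below are copied from the report (repeats trimmed)."""
import re
from collections import defaultdict
from ntpath import basename  # splits backslash paths correctly on any host

ROWS = r"""
PID 2956 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2956 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2956 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2956 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2724 wrote to memory of 2900 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2724 wrote to memory of 528 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 528 wrote to memory of 1268 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 528 wrote to memory of 2520 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 528 wrote to memory of 3056 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 3056 wrote to memory of 2492 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 3056 wrote to memory of 2032 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 3056 wrote to memory of 1988 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 3056 wrote to memory of 2316 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2316 wrote to memory of 1760 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2316 wrote to memory of 872 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2316 wrote to memory of 1848 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 2316 wrote to memory of 2180 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2316 wrote to memory of 1068 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 1068 wrote to memory of 1652 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
"""

# Both image paths contain spaces, so the split relies on the second path
# starting with a drive letter; the first group is therefore non-greedy.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A ([A-Za-z]:\\.+?) ([A-Za-z]:\\.+)$")


def parse_edges(rows):
    """Return ({(parent, child): repeat count}, {pid: image path}); the dict
    keeps the order in which each pair first appeared in the report."""
    edges, images = {}, {}
    for line in rows.strip().splitlines():
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        parent, child = int(m.group(1)), int(m.group(2))
        edges[(parent, child)] = edges.get((parent, child), 0) + 1
        images[parent], images[child] = m.group(3), m.group(4)
    return edges, images


def build_tree(edges):
    """Children map (in first-seen order) and the roots, i.e. PIDs that were
    never written to by another process in the table."""
    children = defaultdict(list)
    for parent, child in edges:
        children[parent].append(child)
    as_child = {c for _, c in edges}
    roots = sorted({p for p, _ in edges} - as_child)
    return dict(children), roots


def render(children, images, pid, depth=0):
    """One indented line per process: '<pid> <image basename>'."""
    lines = [f"{'  ' * depth}{pid} {basename(images[pid])}"]
    for child in children.get(pid, []):
        lines.extend(render(children, images, child, depth + 1))
    return lines


def generations(children, roots):
    """Longest chain below any root: how many times a copy launched a copy."""
    def depth(pid):
        kids = children.get(pid, [])
        return 0 if not kids else 1 + max(depth(k) for k in kids)
    return max(depth(r) for r in roots)


if __name__ == "__main__":
    edges, images = parse_edges(ROWS)
    children, roots = build_tree(edges)
    print("\n".join(line for r in roots for line in render(children, images, r)))
    print("generations:", generations(children, roots))
```

The rendered tree shows six generations: the submitted file starts smss.exe, which starts Gaara.exe, which starts csrss.exe, which starts Kazekage.exe, which starts system32.exe, and each of those in turn relaunches the earlier copies, which is why the same five images keep reappearing in the process list further down.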

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
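The file-class rows further up (VBSFile Open, Open2 and Edit handlers rewritten to calc.exe, the inffile Install verb rewritten to "shutdown -r -f -t 0") and the policy rows above (EnableLUA set to 0) are logged once per writing process, so five distinct changes appear as dozens of lines. Their practical effect is that opening or editing any .vbs file launches Calculator instead of WScript or Notepad, choosing Install on an .inf forces an immediate reboot, and UAC prompting is disabled after the next restart. The script below is an added example, not part of the report or of any sandbox vendor's tooling: it parses rows in the report's own text layout, collapses them by registry key and value name, records which processes wrote each value, and compares the result with assumed stock values. The EXPECTED table is an assumption for a Windows 10 install and differs between Windows versions, so a mismatch is a prompt to inspect, not proof of tampering on its own. The embedded rows are a constructed subset copied from the two tables.

```python
"""Collapse a sandbox report's registry rows into one change map.
Added example; REPORT_ROWS is a constructed subset copied from the report."""
import re
from collections import defaultdict

REPORT_ROWS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
"""

# Registry paths carry no spaces in this report, so \S* safely ends the path;
# the writer process path does carry spaces and is taken greedily up to " N/A".
SET_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\S*) = "([^"]*)" (.+) N/A$')
KEY_RE = re.compile(r'^Key created (\\REGISTRY\S+) (.+) N/A$')

# ASSUMPTION: stock values of a Windows 10 install. Other Windows versions use
# different handlers (older builds install .inf files through rundll32), so a
# mismatch here means "inspect", not "confirmed tampering".
EXPECTED = {
    (r"HKLM\SOFTWARE\Classes\VBSFile\Shell\Open\Command", "(Default)"):
        r'"%SystemRoot%\System32\WScript.exe" "%1" %*',
    (r"HKLM\SOFTWARE\Classes\VBSFile\Shell\Open2\Command", "(Default)"):
        r'"%SystemRoot%\System32\CScript.exe" "%1" %*',
    (r"HKLM\SOFTWARE\Classes\VBSFile\Shell\Edit\Command", "(Default)"):
        r'"%SystemRoot%\System32\Notepad.exe" %1',
    (r"HKLM\SOFTWARE\Classes\inffile\shell\Install\command", "(Default)"):
        r'%SystemRoot%\System32\InfDefaultInstall.exe "%1"',
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA"):
        "1",
}


def to_hklm(path):
    """Rewrite the kernel-style REGISTRY/MACHINE prefix as HKLM."""
    return path.replace("\\REGISTRY\\MACHINE\\", "HKLM\\", 1)


def split_value(path):
    """(key, value name) for a logged value path; the report marks a key's
    (Default) value with a trailing backslash."""
    path = to_hklm(path)
    if path.endswith("\\"):
        return path[:-1], "(Default)"
    key, _, name = path.rpartition("\\")
    return key, name


def summarize(rows):
    """writes:  {(key, value name): {"values": set, "writers": set}}
       created: {key: set of processes that created it}"""
    writes = defaultdict(lambda: {"values": set(), "writers": set()})
    created = defaultdict(set)
    for line in rows.strip().splitlines():
        if m := SET_RE.match(line):
            _vtype, path, value, writer = m.groups()
            ident = split_value(path)
            writes[ident]["values"].add(value)
            writes[ident]["writers"].add(writer)
        elif m := KEY_RE.match(line):
            path, writer = m.groups()
            created[to_hklm(path)].add(writer)
        else:
            raise ValueError(f"unparsed row: {line!r}")
    return dict(writes), dict(created)


def deviations(writes, expected=EXPECTED):
    """(key, value name, written values, assumed stock value) for every value
    whose written content is not exactly the assumed stock value."""
    out = []
    for ident, info in sorted(writes.items()):
        want = expected.get(ident)
        if info["values"] != {want}:
            out.append((ident[0], ident[1], sorted(info["values"]), want))
    return out


if __name__ == "__main__":
    writes, created = summarize(REPORT_ROWS)
    for key, name, got, want in deviations(writes):
        print(f"{key} [{name}]: written {got}, stock {want!r}")
        print("  by:", ", ".join(sorted(writes[(key, name)]["writers"])))
    print("keys created:", ", ".join(sorted(created)))
```

On a live host the same five (key, value) pairs are the ones to export before cleanup and to restore afterwards; because every dropped copy rewrites them, restoring the handlers without first stopping all five processes only produces a fresh round of "Set value" events.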

Processes

C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe

"C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

Network

Country Destination Domain Proto
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp

Files

memory/2956-0-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\SysWOW64\20-10-2024.exe

MD5 6e0a5bad73ddf8b05ea69aa6775df2a3
SHA1 7185cfa795b13bfca5213af466aacc0ff4145968
SHA256 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34
SHA512 58646b0234fd5377b5942eef4430bb9ac2187e802cfdd156cdd258940dbcb5951b91dc5882062d5f108f6e0900f6a3c5fcd6352940b4fa41318a8c3f9833b83b

C:\Windows\system\msvbvm60.dll

MD5 5343a19c618bc515ceb1695586c6c137
SHA1 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA256 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

MD5 d366728f3533311010818fd568d5a037
SHA1 6d6cf2109bdc0c8aaadd70714ece3370cdec49d7
SHA256 452c0412462dafc7240d94d015b4f95cb9fae3c58c0df2632ff8449c462953b4
SHA512 584c09353e799142d832ec6ee3d1175b76c509595b51f9e43e025bd78defdc7fcb7dfbc48e8feaaefdc2e74a725b5ee93cd118fef1aad3802b2f30f880487c55

memory/2956-32-0x0000000000440000-0x0000000000465000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

MD5 f15940eb1d95d53941a0819198280dd4
SHA1 3c7314d9dbb92aa500a12c218a06f7d7c6ea0a72
SHA256 c278c91e4a2b2f2fa837a6cdd75f61462c1b89fb007e0d29bad144939cd29b20
SHA512 525b9b44e808b9900b8c22dac12b109f1b9ef44df56e853d4079e79365ff498e07b0616834c954c0d95be164f0e2aad778bf7f00e2c079a1d83c850dc007caac

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

MD5 a29f5849837c5cf16d9bc7b9b6c2c6d1
SHA1 a483837302f64b8d9df42981c60ee8ce0cdba2de
SHA256 44ac7c7db112c899b9921d67036ec2ae63f36b8d1d456f354fa6d3d75472e62f
SHA512 ed87234170801357f9b6e3c4b5770418b7b51237ff7ac0e18a8ceed545047e1d44cabd30da05ba63b3c7159e5fe1e8c7fde4330e53dc74eb986b845286b87cc2

C:\Windows\SysWOW64\drivers\system32.exe

MD5 b5416bc6811b03d3b8787825c9cb8868
SHA1 da05ec0798d327753b4e85440b010e8ee047d199
SHA256 4947480682ddf46663563410142099a1417a8c0fbeb9a1e781ba406b77993c62
SHA512 1ff66f41b39cc941045b2dee33922e81fd7df71648faaad1268b3a7d45d0ce4d752e2387a2f330a61c959bb1b4fef65311c1b030aac4442992ef56f06ebe5aeb

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 39b9371bd53c9f754b0acd23e67e4d82
SHA1 46c264cc4910e520ec9736ba187a626ff0078715
SHA256 171d5835c5b1ad152bc4bfb5b36e9b93fd19032fa809f48863a5d8e4cfab8d68
SHA512 d5b59b846e46826e6a49584ce43aacd76d9661a8c787ef072c396b34ad45ea11cc05a5bad9a13bb2fde0e29f0bdf8635f90a1d0b2215dc58201f0097625fdaf0

C:\Windows\SysWOW64\20-10-2024.exe

MD5 fbdcc2c9fb41faf4bc4a5714115b0c03
SHA1 399e356fe590f67179611b53ce3323bcb4e7c2ad
SHA256 8217787d9c4b093d8e8b76f4dc635216b145c96ff2f0bcba78eb6b2e29eabb7a
SHA512 dcb7ad69fa5afcf89a73c1624ee576d175ef10bf1d4c969561260581a5ffc065fe7a57804960b98476b7d760a81b4e3c85fd9cf35a5e38bbb48e3685be5af306

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

MD5 e2e24b204e58e16848e4678218173efc
SHA1 6e952126c7f84599f9a7014d979b6d24413c5ace
SHA256 7dfa145b92874212c8de21f5140a0b7924798874deafd1b2a19baaa344e9a164
SHA512 469b7a73638c4d2adfe4193666a70db9c42011572eb728a098829a489c7734750aa71e3c473b107460b91286ff6370044fc44d11d366b0f311746ebbd9d0854e

memory/2900-78-0x0000000000400000-0x0000000000425000-memory.dmp

memory/528-87-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

MD5 d6b05020d4a0ec2a3a8b687099e335df
SHA1 df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA512 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

MD5 844864ae07faca0a236ff2fc17e60ab8
SHA1 522a58c1af85a478fa8b6964fc24dae9f5a15f66
SHA256 791aae2fc70654086f4cb7f31ecde14ac8b1d57ac2f2fc918b2b96518dad84a5
SHA512 6a2e5c9a5bafa5cc79ab28a10cebbcb905ab71b2d2ff9396da7dfc5e3f0b439ec81f5bf019dcd7c11de776a71220fd18960d631caeb2388b59094f6897abd0b7

C:\Windows\SysWOW64\drivers\system32.exe

MD5 2fd5b59c2ef085d3a83cb24371360fd2
SHA1 12fa8fe4474e063eb5dc8bea2cd74f591eefe87b
SHA256 8017052e03410378ae138abfe646da642cb433119207f78ad6e8fb36f24a621b
SHA512 1fc4a0f45c5bbeb9b61b34ffb59b0224f28bda969652b2d22107f5bb24e8a574bdcaa54d3192358b5b713f91cf070c66f3b61512f6c7ff238b6413158b2362a9

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 4b5538130b031062f82947403b9cb9d3
SHA1 ca29a91fb5ddf4414f34469a359523f9d8715fe7
SHA256 06fd06548b9f40a582a01e63e1cb4aa4f712247fb2887c344553828ae6e9d83d
SHA512 a8106ac10d6a69e89ce0fd88800b7b8b41f95f995e28b24d009e9231dd405b5e795d28a19b60151c63e150ba36a859827f3658d800c29403d3c5a3261d7718f9

C:\Windows\SysWOW64\20-10-2024.exe

MD5 f87361bce6160b18368208e13a7b0faa
SHA1 5905a2c4d1cca58ce4d9f121d9753cdde4dde174
SHA256 71c828fbc172ab3fa5c2aae65896dbd20096f9c6c1942890bc12f8be5cf494a9
SHA512 787a1b65f0cd5f6aafbc3649561d1475d00027d950a344369064aa4a19199a257a40f9251d750caa59cdd3ed213085fd166c958abee8e5f6e46db758003682cc

memory/528-120-0x0000000000430000-0x0000000000455000-memory.dmp

memory/528-118-0x0000000000430000-0x0000000000455000-memory.dmp

memory/2520-128-0x0000000000400000-0x0000000000425000-memory.dmp

memory/1268-127-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3056-139-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2520-137-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\SysWOW64\20-10-2024.exe

MD5 c9507bc981d027da82011957485749bd
SHA1 2bc0b5a4948039fa6ed5b85f1d3700396f0ac4db
SHA256 841207a3b710c1413bba975b183878053841e5f2ea64f33d622460549ef4360b
SHA512 b9c2c4bdad1fc482d81eafea8dc0ef713471ab968dad569084ab70a07d34bbdd41662bd70479663b3b27d000185989f1d48627ba194acacc5a1ef04f8d6870fc

C:\Windows\SysWOW64\drivers\system32.exe

MD5 163a4e40fe2fbbef5c322cbfd26aa0bf
SHA1 a48278bba568f025164eb7632eede4ebe15681ed
SHA256 7beb1cf4ae9e7b360af6a5cb4ab68fa0d725c4783460b4d99bb8c5fb357c66b0
SHA512 89a4048307ae5b7d2b3684a1542952f65c5031830c0a53a17e9c43015eb195be626d04f0b295cfefc4845d58c4c038a6a256b45da1d99cbdecf983be66d73c7f

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 7d6c6e4b4f05c5df7686c20deb07e8e7
SHA1 55b9382d83b12dbef782ada33ec1ea981f298419
SHA256 72fec5c7d15b13c32c5cc1de3baffa28e2b23251fa9cdfddfe0d811b529c1cd4
SHA512 cc3ba46e7beac4497fe5ed49959a4524e3cc4e67f54d367e9eff649fcac72ca0770e142d0eedd2d9d9e1e2307ebc78c4d33392284c6df9518313248bc2304bee

memory/2492-169-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2492-174-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2032-180-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2316-191-0x0000000000400000-0x0000000000425000-memory.dmp

memory/1988-185-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\SysWOW64\drivers\system32.exe

MD5 79f3856873ee41659442bf14f498c9cb
SHA1 51fce9d06ece6a23f262559918744785fe463734
SHA256 41631be670bbc8aa957c590b6938e14c424f2141db945973c109ae13538466e3
SHA512 fe433bf426f9f9a2dc4b15b90dc9d341c39ac5c94ef6f29ceed962ac4c49872ed347274eeaa594b36ff481d0129945211108b5d218d16e2a2d474cbd8538bb90

memory/1848-220-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2180-223-0x0000000000400000-0x0000000000425000-memory.dmp

memory/1068-228-0x0000000000400000-0x0000000000425000-memory.dmp

memory/1068-243-0x0000000000500000-0x0000000000525000-memory.dmp

memory/1652-244-0x0000000000400000-0x0000000000425000-memory.dmp

memory/1336-248-0x0000000000400000-0x0000000000425000-memory.dmp

memory/1524-247-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2064-251-0x0000000000400000-0x0000000000425000-memory.dmp

memory/1336-252-0x0000000000400000-0x0000000000425000-memory.dmp

memory/1060-256-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2064-255-0x0000000000400000-0x0000000000425000-memory.dmp

memory/1060-259-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3056-260-0x0000000000380000-0x00000000003A5000-memory.dmp

memory/528-263-0x0000000000430000-0x0000000000455000-memory.dmp

memory/648-264-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2000-269-0x0000000000400000-0x0000000000425000-memory.dmp

memory/1920-274-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2332-278-0x0000000000400000-0x0000000000425000-memory.dmp

memory/1252-281-0x0000000000400000-0x0000000000425000-memory.dmp

memory/704-284-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2964-287-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2956-288-0x0000000000440000-0x0000000000465000-memory.dmp

memory/2616-291-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2800-294-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2956-295-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2724-296-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2724-297-0x0000000001D10000-0x0000000001D35000-memory.dmp

memory/528-298-0x0000000000400000-0x0000000000425000-memory.dmp

memory/528-299-0x0000000000430000-0x0000000000455000-memory.dmp

memory/528-300-0x0000000000430000-0x0000000000455000-memory.dmp

memory/528-301-0x0000000000430000-0x0000000000455000-memory.dmp

memory/3056-302-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3056-303-0x0000000000380000-0x00000000003A5000-memory.dmp

memory/2316-304-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Autorun.inf

MD5 1564dfe69ffed40950e5cb644e0894d1
SHA1 201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256 be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA512 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

C:\Admin Games\Readme.txt

MD5 bb5d6abdf8d0948ac6895ce7fdfbc151
SHA1 9266b7a247a4685892197194d2b9b86c8f6dddbd
SHA256 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

F:\Admin Games\Kazekage.exe

MD5 19554fe2333f590281323d63c7ae9382
SHA1 d9f10ca9a1e1cd65741cd156a98d261c9ef9ade9
SHA256 fc8025c035ea8f57fff5fbddc0231e80df2de34e9cebc8ab6b4e689225d76c1f
SHA512 88f9aae4a067d983363cd2102fd270d36ee9796cb2db70f4b9ef152d53bad61d50c3dec31c9b8ce566f98d1d7ab9eba126e885773b2d342b0468d72de70427be

C:\Windows\SysWOW64\Desktop.ini

MD5 64acfa7e03b01f48294cf30d201a0026
SHA1 10facd995b38a095f30b4a800fa454c0bcbf8438
SHA256 ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA512 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

memory/1068-553-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3056-554-0x0000000000380000-0x00000000003A5000-memory.dmp

memory/2724-555-0x0000000001D10000-0x0000000001D35000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-20 22:56

Reported

2024-10-20 22:58

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
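The four tables above (Winlogon Shell/Userinit, Explorer HideFileExt/ShowSuperHidden, EnableLUA and DisableRegistryTools) are all plain registry writes, so the natural triage step is a baseline comparison. Two details matter when hunting for this sample: Winlogon reads Shell and Userinit as comma-separated lists, so the malware keeps explorer.exe and userinit.exe in place and appends its own copies (named csrss.exe and system32.exe to blend in); and because the dropper is a 32-bit process, its Winlogon writes landed in the redirected WOW6432Node view, so a check has to read both the native and the WOW6432Node key. Note also that "UAC bypass" in the signature name is a misnomer: EnableLUA = 0 switches UAC off outright, needs an already-elevated writer to reach HKLM, and only takes effect after a reboot. The script below is an added example, not code from the sandbox or the sample; it assumes a hive already parsed into {key: {value_name: data}} dictionaries (as a hive parser or `reg query` would give) and an assumed hardened baseline (UAC on, regedit allowed, extensions and super-hidden files shown), since HideFileExt = 1 and ShowSuperHidden = 0 are in fact Windows defaults and only count as tampering relative to such a baseline. The sample hive is constructed from the values in the tables.

```python
"""Audit the registry values this sample tampers with against an expected baseline.

Input shape: {registry_key: {value_name: data}}, e.g. from a parsed hive or `reg query`.
Added example; the baseline below is an assumption, not taken from the report.
"""
from typing import Dict, List, NamedTuple, Union

Hive = Dict[str, Dict[str, Union[str, int]]]


class Finding(NamedTuple):
    key: str
    name: str
    observed: str
    note: str


# Winlogon treats Shell and Userinit as comma-separated lists; the sample appends its
# own binaries after the real ones so logon still works. Accept only the stock entries
# (bare name or full path); anything else, including a look-alike name, is a finding.
WINLOGON_BASELINE = {
    "shell": {"explorer.exe", "c:\\windows\\explorer.exe"},
    "userinit": {"userinit.exe", "c:\\windows\\system32\\userinit.exe"},
}

# (key suffix, value name) -> (expected data, why a deviation matters).
# Assumption: a hardened baseline (UAC on, regedit allowed, extensions and
# super-hidden files shown). HideFileExt=1 / ShowSuperHidden=0 are Windows defaults,
# so they are only tampering relative to a baseline like this one.
SCALAR_BASELINE = {
    ("\\policies\\system", "enablelua"): (1, "UAC switched off (applies after reboot)"),
    ("\\policies\\system", "disableregistrytools"): (0, "regedit blocked for this user"),
    ("\\explorer\\advanced", "hidefileext"): (0, "extensions hidden: dropped csrss.exe can pose as a document"),
    ("\\explorer\\advanced", "showsuperhidden"): (1, "hidden/system files no longer shown"),
}


def _norm(s: str) -> str:
    return s.strip().lower().replace("/", "\\")


def audit(hive: Hive) -> List[Finding]:
    """Return every value that deviates from the baseline, in hive order."""
    findings: List[Finding] = []
    for key, values in hive.items():
        k = _norm(key)
        for name, data in values.items():
            n = name.lower()
            if k.endswith("\\winlogon") and n in WINLOGON_BASELINE:
                for entry in str(data).split(","):
                    if _norm(entry) and _norm(entry) not in WINLOGON_BASELINE[n]:
                        findings.append(Finding(key, name, entry.strip(), "extra Winlogon entry"))
                continue
            for (suffix, vname), (expected, note) in SCALAR_BASELINE.items():
                if k.endswith(suffix) and n == vname and int(data) != expected:
                    findings.append(Finding(key, name, str(data), note))
    return findings


# Constructed sample reproducing the values in the tables above (not a real hive dump).
# The 32-bit sample wrote the redirected WOW6432Node Winlogon key, so both views are listed.
SID = "S-1-5-21-940901362-3608833189-1915618603-1000"
USER = "\\REGISTRY\\USER\\" + SID
SAMPLE_HIVE: Hive = {
    r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon": {
        "Shell": "explorer.exe",
        "Userinit": r"C:\Windows\system32\userinit.exe,",
    },
    r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon": {
        "Shell": r"Explorer.exe, drivers\csrss.exe",
        "Userinit": r"userinit.exe,drivers\system32.exe",
    },
    r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System": {"EnableLUA": 0},
    USER + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System": {"DisableRegistryTools": 1},
    USER + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced": {"HideFileExt": 1, "ShowSuperHidden": 0},
}

if __name__ == "__main__":
    for f in audit(SAMPLE_HIVE):
        print(f"{f.key}\\{f.name} = {f.observed!r}: {f.note}")
```

Run against the constructed hive it reports the two appended Winlogon entries (drivers\csrss.exe and drivers\system32.exe) from the WOW6432Node key only, plus the four flipped policy and Explorer values; the native Winlogon key passes. Comparing whole entries rather than basenames is deliberate: a value such as `drivers\explorer.exe` would otherwise slip past the baseline.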

Disables use of System Restore points

evasion

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
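The IFEO table above mixes two tricks that read very differently. When an image has a Debugger value, Windows starts the Debugger string with the victim's original command line appended, so Debugger = "cmd.exe /c del" on procexp.exe (and on what look like rival malware names such as Rin.exe, HOKAGE4.exe and HokageFile.exe) turns every launch into `cmd.exe /c del <path to that image>`: the file deletes itself. Debugger = "drivers\\Kazekage.exe" on rstrui.exe, regedit.exe, regedt32.exe, msconfig.exe, taskmgr.exe, mmc.exe and wscript.exe means that opening any of those recovery or admin tools runs the malware copy instead, which is also how the sample blocks System Restore. The IFEO key is not redirected under WOW64, which is why these writes appear under the native key even though the writer is 32-bit. The parser below is an added example, not code from the report or the sample: it pulls image/Debugger pairs out of "Set value" lines in the format above and labels the effect. The sample lines are a constructed subset copied from the table, and KNOWN_DEBUGGERS is an assumed allow-list of legitimate JIT debuggers.

```python
"""Triage Image File Execution Options (IFEO) Debugger entries from sandbox registry events.

Added example; the sample lines are copied from the report table, KNOWN_DEBUGGERS is an assumption.
"""
import ntpath
import re
from typing import Dict, List, NamedTuple

# Image name sits between the IFEO key and \Debugger; the data is the quoted string after '='.
IFEO_RE = re.compile(
    r'Image File Execution Options\\(?P<image>[^\\]+)\\Debugger = "(?P<debugger>[^"]*)"'
)

# Assumption: basenames of legitimate JIT debuggers an administrator might have registered.
KNOWN_DEBUGGERS = {"vsjitdebugger.exe", "windbg.exe", "cdb.exe", "ntsd.exe"}


class IfeoEntry(NamedTuple):
    image: str
    debugger: str
    effect: str


def classify(debugger: str) -> str:
    """Describe what launching the image does once this Debugger value is in place.

    Windows runs the Debugger string with the original command line appended,
    so the victim image is handed to the Debugger as an argument.
    """
    d = debugger.strip().lower()
    parts = d.split()
    if not parts:
        return "empty Debugger value"
    if re.match(r"^cmd(\.exe)?\s+/c\s+del(\s|$)", d):
        return "deleted on launch"          # cmd.exe /c del <image path>
    if ntpath.basename(parts[0]) in KNOWN_DEBUGGERS:
        return "real debugger (review)"
    return "redirected to " + d             # the image never runs; the Debugger does


def parse_ifeo(lines: List[str]) -> Dict[str, IfeoEntry]:
    """Collect one entry per image (keyed lowercase) from report lines; the last write wins."""
    entries: Dict[str, IfeoEntry] = {}
    for line in lines:
        m = IFEO_RE.search(line)
        if not m:
            continue  # "Key created" rows and unrelated lines carry no Debugger data
        image = m.group("image")
        debugger = m.group("debugger").replace("\\\\", "\\")  # report doubles backslashes in data
        entries[image.lower()] = IfeoEntry(image, debugger, classify(debugger))
    return entries


def summarise(entries: Dict[str, IfeoEntry]) -> Dict[str, List[str]]:
    """Group hijacked images by effect for a quick picture of what the sample did."""
    out: Dict[str, List[str]] = {}
    for e in entries.values():
        out.setdefault(e.effect, []).append(e.image)
    return out


# Constructed subset of the "Set value"/"Key created" rows from the table above.
SAMPLE_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A',
]

if __name__ == "__main__":
    for effect, images in summarise(parse_ifeo(SAMPLE_LINES)).items():
        print(f"{effect}: {', '.join(sorted(images))}")
```

On the constructed lines this yields two groups: procexp.exe and "Funny UST Scandal.exe" are deleted on launch, rstrui.exe and taskmgr.exe are redirected to drivers\kazekage.exe; the "Key created" row for mmc.exe is skipped because it carries no data. For cleanup, every IFEO subkey with a Debugger value pointing at a relative path or at `cmd.exe /c del` should be removed before rstrui.exe or regedit.exe is used on the host, since those tools would otherwise just relaunch the malware.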

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification F:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification F:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\drivers\system32.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification \??\Q:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\K:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created \??\K:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created \??\R:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\O:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\K:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created \??\N:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created \??\J:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created \??\B:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\G:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\V:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\L:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification \??\P:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created \??\P:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created \??\T:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created \??\S:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\J:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\M:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification F:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created \??\T:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\W:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File created C:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created \??\M:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created \??\U:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\U:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\V:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\I:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\Q:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\X:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification D:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created \??\Q:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created \??\P:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created \??\H:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification C:\Windows\SysWOW64\20-10-2024.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\20-10-2024.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File created C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\20-10-2024.exe C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification C:\Windows\SysWOW64\20-10-2024.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\20-10-2024.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\20-10-2024.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\20-10-2024.exe C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\system32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2988 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2988 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2988 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 116 wrote to memory of 1196 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 116 wrote to memory of 1196 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 116 wrote to memory of 1196 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 116 wrote to memory of 2076 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 116 wrote to memory of 2076 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 116 wrote to memory of 2076 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2076 wrote to memory of 2436 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2076 wrote to memory of 2436 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2076 wrote to memory of 2436 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2076 wrote to memory of 1936 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2076 wrote to memory of 1936 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2076 wrote to memory of 1936 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2076 wrote to memory of 2276 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 2076 wrote to memory of 2276 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 2076 wrote to memory of 2276 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 2276 wrote to memory of 5056 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2276 wrote to memory of 5056 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2276 wrote to memory of 5056 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2276 wrote to memory of 4216 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2276 wrote to memory of 4216 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2276 wrote to memory of 4216 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2276 wrote to memory of 1752 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 2276 wrote to memory of 1752 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 2276 wrote to memory of 1752 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 2276 wrote to memory of 756 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2276 wrote to memory of 756 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2276 wrote to memory of 756 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 756 wrote to memory of 2228 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 756 wrote to memory of 2228 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 756 wrote to memory of 2228 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 756 wrote to memory of 4928 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 756 wrote to memory of 4928 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 756 wrote to memory of 4928 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 756 wrote to memory of 4944 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 756 wrote to memory of 4944 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 756 wrote to memory of 4944 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 756 wrote to memory of 3232 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 756 wrote to memory of 3232 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 756 wrote to memory of 3232 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 756 wrote to memory of 3608 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 756 wrote to memory of 3608 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 756 wrote to memory of 3608 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3608 wrote to memory of 2176 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 3608 wrote to memory of 2176 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 3608 wrote to memory of 2176 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 3608 wrote to memory of 2308 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 3608 wrote to memory of 2308 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 3608 wrote to memory of 2308 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 3608 wrote to memory of 4576 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 3608 wrote to memory of 4576 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 3608 wrote to memory of 4576 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 3608 wrote to memory of 1668 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3608 wrote to memory of 1668 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3608 wrote to memory of 1668 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3608 wrote to memory of 4400 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3608 wrote to memory of 4400 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3608 wrote to memory of 4400 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2276 wrote to memory of 1896 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2276 wrote to memory of 1896 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2276 wrote to memory of 1896 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2076 wrote to memory of 1688 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
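
The WriteProcessMemory rows are the only place this report ties PIDs to image paths, and every parent/child pair is logged three times. The Python below is an added example, not part of this report and not code from the sample: it folds those rows into a process tree with a write count per edge and marks children that run the same image as their parent (the smss.exe -> smss.exe and system32.exe -> system32.exe pairs in the table). The sample input is constructed from rows copied from the table above, trimmed to one branch with some of the triplicate rows dropped.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# One row of the WriteProcessMemory table: source PID, target PID, the "N/A" indicator
# column, then the two image paths. Paths contain spaces but never " X:\", so the
# non-greedy source path stops at the start of the target path.
ROW = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<src_img>[A-Za-z]:\\.+?) (?P<dst_img>[A-Za-z]:\\.+)$"
)

def parse_writes(text):
    """Return (edge_counts, images): edge_counts[(src_pid, dst_pid)] and images[pid] -> path."""
    counts, images = Counter(), {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        counts[(src, dst)] += 1
        images[src] = m["src_img"]
        images[dst] = m["dst_img"]
    return counts, images

def build_tree(counts):
    """children[parent] -> sorted child PIDs; a PID is a root if nothing wrote into it."""
    children = defaultdict(list)
    for (src, dst) in counts:
        if dst not in children[src]:
            children[src].append(dst)
    written_into = {dst for (_, dst) in counts}
    roots = sorted(pid for pid in children if pid not in written_into)
    return {k: sorted(v) for k, v in children.items()}, roots

def render(children, images, counts, pid, depth=0):
    """Indented tree lines; a child running the parent's own image is flagged,
    since that pattern recurs throughout this run."""
    name = PureWindowsPath(images[pid]).name
    lines = [f"{'  ' * depth}{pid} {name}"]
    for child in children.get(pid, []):
        n = counts[(pid, child)]
        tag = f" [{n} write{'' if n == 1 else 's'}]"
        if PureWindowsPath(images[child]).name.lower() == name.lower():
            tag += " (same image as parent)"
        sub = render(children, images, counts, child, depth + 1)
        sub[0] += tag
        lines.extend(sub)
    return lines

# Constructed sample: rows copied from this report's table, one branch only.
SAMPLE = r"""
PID 2988 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2988 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2988 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 116 wrote to memory of 1196 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 116 wrote to memory of 2076 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2076 wrote to memory of 2276 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 2276 wrote to memory of 756 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 756 wrote to memory of 3608 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3608 wrote to memory of 4400 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
"""

if __name__ == "__main__":
    counts, images = parse_writes(SAMPLE)
    children, roots = build_tree(counts)
    for root in roots:
        print("\n".join(render(children, images, counts, root)))
```

The same chain accounts for the Processes section further down, where images under C:\Windows\SysWOW64\drivers\ are launched with C:\Windows\system32\drivers\... command lines: the sample is a 32-bit binary (it drops the VB6 runtime msvbvm60.dll, and every image is dumped at 0x400000), so its system32 paths are redirected to SysWOW64 by WOW64 file-system redirection. The three writes per pair are how the sandbox logged each parent/child relationship; the example collapses them into one edge with a count rather than reading anything further into the number.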

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
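
Two tables above describe one persistence-and-evasion setup. The Set value rows under HKLM\SOFTWARE\Classes replace the shell verbs for .vbs files (Open, Open2, Edit) with calc.exe and the Install verb for .inf files with shutdown -r -f -t 0, so double-clicking a script no longer runs it and installing an .inf forces an immediate reboot; the System policy modification rows set EnableLUA to 0, which switches UAC off at the next restart. The Python below is an added example, not part of this report and not the sample's code: it parses rows in the report's own layout, lower-cases the key (registry paths are case-insensitive), and compares every written value against the stock Windows handler for that verb. The defaults table is an assumption taken from a Windows 10 reference image (the strings can vary by build, so confirm them against a clean host of the same version), and the final regedit.exe row in the sample is a constructed benign entry that shows what is not flagged.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Stock handlers for the verbs this sample rewrites. ASSUMPTION: copied from a
# Windows 10 reference image; verify against a clean host of the target build.
DEFAULTS = {k.lower(): v for k, v in {
    r"Classes\VBSFile\Shell\Open\Command": r'"%SystemRoot%\System32\WScript.exe" "%1" %*',
    r"Classes\VBSFile\Shell\Open2\Command": r'"%SystemRoot%\System32\CScript.exe" "%1" %*',
    r"Classes\VBSFile\Shell\Edit\Command": r'"%SystemRoot%\System32\Notepad.exe" %1',
    r"Classes\inffile\shell\Install\command": r'%SystemRoot%\System32\InfDefaultInstall.exe "%1"',
    r"Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA": "1",
}.items()}

# One "Set value" row as the report prints it: value type, key (a trailing backslash
# means the key's default value), quoted data, writing process, target column.
ROW = re.compile(
    r'^Set value \((?:str|int)\) '
    r'\\REGISTRY\\MACHINE\\SOFTWARE\\(?P<key>\S+?)\\? = '
    r'"(?P<val>.*)" (?P<proc>[A-Za-z]:\\.+?) N/A$'
)

@dataclass(frozen=True)
class RegWrite:
    key: str      # path below HKLM\SOFTWARE, lower-cased for comparison
    value: str
    process: str  # image path of the writer

def parse_rows(text: str) -> list[RegWrite]:
    """Keep only rows that carry data; 'Key created' rows have nothing to compare."""
    out = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            out.append(RegWrite(m["key"].lower(), m["val"], m["proc"]))
    return out

def find_hijacks(rows: list[RegWrite]) -> dict[str, set[str]]:
    """Audited keys whose written data differs from the stock handler, with the bad values."""
    bad: dict[str, set[str]] = defaultdict(set)
    for r in rows:
        expected = DEFAULTS.get(r.key)
        if expected is not None and r.value.strip().lower() != expected.lower():
            bad[r.key].add(r.value)
    return dict(bad)

def writers(rows: list[RegWrite], key_fragment: str) -> list[str]:
    """Distinct processes that wrote under a key fragment (every copy of the sample does)."""
    frag = key_fragment.lower()
    return sorted({r.process for r in rows if frag in r.key})

# Constructed sample: five rows copied from this report, one 'Key created' row that
# is ignored, and one constructed benign row restoring the Edit default.
SAMPLE_ROWS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = ""%SystemRoot%\System32\Notepad.exe" %1" C:\Windows\regedit.exe N/A
"""

if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for key, values in sorted(find_hijacks(rows).items()):
        print(f"HIJACKED  HKLM\\SOFTWARE\\{key}  ->  {sorted(values)}")
    print("writers under Classes\\VBSFile:", writers(rows, r"Classes\VBSFile"))
```

On a live host the same comparison applies to the exported values of HKLM\SOFTWARE\Classes\VBSFile\Shell and HKLM\SOFTWARE\Classes\inffile\shell\Install; a calc.exe handler is harmless in itself but is the tell that the verbs were rewritten, and the EnableLUA change only bites after the reboot the inffile handler is set up to trigger.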

Processes

C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe

"C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500
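
The thirty-four ping.exe launches above alternate between two hosts with the arguments -a -l <host> 65500. On Windows ping.exe, -l takes a numeric payload size (0 to 65500) and -a asks for reverse name resolution, so the hostname lands in the size slot and ping rejects the option before sending anything; the Network table below is consistent with that, since neither host is ever resolved. The intent is still readable from the trailing 65500, the largest payload ping accepts. The Python below is an added example, not part of this report: a small reimplementation of ping.exe's option grammar that shows where the launched line fails, reconstructs the evidently intended command (an inference about intent, not something the sample emitted), and tallies targets over a block in the Processes section's layout. The switch table is limited to the documented ping.exe switches listed in the code; treating any other token as the positional target is an assumption.

```python
from collections import Counter

# Switches of Windows ping.exe. ASSUMPTION: limited to the documented set below;
# any other token is treated as the positional target.
NO_ARG = {"-t", "-a", "-f", "-R", "-4", "-6"}
WITH_ARG = {"-n", "-l", "-i", "-v", "-r", "-s", "-j", "-k", "-w", "-S"}
MAX_SIZE = 65500  # largest payload ping.exe accepts for -l

def parse_ping(cmdline: str) -> dict:
    """Consume a ping.exe command line left to right the way ping.exe does:
    a switch in WITH_ARG always eats the next token, whatever it looks like."""
    toks = cmdline.split()
    res = {"target": None, "size": 32, "switches": [], "error": None, "tokens": toks}
    i = 1  # toks[0] is the executable
    while i < len(toks):
        t = toks[i]
        if t in NO_ARG:
            res["switches"].append(t)
            i += 1
        elif t in WITH_ARG:
            if i + 1 >= len(toks):
                res["error"] = f"{t} requires a value"
                break
            val = toks[i + 1]
            if t == "-l" and (not val.isdigit() or int(val) > MAX_SIZE):
                res["error"] = f"bad value for option -l: {val!r}"
                break
            if t == "-l":
                res["size"] = int(val)
            res["switches"].append(t)
            i += 2
        else:
            res["target"] = t  # positional argument: the host to ping
            i += 1
    return res

def intended_target(cmdline: str):
    """(host, size) the author evidently meant. A line that parses means what it says;
    when -l swallowed a hostname and the trailing token is numeric, swap them back.
    The swap is an inference about intent; the sample never sent these packets."""
    p = parse_ping(cmdline)
    if p["error"] is None:
        return (p["target"], p["size"]) if p["target"] else None
    toks = p["tokens"]
    if "-l" in toks:
        idx = toks.index("-l")
        if idx + 1 < len(toks) and not toks[idx + 1].isdigit() and toks[-1].isdigit():
            return toks[idx + 1], int(toks[-1])
    return None

def tally_targets(processes_text: str) -> Counter:
    """Count intended targets over a block in the Processes section's layout
    (image path, blank line, command line, blank line)."""
    tally = Counter()
    for line in processes_text.splitlines():
        line = line.strip()
        if line.lower().startswith("ping "):
            hit = intended_target(line)
            if hit:
                tally[hit[0]] += 1
    return tally

# Constructed sample: four entries copied from the Processes section of this report.
SAMPLE = r"""
C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500
"""

if __name__ == "__main__":
    line = "ping -a -l www.rasasayang.com.my 65500"
    print("as launched:", parse_ping(line)["error"])
    print("as intended:", intended_target(line))
    print(dict(tally_targets(SAMPLE)))
```

A detection rule keyed on the working form (ping -l 65500 <host>, or any -l above the default 32 bytes) would miss this sample; matching on the token multiset rather than the order catches both the malformed line and the one the author meant to write.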

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp

Files

memory/2988-0-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\System\msvbvm60.dll

MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

MD5 d366728f3533311010818fd568d5a037
SHA1 6d6cf2109bdc0c8aaadd70714ece3370cdec49d7
SHA256 452c0412462dafc7240d94d015b4f95cb9fae3c58c0df2632ff8449c462953b4
SHA512 584c09353e799142d832ec6ee3d1175b76c509595b51f9e43e025bd78defdc7fcb7dfbc48e8feaaefdc2e74a725b5ee93cd118fef1aad3802b2f30f880487c55

memory/116-34-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

MD5 d6b05020d4a0ec2a3a8b687099e335df
SHA1 df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA512 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

MD5 a29f5849837c5cf16d9bc7b9b6c2c6d1
SHA1 a483837302f64b8d9df42981c60ee8ce0cdba2de
SHA256 44ac7c7db112c899b9921d67036ec2ae63f36b8d1d456f354fa6d3d75472e62f
SHA512 ed87234170801357f9b6e3c4b5770418b7b51237ff7ac0e18a8ceed545047e1d44cabd30da05ba63b3c7159e5fe1e8c7fde4330e53dc74eb986b845286b87cc2

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 b4b0b145dd8143af911d7fb35524a6cb
SHA1 cdf3b65281a22165ce240fe7475119d082facb89
SHA256 924ead6b4f68259243dbed55b80e6ff627cdd2d87461478f3307fb07aad6fc78
SHA512 57cf7678b50a236eb0f89549d162b42ade6985aedf2d7c5eef7cf1d01336447e77e82aed4f4851393555acfa99c68833a80ec1f02d716f2259547ee6b723891e

C:\Windows\SysWOW64\drivers\system32.exe

MD5 21b0e664fdf04122801e4ff76652ec77
SHA1 2027555262ae351f1ec7863e6b05e239441a23ba
SHA256 143c54b89586a08ac734dd66ea449b180aa3089fba1cf5cf0acbfdb2739a0ffa
SHA512 96bdb1038b32236de71b700024ce0d8c6e334c0f98848f9292fcc1e18e3c94bffd192e801d403499bdb2689aa3b0a17d80ec11164ad920d52890e29a7fb83af2

memory/1196-70-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\SysWOW64\20-10-2024.exe

MD5 e59d46ad56d9bc203ff9f513bd933631
SHA1 d79423bd7d5bc18aa89ebc8eefc8bc942f2176b2
SHA256 8da15410ad5e8f8d96306ae069be3a58f3e7a5cbe2c7886ff075b60d71c7fb1a
SHA512 8c1c7d3c10e3b68392c917be9c5ff4fbebef17973b9560530efdff7b42c7fd20639fbd9980f8f4d9f7bb94d87f54c9373fe99332dccb57a65d0ee84c86573b39

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

MD5 e2e24b204e58e16848e4678218173efc
SHA1 6e952126c7f84599f9a7014d979b6d24413c5ace
SHA256 7dfa145b92874212c8de21f5140a0b7924798874deafd1b2a19baaa344e9a164
SHA512 469b7a73638c4d2adfe4193666a70db9c42011572eb728a098829a489c7734750aa71e3c473b107460b91286ff6370044fc44d11d366b0f311746ebbd9d0854e

memory/2076-75-0x0000000000400000-0x0000000000425000-memory.dmp

memory/1196-79-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\SysWOW64\drivers\system32.exe

MD5 2fd5b59c2ef085d3a83cb24371360fd2
SHA1 12fa8fe4474e063eb5dc8bea2cd74f591eefe87b
SHA256 8017052e03410378ae138abfe646da642cb433119207f78ad6e8fb36f24a621b
SHA512 1fc4a0f45c5bbeb9b61b34ffb59b0224f28bda969652b2d22107f5bb24e8a574bdcaa54d3192358b5b713f91cf070c66f3b61512f6c7ff238b6413158b2362a9

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 4b5538130b031062f82947403b9cb9d3
SHA1 ca29a91fb5ddf4414f34469a359523f9d8715fe7
SHA256 06fd06548b9f40a582a01e63e1cb4aa4f712247fb2887c344553828ae6e9d83d
SHA512 a8106ac10d6a69e89ce0fd88800b7b8b41f95f995e28b24d009e9231dd405b5e795d28a19b60151c63e150ba36a859827f3658d800c29403d3c5a3261d7718f9

C:\Windows\SysWOW64\20-10-2024.exe

MD5 f87361bce6160b18368208e13a7b0faa
SHA1 5905a2c4d1cca58ce4d9f121d9753cdde4dde174
SHA256 71c828fbc172ab3fa5c2aae65896dbd20096f9c6c1942890bc12f8be5cf494a9
SHA512 787a1b65f0cd5f6aafbc3649561d1475d00027d950a344369064aa4a19199a257a40f9251d750caa59cdd3ed213085fd166c958abee8e5f6e46db758003682cc

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

MD5 844864ae07faca0a236ff2fc17e60ab8
SHA1 522a58c1af85a478fa8b6964fc24dae9f5a15f66
SHA256 791aae2fc70654086f4cb7f31ecde14ac8b1d57ac2f2fc918b2b96518dad84a5
SHA512 6a2e5c9a5bafa5cc79ab28a10cebbcb905ab71b2d2ff9396da7dfc5e3f0b439ec81f5bf019dcd7c11de776a71220fd18960d631caeb2388b59094f6897abd0b7

memory/1936-113-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2436-115-0x0000000000400000-0x0000000000425000-memory.dmp

memory/1936-121-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2276-122-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

MD5 02770ec1a321e19ddd06cdb29d69ffe3
SHA1 d51b0b4d5de7a3c64dd320cfddd06614a2ab7af2
SHA256 72424cc8831eccd132639f5a2b6541c9bb2d638baf4397186a984bc353b7b579
SHA512 d816faa1abdee5c0879a4240b30abd156962a5dabb6d072bfcb84aae1d69d8c50ad8f8519db1db9a6fbdeee8a10c643f110800aed1c84957573501bcae178d4f

C:\Windows\SysWOW64\drivers\system32.exe

MD5 163a4e40fe2fbbef5c322cbfd26aa0bf
SHA1 a48278bba568f025164eb7632eede4ebe15681ed
SHA256 7beb1cf4ae9e7b360af6a5cb4ab68fa0d725c4783460b4d99bb8c5fb357c66b0
SHA512 89a4048307ae5b7d2b3684a1542952f65c5031830c0a53a17e9c43015eb195be626d04f0b295cfefc4845d58c4c038a6a256b45da1d99cbdecf983be66d73c7f

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 7d6c6e4b4f05c5df7686c20deb07e8e7
SHA1 55b9382d83b12dbef782ada33ec1ea981f298419
SHA256 72fec5c7d15b13c32c5cc1de3baffa28e2b23251fa9cdfddfe0d811b529c1cd4
SHA512 cc3ba46e7beac4497fe5ed49959a4524e3cc4e67f54d367e9eff649fcac72ca0770e142d0eedd2d9d9e1e2307ebc78c4d33392284c6df9518313248bc2304bee

C:\Windows\SysWOW64\20-10-2024.exe

MD5 c9507bc981d027da82011957485749bd
SHA1 2bc0b5a4948039fa6ed5b85f1d3700396f0ac4db
SHA256 841207a3b710c1413bba975b183878053841e5f2ea64f33d622460549ef4360b
SHA512 b9c2c4bdad1fc482d81eafea8dc0ef713471ab968dad569084ab70a07d34bbdd41662bd70479663b3b27d000185989f1d48627ba194acacc5a1ef04f8d6870fc

memory/1752-156-0x0000000000400000-0x0000000000425000-memory.dmp

memory/4216-158-0x0000000000400000-0x0000000000425000-memory.dmp

memory/1752-165-0x0000000000400000-0x0000000000425000-memory.dmp

memory/756-163-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\SysWOW64\drivers\system32.exe

MD5 a2c1369c97dc52cc118434b3e077f5b4
SHA1 f66e9efe96a59a1956eefb151a8b1ee467e5fe7b
SHA256 7b1505c50d3453c18c381b505fe5cfd861d906fd1b1609b6a89f826035f662f3
SHA512 da6b4abc636ef4e5ca967ab0d393463a80b092f39554dd6e54019b2c433de09da3d7122d06dee8961647af09052e8abd0acdf6e3f082e850591acac3d7581023

C:\Windows\SysWOW64\20-10-2024.exe

MD5 5a38cc5306fd2f6c6bb566f4c48bf4a0
SHA1 f8b31c96b1bc8ac0be33b6cb9cda26d6b034f165
SHA256 aff3aa590488cbe8f966fe484a0dbe5dd37241a142f12364bd50b86c1713e3c7
SHA512 7e7ce6de1f14cfc2b4912dfabc1c280985111229b278e05a75c8ca0f6d9457b02eb02710853479e7566bb45a66003a7d55df24d1a8c3a59aff83695bf09bdb56

memory/2228-192-0x0000000000400000-0x0000000000425000-memory.dmp

memory/4928-197-0x0000000000400000-0x0000000000425000-memory.dmp

memory/4944-201-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3608-206-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3232-208-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\SysWOW64\20-10-2024.exe

MD5 c824619f34e794bb0775397576b58737
SHA1 91ef27688e4943faf219a5a597535b9f35268a4d
SHA256 23f4fdc8a856203bf13c721e704c8afc0f65458fdfd890d20aa755d4af5c9037
SHA512 b79856f6d6465610c6bad096cf24d69f8186f1fd7551538296a0be7aa4ef69c7755fc9aa7a77048c147e8f9037de4e071930e134794956ae7b5baaeca9010b1e

memory/2176-228-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2308-231-0x0000000000400000-0x0000000000425000-memory.dmp

memory/4576-234-0x0000000000400000-0x0000000000425000-memory.dmp

memory/1668-237-0x0000000000400000-0x0000000000425000-memory.dmp

memory/4400-240-0x0000000000400000-0x0000000000425000-memory.dmp

memory/1896-244-0x0000000000400000-0x0000000000425000-memory.dmp

memory/1688-249-0x0000000000400000-0x0000000000425000-memory.dmp

memory/956-252-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3364-257-0x0000000000400000-0x0000000000425000-memory.dmp

memory/1660-260-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2432-263-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2936-268-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3944-271-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Gaara.exe

MD5 6e0a5bad73ddf8b05ea69aa6775df2a3
SHA1 7185cfa795b13bfca5213af466aacc0ff4145968
SHA256 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34
SHA512 58646b0234fd5377b5942eef4430bb9ac2187e802cfdd156cdd258940dbcb5951b91dc5882062d5f108f6e0900f6a3c5fcd6352940b4fa41318a8c3f9833b83b

C:\Autorun.inf

MD5 1564dfe69ffed40950e5cb644e0894d1
SHA1 201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256 be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA512 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

C:\Admin Games\Readme.txt

MD5 bb5d6abdf8d0948ac6895ce7fdfbc151
SHA1 9266b7a247a4685892197194d2b9b86c8f6dddbd
SHA256 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

C:\Windows\SysWOW64\Desktop.ini

MD5 64acfa7e03b01f48294cf30d201a0026
SHA1 10facd995b38a095f30b4a800fa454c0bcbf8438
SHA256 ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA512 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

memory/2988-526-0x0000000000400000-0x0000000000425000-memory.dmp

memory/116-527-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2076-528-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2276-529-0x0000000000400000-0x0000000000425000-memory.dmp

memory/756-530-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3608-531-0x0000000000400000-0x0000000000425000-memory.dmp

F:\Admin Games\Hokage-Sampit (Nothing).exe

MD5 8bcd1688202333e3f0708c8330394e78
SHA1 b00916f676da65ed698aa5a66fc74023baaadda0
SHA256 8197ceb951644b233a7b0ba93c1c9ece36e17f305e5aed568cb287f89b24f649
SHA512 46b75a316f1a124720649c7819b1c9cd4346e3e93f63d37104afebfed48464346324bac015d566653d81e6b2af665767a972969b6e7e237dfe40ee09e30a94ed

C:\Windows\SysWOW64\20-10-2024.exe

MD5 7293de8d455547acf064895c2ae3f6a0
SHA1 ceafaf5cd50c38beda48e33806d021e9e3cde8cc
SHA256 dd3fabc24c407b50fb49f60b224927809848d4328db567c1d37d016593e6447f
SHA512 4b741fd0dd94a32e30da7b5ccdb391fbe72a093bdca60efcace1a69b0be09b5d050628eaa5fbdbcb5107fa83901c1f7c9e49a5c1d4f4c13d7594ca1b7b0a4508

C:\Windows\SysWOW64\20-10-2024.exe

MD5 6b9438734a95bb6015bcdd55f10823bf
SHA1 ea7beadef020b13106a563776f69bb9649d52162
SHA256 f15e4d241a0561cf731aefdad0748839ce70eb795afb9a5be186a2ebe471dd83
SHA512 cd965d4f83b0172d61d9ec8a045d0d2bd17558206860a9c8b39607e24a1d36f9dba27b6a4514c1ddec94a2c04e9ada9e71200a158d19e75365178659e6329b5c