Malware Analysis Report

2025-01-22 20:17

Sample ID 241020-crrl1averp
Target d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea
SHA256 d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea
Tags
upx discovery evasion persistence ransomware trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea

Threat Level: Known bad

The file d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea was found to be: Known bad.

Malicious Activity Summary

upx discovery evasion persistence ransomware trojan

Modifies WinLogon for persistence

UAC bypass

Modifies visibility of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Event Triggered Execution: Image File Execution Options Injection

Disables RegEdit via registry modification

Drops file in Drivers directory

Disables use of System Restore points

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Checks whether UAC is enabled

Adds Run key to start application

Drops desktop.ini file(s)

Drops file in System32 directory

Sets desktop wallpaper using registry

UPX packed file

Drops autorun.inf file

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

System Network Configuration Discovery: Internet Connection Discovery

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Modifies registry class

System policy modification

Modifies Control Panel

Runs ping.exe

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-20 02:18

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-20 02:18

Reported

2024-10-20 02:21

Platform

win7-20241010-en

Max time kernel

90s

Max time network

47s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A

Disables use of System Restore points

evasion

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\SysWOW64\drivers\system32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification D:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\drivers\system32.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification \??\T:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\J:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created \??\V:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created \??\Q:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\H:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created \??\L:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\V:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created \??\W:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification D:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File created \??\X:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created \??\J:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File created \??\H:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\V:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created D:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created \??\K:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created \??\V:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File created \??\I:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created \??\N:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File created \??\T:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File created \??\P:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created \??\V:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\X:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\A:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created \??\I:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created \??\N:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\T:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification D:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created \??\A:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File created \??\L:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification F:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\E:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File created \??\R:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created \??\T:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created D:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created \??\U:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification C:\Windows\SysWOW64\20-10-2024.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification C:\Windows\SysWOW64\20-10-2024.exe C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification C:\Windows\SysWOW64\20-10-2024.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\20-10-2024.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\20-10-2024.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\20-10-2024.exe C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification C:\Windows\SysWOW64\20-10-2024.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A

System Location Discovery: System Language Discovery

discovery
Note that the legitimate C:\Windows\SysWOW64\ping.exe instances appear in this table alongside the dropped executables: opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language is routine locale initialisation, so on its own this signature is a weak indicator. The dropped files and the registry-class changes in the other tables are the entries worth hunting for.
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A

Modifies Control Panel

evasion
What these rows amount to: the sample installs a marquee screensaver (SCRNSAVE.EXE = "ssmarque.scr", ScreenSaveTimeOut = "400" seconds) with its own scrolling text, font, colours and speed, and points the wallpaper at the dropped C:\Windows\Fonts\The Kazekage.jpg. All of it is per-user (HKCU) defacement; none of it hides the sample from the user or from tooling, so read the "evasion" tag as the sandbox's generic label for this key rather than as an observed anti-analysis technique.
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A

Modifies Internet Explorer settings

adware spyware
The only change in these rows is the Internet Explorer Window Title string, replaced with the taunt shown below; no home page, search or proxy setting is touched, so the "adware spyware" tag overstates what was observed. The string itself is a convenient host-level marker for this family.
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A

Modifies registry class

The rows below rewrite machine-wide file-association verbs under HKLM\SOFTWARE\Classes. The Open, Open2 and Edit commands for VBSFile are set to "calc.exe", so any .vbs script launched through the shell (including an administrator's cleanup script) starts Calculator instead of the script host, and the Install verb for inffile is set to "shutdown -r -f -t 0", so choosing Install on any .inf forces an immediate reboot. Because the keys live under HKLM, the hijack affects every user and persists until the default values are restored.
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
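The rows above list one event per writing process, which hides the actual change set: the (Default) command of VBSFile\Shell\Open, Open2 and Edit, the (Default) command of inffile\shell\Install, and the EnableLUA policy, each rewritten by up to six of the sample's processes. The Python below is an editorial example added to this report, not sandbox output or code from the sample: it parses rows in this table's layout into (key, value name, value, writer) records and flags every observed value that differs from an expected default. The EXPECTED table is this editor's recollection of the Windows defaults and is an assumption; verify it against a clean reference host of the same build before using it for clean-up.

```python
"""Reduce the sandbox's registry-event rows to the hijacked values and the
processes that wrote them (editorial example, not part of the report)."""
import re
from collections import defaultdict

# Constructed input: a subset of rows copied verbatim from the table above.
SAMPLE_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
""".strip().splitlines()

# One row: operation, registry path, optional quoted value, writing process, target.
ROW = re.compile(
    r'^(?P<op>Set value \((?P<type>\w+)\)|Key created) '
    r'(?P<key>\\REGISTRY\\\S+?)(?: = "(?P<value>[^"]*)")?'
    r' (?P<proc>[A-Za-z]:\\.+?) N/A$'
)

# Values a clean host is expected to carry. Editor's recollection of the Windows
# defaults, i.e. an assumption: verify on a clean reference host of the same build.
EXPECTED = {
    (r"HKLM\SOFTWARE\Classes\VBSFile\Shell\Open\Command", "@"):
        ("str", r'"%SystemRoot%\System32\WScript.exe" "%1" %*'),
    (r"HKLM\SOFTWARE\Classes\VBSFile\Shell\Open2\Command", "@"):
        ("str", r'"%SystemRoot%\System32\CScript.exe" "%1" %*'),
    (r"HKLM\SOFTWARE\Classes\VBSFile\Shell\Edit\Command", "@"):
        ("str", r'"%SystemRoot%\System32\Notepad.exe" %1'),
    (r"HKLM\SOFTWARE\Classes\inffile\shell\Install\command", "@"):
        ("str", r'%SystemRoot%\System32\InfDefaultInstall.exe "%1"'),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA"):
        ("int", "1"),
}


def split_target(raw_key):
    """Map the report's path to (key, value name). The report renders a key's
    (Default) value with a trailing backslash and a named value without one."""
    hive_key = raw_key.replace("\\REGISTRY\\MACHINE\\", "HKLM\\", 1)
    if hive_key.endswith("\\"):
        return hive_key.rstrip("\\"), "@"
    key, _, name = hive_key.rpartition("\\")
    return key, name


def parse(rows):
    """Parse rows in the report's layout; rows the regex does not cover are skipped."""
    events = []
    for row in rows:
        m = ROW.match(row.strip())
        if not m:
            continue
        key, name = split_target(m["key"])
        events.append({"op": "set" if m["op"].startswith("Set") else "create",
                       "type": m["type"], "key": key, "name": name,
                       "value": m["value"] or "", "proc": m["proc"]})
    return events


def findings(events):
    """Group 'set' events by (key, value name) and flag each observed value that
    differs from EXPECTED, keeping the set of processes that wrote it."""
    seen = defaultdict(lambda: defaultdict(set))  # (key, name) -> (type, value) -> writers
    for e in events:
        if e["op"] == "set":
            seen[(e["key"], e["name"])][(e["type"], e["value"])].add(e["proc"])
    out = []
    for target, values in sorted(seen.items()):
        expected = EXPECTED.get(target)
        for observed, writers in sorted(values.items()):
            if expected is not None and observed != expected:
                out.append({"key": target[0], "name": target[1],
                            "observed": observed[1], "expected": expected[1],
                            "writers": sorted(writers)})
    return out


if __name__ == "__main__":
    for f in findings(parse(SAMPLE_ROWS)):
        print(f"{f['key']} [{f['name']}]: {f['observed']!r} (expected {f['expected']!r})")
        for w in f["writers"]:
            print("   written by", w)
```

The parser relies on one convention visible in the rows: a registry path ending in a backslash denotes the key's (Default) value (the shell command), a path without one denotes a named value (EnableLUA). Two practical notes on the findings themselves: with VBSFile\Shell\Open\Command pointing at calc.exe, double-clicking any .vbs file launches Calculator instead of wscript.exe, which breaks script-based removal tools and is a visible symptom on an infected host; and EnableLUA=0 only takes effect after a restart, which the inffile Install hijack ("shutdown -r -f -t 0") forces as soon as a user picks Install on any .inf file.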

Suspicious behavior: EnumeratesProcesses

Process Rows
C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe 12
C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe 12
C:\Windows\SysWOW64\drivers\Kazekage.exe 12
C:\Windows\SysWOW64\drivers\system32.exe 12
C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe 12
C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe 4
(Description, Indicator and Target are N/A on every row of this signature; identical rows are collapsed into the count.)

Suspicious use of SetWindowsHookEx

Process Rows
C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe 1
C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe 6
C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe 6
C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe 6
C:\Windows\SysWOW64\drivers\Kazekage.exe 6
C:\Windows\SysWOW64\drivers\system32.exe 6
(Description, Indicator and Target are N/A on every row of this signature; identical rows are collapsed into the count.)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2536 wrote to memory of 2840 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2840 wrote to memory of 2552 (4 writes) N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2840 wrote to memory of 2268 (4 writes) N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2268 wrote to memory of 2816 (4 writes) N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2268 wrote to memory of 2964 (4 writes) N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2268 wrote to memory of 3040 (4 writes) N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 3040 wrote to memory of 1812 (4 writes) N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 3040 wrote to memory of 1920 (4 writes) N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 3040 wrote to memory of 2196 (4 writes) N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 3040 wrote to memory of 2452 (4 writes) N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2452 wrote to memory of 2244 (4 writes) N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2452 wrote to memory of 2616 (4 writes) N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2452 wrote to memory of 600 (4 writes) N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 2452 wrote to memory of 996 (4 writes) N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2452 wrote to memory of 1428 (4 writes) N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 1428 wrote to memory of 552 (4 writes) N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

Every write target is a freshly launched copy of one of the sample's own dropped images (compare the Processes list below), so this table reads as a spawn chain rather than as injection into foreign processes. Laid out by PID:

sample 2536
  smss.exe 2840
    smss.exe 2552
    Gaara.exe 2268
      smss.exe 2816
      Gaara.exe 2964
      csrss.exe 3040
        smss.exe 1812
        Gaara.exe 1920
        csrss.exe 2196
        Kazekage.exe 2452
          smss.exe 2244
          Gaara.exe 2616
          csrss.exe 600
          Kazekage.exe 996
          system32.exe 1428
            smss.exe 552

Note that smss.exe and csrss.exe here borrow the names of Windows system processes, which live in System32 and are never children of a user-mode executable; the image path (C:\Windows\Fonts\...) and the parent are what give them away.
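Reading the spawn chain out of the 'PID X wrote to memory of Y' rows by hand is error-prone once every edge is listed four times. The Python below is an editorial example added to this report, not sandbox output or code from the sample: it parses rows in that table's layout, collapses repeated writes into one parent/child edge while keeping the count, finds the root, renders the tree and answers the incident-response question "how did this PID get here?" with its ancestor chain. The input is constructed from the 16 distinct edges shown above (the first one repeated once to exercise the collapsing); the row format and PIDs are the report's, the helper names are mine.

```python
"""Rebuild the spawn tree from the 'PID X wrote to memory of Y' rows
(editorial example, not part of the report)."""
import re

# Constructed input in the report's row format: the 16 distinct edges from the
# table above, with the first edge repeated once to show duplicate collapsing.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe"
FONTS = r"C:\Windows\Fonts\Admin 20 - 10 - 2024"
DRIVERS = r"C:\Windows\SysWOW64\drivers"
EDGES = [
    (2536, 2840, SAMPLE, FONTS + r"\smss.exe"),
    (2536, 2840, SAMPLE, FONTS + r"\smss.exe"),
    (2840, 2552, FONTS + r"\smss.exe", FONTS + r"\smss.exe"),
    (2840, 2268, FONTS + r"\smss.exe", FONTS + r"\Gaara.exe"),
    (2268, 2816, FONTS + r"\Gaara.exe", FONTS + r"\smss.exe"),
    (2268, 2964, FONTS + r"\Gaara.exe", FONTS + r"\Gaara.exe"),
    (2268, 3040, FONTS + r"\Gaara.exe", FONTS + r"\csrss.exe"),
    (3040, 1812, FONTS + r"\csrss.exe", FONTS + r"\smss.exe"),
    (3040, 1920, FONTS + r"\csrss.exe", FONTS + r"\Gaara.exe"),
    (3040, 2196, FONTS + r"\csrss.exe", FONTS + r"\csrss.exe"),
    (3040, 2452, FONTS + r"\csrss.exe", DRIVERS + r"\Kazekage.exe"),
    (2452, 2244, DRIVERS + r"\Kazekage.exe", FONTS + r"\smss.exe"),
    (2452, 2616, DRIVERS + r"\Kazekage.exe", FONTS + r"\Gaara.exe"),
    (2452, 600, DRIVERS + r"\Kazekage.exe", FONTS + r"\csrss.exe"),
    (2452, 996, DRIVERS + r"\Kazekage.exe", DRIVERS + r"\Kazekage.exe"),
    (2452, 1428, DRIVERS + r"\Kazekage.exe", DRIVERS + r"\system32.exe"),
    (1428, 552, DRIVERS + r"\system32.exe", FONTS + r"\smss.exe"),
]
SAMPLE_ROWS = [f"PID {p} wrote to memory of {c} N/A {src} {dst}"
               for p, c, src, dst in EDGES]

# One row: writer PID, target PID, N/A indicator, writer image, target image.
ROW = re.compile(
    r"^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) N/A "
    r"(?P<src>[A-Za-z]:\\.+?\.exe) (?P<dst>[A-Za-z]:\\.+?\.exe)$"
)


def parse_tree(rows):
    """Return (children, images, writes): children maps a PID to its child PIDs
    in first-seen order, images maps PID to image path, writes counts the rows
    behind each (parent, child) edge. Unparseable rows are skipped, not guessed."""
    children, images, writes = {}, {}, {}
    for row in rows:
        m = ROW.match(row.strip())
        if not m:
            continue
        parent, child = int(m["parent"]), int(m["child"])
        images.setdefault(parent, m["src"])
        images.setdefault(child, m["dst"])
        kids = children.setdefault(parent, [])
        if child not in kids:
            kids.append(child)
        writes[(parent, child)] = writes.get((parent, child), 0) + 1
    return children, images, writes


def roots(children):
    """PIDs that write to others but were never written to: the start of the chain."""
    all_children = {c for kids in children.values() for c in kids}
    return [p for p in children if p not in all_children]


def lineage(children, pid):
    """Ancestor chain from the root down to pid (every PID has one parent here)."""
    parent_of = {c: p for p, kids in children.items() for c in kids}
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return chain[::-1]


def render(children, images, pid, depth=0):
    """Indented text tree, one line per process; image paths shortened to file name."""
    name = images.get(pid, "?").rsplit("\\", 1)[-1]
    lines = ["  " * depth + f"{pid} {name}"]
    for kid in children.get(pid, []):
        lines.extend(render(children, images, kid, depth + 1))
    return lines


if __name__ == "__main__":
    ch, im, wr = parse_tree(SAMPLE_ROWS)
    for root in roots(ch):
        print("\n".join(render(ch, im, root)))
    print("lineage of 552:", " -> ".join(map(str, lineage(ch, 552))))
    print("edges seen more than once:", {e: n for e, n in wr.items() if n > 1})
```

The write count per edge is kept deliberately: on this page every edge carries exactly four writes and every target is a just-launched copy of the sample's own files, which is the signature of plain process creation; an edge with a different count, or whose target image is not one of the dropped files, would be the one to examine for real injection.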

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\system32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe

"C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

(The command line names system32\drivers while the image runs from SysWOW64\drivers: the process is 32-bit, so WOW64 file-system redirection maps its System32 writes and launches to SysWOW64. The same applies to every Kazekage.exe and system32.exe entry that follows; on a 64-bit host, look for these files under SysWOW64\drivers, not System32\drivers.)

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

(ping.exe is launched 30 times in total, alternating between the two command lines above, 15 each. The argument order suggests a flood of the two sites with 65500-byte ICMP payloads was intended, but -l expects a numeric buffer size, so Windows ping.exe rejects these command lines with "Bad value for option -l" before sending anything; consistent with that, the Network section below records no traffic to either host.)

Network

Country Destination Domain Proto
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp (4 identical queries)

The only traffic recorded is a reverse (PTR) lookup for 0.0.255.220 sent to Google's resolver. Neither www.rasasayang.com.my nor www.duniasex.com, the targets of the ping.exe command lines above, was resolved or contacted.

Files

memory/2536-0-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 b0dc6f177e107542de822e68deab2fce
SHA1 ab08cabec8fa3351bb9f8468c974ec77382e55b6
SHA256 d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea
SHA512 2f83891a0f803c34fe45c3ce016337c409eb86619ec163a04d93087a7cd3640de6278650fb42fe7eb90a2bea7b715e5fb757b705a31259d144d4192e916dacf9

(This first drop has the same SHA256 as the analysed sample, i.e. a byte-identical self-copy. Every other executable listed below, including the later drops to this same path and to system32.exe, csrss.exe and 20-10-2024.exe, carries a different hash, and repeated drops of one path differ from each other, so a block on the sample's hash alone does not cover the copies it writes; hunt on the paths, above all the C:\Windows\Fonts\Admin 20 - 10 - 2024 directory and the SysWOW64\drivers executables.)

C:\Windows\system\msvbvm60.dll

MD5 5343a19c618bc515ceb1695586c6c137
SHA1 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA256 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

MD5 bdfad1d69afc00087d13d28b10e476f5
SHA1 09c0c0c5e1023ddecca4db3dd20a0681ce75aa1c
SHA256 d0b8f7fe4d6e5759785e5db30c48b055a09ced33a9e357700f1b385d0d171006
SHA512 25578c66e4c444f5d6e47f7003b5d47ca0a93205ac40d8a47d4bef56d3dcc8c54f94feefd9544b6c7413ebffa15a68892cf5ec46773c591696da1eca17ed5270

memory/2536-32-0x0000000000430000-0x000000000045A000-memory.dmp

memory/2536-37-0x0000000000430000-0x000000000045A000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

MD5 d6b05020d4a0ec2a3a8b687099e335df
SHA1 df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA512 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

MD5 eb8e55c84a914cc988fc0f445df7e42f
SHA1 dcae2048a88cf84505797d072aad8f36f4de81fd
SHA256 7679cb33301e9dec8170e709516f3d962c0a61e5d2825ed633d92c109bd37743
SHA512 3be13b3f9d80631b7c945d3b68cf85302ceddf9ac5ab02b99a3c48f0a927e09db4bd2f5e4d8310da1a787d4913afaf6bfa935054335c43466842036e6667bab0

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 226abee429427c1eb121d6c9213caa4e
SHA1 f70be84bc926e135d6ed6c11b7b46bd3e5dafa40
SHA256 cc697c8c062554b383e51594333f09a61f3f12b5e823151330f18d5ff13b864b
SHA512 e5f63232e42899f6066b666e81ea174f31e2c1ded528c95d9051304f7aff0872779f40e44d272b8a49ad11bab0f0181ba07e7cedabd4a8bc272db3ef5e432168

C:\Windows\SysWOW64\drivers\system32.exe

MD5 d0db69ba531fed8231cd6dbe279fc136
SHA1 416bed0555fa8d82a59526603a9d0de16dd18754
SHA256 d7d3255527d46e356440703ef9301d53e6d3865faa7d2afc1c056a8d9ecb88c5
SHA512 dcb3f0c552e163cd2e5aca1eb397a421adf4986b89c4a6cde8e12ee754804fe94920c8d02685513959e2a4cfab44ad4e8ddbbc3a9b6b76c99baa0568fb149688

C:\Windows\SysWOW64\20-10-2024.exe

MD5 768b4c13afeceef85953771f70afbc4f
SHA1 e8ed9e00e5434a05be1e2282ad5b6cd10a2ca3b8
SHA256 a09d279ba66bbb3ba6a0157cd7c100d5cc2a770b80d3608d4f4633825fd80c50
SHA512 70bfbf6a9dc74db1430b05976c81346aa32e95d9681a25d518b77ee48aea11c063a87a8cd7679daf44e01d8f11feee61d12d3ea1791d03fdca10d697c1631a5a

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

MD5 e16eca0547ed5a0f54a1286a45e46f5d
SHA1 6b86512e01531e1bba560b145a5bc45009ee4889
SHA256 3cc39b5bfbe179ba4e0d73107c2f97139c47195df27566cdf2b55be2e74b171d
SHA512 66002f567df75feeacc01e7535b7bd3cad336d7d0d57345a27d0bf4c1465e0eef92ba7d4714bfa34132149c25cc3f71308df295f120e534a59952404ed541e6e

memory/2552-78-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2840-86-0x0000000001CE0000-0x0000000001D0A000-memory.dmp

memory/2268-89-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2840-81-0x0000000001CE0000-0x0000000001D0A000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

(These are the digests of a zero-byte file: at this point the .jpg was created or truncated empty. The earlier entry for the same path is the non-empty version; hunt on that hash, not on this one, which matches every empty file.)

C:\Windows\SysWOW64\drivers\system32.exe

MD5 e29fba6eb3b80984829bda3b2e17b115
SHA1 d00199ef6d068531195ea895200a385f7dd8df92
SHA256 d56238295effe0262b174d594084fd17d04d265f11b9940624ea3f4d0cd551fa
SHA512 68149ef21fd9073f0c8ea9606261c4cc6b476854fff8838240a23ff312b150cd297f0a00e5f31eecccfea1995b4e860ae7bf915ffc1e02c4ba17f690753976a2

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 c1bb2a84b09bd089bbc5ff809f79d38b
SHA1 d908056ef3a5ddf84522219a05d9a0891b01fed3
SHA256 ce76e24b68b8a04e0cd331ee9386f8eb722a22aa7d813229f2e08bf0bdfb6f40
SHA512 c06d53c0db7e35f2096ef1420917fb1f507c0ed267a37528383423c5b7d59151b0f30dbce10a8858c10a70f8409615c2a6400dc6b014a7af29c41839272dd897

memory/2816-123-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\20-10-2024.exe

MD5 5a7bb330d5796ca9dfd650d020685d8e
SHA1 9104c828161a989c92bc775ea65122285cb4cfc6
SHA256 aab4a52515ec708bc4115c2b82ad53d69b5d43697afce41b6c430997e07125bb
SHA512 86b286ffdacee42b2a9a2f4603b3a1c352c1c8976a111aa36209df89c1fe798adccd6f903be52c57e8f512ec7904402fc66bf0f35a1ef9bfe8e4e52ca8873280

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

MD5 076ded314a87b34eda56c7b106381238
SHA1 169bbc8ba65b7931472b128a57d9a22df95a4246
SHA256 eead078a0595fd23953a52ad7917998f992be800838b1714eae3353731e6a34b
SHA512 8c6614b0abacb81bfef994189e57c2f86c5cd5d8bfd419f24042ed8526d5d7e256e7006c20caa259ba6e8b43b1fc3b96707da1eb8ff92545334f8223d5217fd1

memory/2268-121-0x0000000001D50000-0x0000000001D7A000-memory.dmp

memory/2536-130-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2816-129-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3040-146-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2840-144-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2536-142-0x0000000000430000-0x000000000045A000-memory.dmp

memory/2268-141-0x0000000001D50000-0x0000000001D7A000-memory.dmp

memory/2964-134-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3040-174-0x00000000002C0000-0x00000000002EA000-memory.dmp

memory/2268-186-0x0000000001D50000-0x0000000001D7A000-memory.dmp

memory/2268-185-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1920-184-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2196-193-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1920-191-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3040-199-0x00000000002C0000-0x00000000002EA000-memory.dmp

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 606bd1c91bd755fd24afc5bff5e1abdd
SHA1 f25376f069142edc13e8d7b2e4dc230bac1f5f7f
SHA256 66c5df496d2e854a8a55de047d72ee240f1b8b63fa308a72cfe0d1910317e151
SHA512 ecd9293044be8b47d45916666d51dddf4390ccc2e7049e70f81cbc4bf24550536b0d7b48d7a0493d0ac2bf539272e4f7858fb6dc86725c95e92902bbdcb1914a

memory/2244-231-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3040-230-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\system\msvbvm60.dll

MD5 d59546150d62ff1bd62f4d69b43a970a
SHA1 3688f73e9fd18e61df1d59f3153ce88a7f6b37c5
SHA256 5cd7a9848fe89888e660b08c4e1b0169a43d99c8580206d16641f3cc3f097b71
SHA512 d04c325c00b25c4ba2b4f818bd5525c78a085e8fac771f9f280714deac8a406cbaad49f347029be7abb1b65e35cbfdfc027ba7dfc729306e9db82d64294b3585

C:\Windows\SysWOW64\drivers\system32.exe

MD5 b1509de054e3ceef2c298f8b91718c2e
SHA1 93abe9f56c69bfa750b77798b8d1c37d0bb15cc8
SHA256 2e731bda5565adc557b4327c203a9394fc7166244424b7e4791423ae0cee8d2d
SHA512 5a291ada83930c87b66d8357b3b002f76e4aabc2f13eeccfa11e4a9901f84496330d59a39f2cf109373bd3a5f529a90c69b3e0241419f8c73332200b72e6dba0

C:\Autorun.inf

MD5 1564dfe69ffed40950e5cb644e0894d1
SHA1 201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256 be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA512 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

C:\Admin Games\Readme.txt

MD5 bb5d6abdf8d0948ac6895ce7fdfbc151
SHA1 9266b7a247a4685892197194d2b9b86c8f6dddbd
SHA256 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

C:\Windows\SysWOW64\Desktop.ini

MD5 64acfa7e03b01f48294cf30d201a0026
SHA1 10facd995b38a095f30b4a800fa454c0bcbf8438
SHA256 ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA512 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-20 02:18

Reported

2024-10-20 02:21

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A

Disables use of System Restore points

evasion

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification D:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification F:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File created \??\L:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created D:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\W:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\M:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\P:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created \??\M:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\S:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification F:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created \??\U:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification D:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File created D:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\P:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\R:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\H:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created \??\M:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created \??\O:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\S:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created \??\I:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\N:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File created \??\I:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created D:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created \??\K:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\P:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created \??\E:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File created \??\H:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created \??\R:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File created D:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created \??\L:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\P:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created \??\T:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created \??\K:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\P:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\20-10-2024.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\20-10-2024.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\20-10-2024.exe C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification C:\Windows\SysWOW64\20-10-2024.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\20-10-2024.exe C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\20-10-2024.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\20-10-2024.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification C:\Windows\ C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
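
The Files and registry tables in this report are flattened into single lines (Description, Indicator, Process, Target), which makes them awkward to feed into a hunt or to compare across the two detonations. The following Python is an added example, not part of the sandbox report or its tooling: it parses rows in that layout back into columns and derives three things a responder wants from them: processes that reuse a core system binary name outside System32 (the smss.exe and csrss.exe copies under C:\Windows\Fonts\Admin 20 - 10 - 2024\), the paths the sample writes and which processes wrote them (including msvbvm60.dll, the Visual Basic 6 runtime the sample drops beside its copies), and the file-association handlers under HKLM\SOFTWARE\Classes that were repointed (the .inf Install verb to "shutdown -r -f -t 0" and the VBSFile verbs to "calc.exe", as listed in the "Modifies registry class" table that follows). The sample rows embedded in it are copied verbatim from those tables; the column rule it relies on (the Process column always begins with a drive path and the Target column is always N/A here) is an assumption drawn from this report, not a general sandbox format.

```python
"""Turn flattened sandbox event rows into hunt-ready indicator sets.

Added example for this report, not sandbox output or tooling. SAMPLE_ROWS
are copied verbatim from the Files and registry tables of the report.
Column layout assumed from the table header: Description, Indicator,
Process, Target (Target is always the literal N/A in this report).
"""
from collections import Counter, defaultdict

# Description values that occur in the tables of this report.
DESCRIPTIONS = (
    "File opened for modification",
    "File created",
    "Set value (str)",
    "Key created",
    "Key opened",
)

# Genuine copies of these live only in %SystemRoot%\System32; the same
# file name anywhere else is masquerading (ATT&CK T1036.005).
SYSTEM_PROCESS_NAMES = {"smss.exe", "csrss.exe", "lsass.exe",
                        "services.exe", "winlogon.exe", "svchost.exe"}
LEGIT_SYSTEM_DIRS = {"c:\\windows\\system32"}

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe")

SAMPLE_ROWS = [  # verbatim rows from the report's tables
    rf"File created C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe {SAMPLE} N/A",
    r"File created C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A",
    rf"File opened for modification C:\Windows\ {SAMPLE} N/A",
    rf"File created C:\Windows\WBEM\msvbvm60.dll {SAMPLE} N/A",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A",
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A',
    rf'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" {SAMPLE} N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A',
]


def parse_row(line):
    """Split one flattened row into (description, indicator, process, target).

    The Process column always begins with a drive path, so the last " C:\\"
    in the row marks where the indicator ends and the process starts.
    """
    line = line.strip()
    desc = next((d for d in DESCRIPTIONS if line.startswith(d + " ")), None)
    if desc is None:
        raise ValueError(f"unknown description: {line[:40]!r}")
    rest = line[len(desc) + 1:]
    rest, _, target = rest.rpartition(" ")  # trailing Target column
    split = rest.rfind(" C:\\")
    if split < 0:
        raise ValueError(f"no process path in row: {line[:40]!r}")
    return desc, rest[:split], rest[split + 1:], target


def masquerading_processes(rows):
    """Processes that use a core-system binary name outside System32."""
    found = set()
    for _, _, process, _ in rows:
        directory, _, name = process.rpartition("\\")
        if (name.lower() in SYSTEM_PROCESS_NAMES
                and directory.lower() not in LEGIT_SYSTEM_DIRS):
            found.add(process)
    return found


def dropped_files(rows):
    """Paths written by the sample, mapped to the processes that wrote them."""
    writers = defaultdict(set)
    for desc, indicator, process, _ in rows:
        if desc in ("File created", "File opened for modification"):
            writers[indicator].add(process)
    return dict(writers)


def hijacked_handlers(rows):
    """Shell verb handlers under Classes that were repointed, with the new command."""
    handlers = {}
    for desc, indicator, _, _ in rows:
        if desc != "Set value (str)":
            continue
        key, sep, value = indicator.partition(" = ")
        if sep and "\\Classes\\" in key and key.lower().endswith("\\command\\"):
            handlers[key] = value.strip('"')
    return handlers


def summarize(lines):
    """Parse all rows and return the indicator sets a responder hunts on."""
    rows = [parse_row(line) for line in lines if line.strip()]
    return {
        "masquerading": masquerading_processes(rows),
        "dropped": dropped_files(rows),
        "hijacked_handlers": hijacked_handlers(rows),
        "events_per_process": Counter(r[2] for r in rows),
    }


if __name__ == "__main__":
    for section, value in summarize(SAMPLE_ROWS).items():
        print(f"== {section}")
        for item in (value.items() if hasattr(value, "items") else value):
            print("  ", item)
```

To apply it to the whole report, paste every row from the Files and registry tables into a text file and pass its lines to summarize(); the events_per_process counter then shows how evenly the dropped copies (smss.exe, csrss.exe, Gaara.exe, Kazekage.exe, system32.exe) share the work with the original sample, and the dropped map gives the exact paths to collect before cleanup.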

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\system32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3144 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 3144 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 3144 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2464 wrote to memory of 3632 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2464 wrote to memory of 3632 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2464 wrote to memory of 3632 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2464 wrote to memory of 3528 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2464 wrote to memory of 3528 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2464 wrote to memory of 3528 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 3528 wrote to memory of 2628 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 3528 wrote to memory of 2628 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 3528 wrote to memory of 2628 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 3528 wrote to memory of 4912 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 3528 wrote to memory of 4912 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 3528 wrote to memory of 4912 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 3528 wrote to memory of 4368 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 3528 wrote to memory of 4368 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 3528 wrote to memory of 4368 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 4368 wrote to memory of 2524 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 4368 wrote to memory of 2524 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 4368 wrote to memory of 2524 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 4368 wrote to memory of 2112 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 4368 wrote to memory of 2112 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 4368 wrote to memory of 2112 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 4368 wrote to memory of 3336 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 4368 wrote to memory of 3336 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 4368 wrote to memory of 3336 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 4368 wrote to memory of 2200 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 4368 wrote to memory of 2200 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 4368 wrote to memory of 2200 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2200 wrote to memory of 3940 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2200 wrote to memory of 3940 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2200 wrote to memory of 3940 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2200 wrote to memory of 1216 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2200 wrote to memory of 1216 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2200 wrote to memory of 1216 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2200 wrote to memory of 2024 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 2200 wrote to memory of 2024 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 2200 wrote to memory of 2024 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 2200 wrote to memory of 2604 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2200 wrote to memory of 2604 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2200 wrote to memory of 2604 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2200 wrote to memory of 1512 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2200 wrote to memory of 1512 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2200 wrote to memory of 1512 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 1512 wrote to memory of 3584 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 1512 wrote to memory of 3584 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 1512 wrote to memory of 3584 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 1512 wrote to memory of 1032 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 1512 wrote to memory of 1032 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 1512 wrote to memory of 1032 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 1512 wrote to memory of 4852 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 1512 wrote to memory of 4852 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 1512 wrote to memory of 4852 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 1512 wrote to memory of 4896 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1512 wrote to memory of 4896 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1512 wrote to memory of 4896 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1512 wrote to memory of 3404 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 1512 wrote to memory of 3404 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 1512 wrote to memory of 3404 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 4368 wrote to memory of 1460 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 4368 wrote to memory of 1460 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 4368 wrote to memory of 1460 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3528 wrote to memory of 1048 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe

"C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 233.17.178.52.in-addr.arpa udp

Files

memory/3144-0-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\System\msvbvm60.dll

MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

memory/2464-32-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

MD5 934d5899ad717e8964c0f311b60bbbba
SHA1 92162dd7ab61e54939ccf93727df207827a71d64
SHA256 e0bff0d8906287d87e95caa9ba86cf7d70ae9e73057d5f546c4649c8ab313c79
SHA512 210c77fa28eb63dc40f566b3a55e141fe3c497df87e102b703d3784547aab1f7993a49b9ea0fd0668f36a86774d560f7f202f81f91ddbab268fa86d6e27838c4

C:\Windows\Fonts\The Kazekage.jpg

MD5 d6b05020d4a0ec2a3a8b687099e335df
SHA1 df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA512 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 7012d86e36776a7da066bf46232c2f30
SHA1 f3f2188247f399b2e205cf6f54775b22cd936fad
SHA256 7b89a6389c8d4d0a7bcba3f18ce4fb12c5c48e50bef2fa67777204b96cad227a
SHA512 0d5a579b7e434a3dac58f598798c06ebf8061688690652a72045d01d29daa178dc4462da01f73e565369c2af8e9727daa3ec99f57ba8acb8993b4f88d2717410

C:\Windows\SysWOW64\20-10-2024.exe

MD5 83a5cd0bddffd073cf24fd20945c6143
SHA1 3d6ffc9d4cdc8aac5eaf18f9519a415bc3aec0b0
SHA256 6eaec0595d9e132c3003b4eba86c0e6221ed4cb4011799e4069ced8ada50a2cc
SHA512 f772f8bb13bd040edd2a7784b97c37d4000b9450734197224b31ca5f134fde04f33f5da75f55186bc272cdd900bb2fbeae8ea7b3cf05904e9f11c1a33e346c5c

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

MD5 aa6ddf1639a5fa93ded878abd1937023
SHA1 aa14a246febd5e65b1ffdcfd192825d321108ab5
SHA256 9b301b16f0bb2a3ff0581220f3aa9ead7d7728f2374883e598f3bab5a76ea875
SHA512 75dd7cb99f29883085f5dc7e97172ff04a0e02d22942fda6fd1ad5d09351204b15e05323b18da0cf6968b44890f7a445f16f6570cd6e35f5d299855b3cc658f0

memory/3632-70-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

MD5 c182c845aa415d188c65e62548ca3f8d
SHA1 229bd426b0defc241b65a59fcba629c4e4e987f7
SHA256 6fee297a5fedc80f13a44435c939cdcd39f6b6753db10ff54f9f63e2651644dd
SHA512 d23bc82d60afd7914587b102d10e8ecf63adca48c8a8910c688b063ef60bd40c9d36356de3bcdb6e9c8e66eb3ad6e42e22d0e805fd70c6e610f53892c29d1085

memory/3528-75-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3632-81-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\drivers\system32.exe

MD5 b1509de054e3ceef2c298f8b91718c2e
SHA1 93abe9f56c69bfa750b77798b8d1c37d0bb15cc8
SHA256 2e731bda5565adc557b4327c203a9394fc7166244424b7e4791423ae0cee8d2d
SHA512 5a291ada83930c87b66d8357b3b002f76e4aabc2f13eeccfa11e4a9901f84496330d59a39f2cf109373bd3a5f529a90c69b3e0241419f8c73332200b72e6dba0

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 aa24d3b0093cd5fc3fd31eaeeeaf1b1e
SHA1 42589fdfb114586d6b48ca14147a8287feb3f6b2
SHA256 6718d49fa6317848066e095d7a62b234b0e3f691fc58f02764751182bdd3968d
SHA512 63fd8a2ed4331b652dc8fbc0967a2ffedbe05a04ef0865eaaa81c8fe0d2a0d7a321a41988de2a4d3fb1f57a3ca28bd35a5a0eaff2dd4e803393f6c5d301f9a6a

C:\Windows\SysWOW64\20-10-2024.exe

MD5 65b4a1d1752c8e2a584de087f70c8ac9
SHA1 ca0de370a1331ac3756eb23660865db200c33582
SHA256 b2b8c46b57b5afb6503251d0577de12ef0198331c7080f00bd860a6550c945cc
SHA512 0171a3761bca560d1370c022d0e015f83ba312693e26b22684e9cb709abb4b5ec7b0be0dcaac388f1b5b67161292dfa66264b0f45609da98c417eb9ca96d79ff

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

MD5 ca08da018b5b8a8ea7645d5ff893a73f
SHA1 cd6d8052bcaabc292939fe334fddb398f877f76d
SHA256 a96ec311e183697635dd26b9cc7e7f2864844b85c5eb2e8d4b858337f0ec79da
SHA512 930ae775a32846a4b1ca2e6726fc60d219fbb72cc034d0051cddc730c852385c0c111811870c40443f9372dbe65a2dd43c739112df3cf89d35576b79f0ce51de

memory/2628-114-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4912-118-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4368-121-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\20-10-2024.exe

MD5 7616d8bbe830c25c935238dc07aed48d
SHA1 5282acce5f742ea1061c3c67fe7d1cff6369dcd6
SHA256 881f65bb9c32ca12de57bb02b75b583f0c5461d192a36741933aaa83d799e9b5
SHA512 7e7cc96909660bdbc45662c31c2bf40134ed3173028983166323497f8b8cd671036bf3592396787be5d29c2148b6c5db0768ccd23a1b7711ba6dd82f7dbc1afb

C:\Windows\SysWOW64\drivers\system32.exe

MD5 41f23cddf61b10454dd2547babc78a18
SHA1 0294cf2eb5a6eef563056dd5975d9a454bdf05df
SHA256 0ffa16fb553d47194ced97e7aed4ca16b58855b76087e97ff430cf5937e826ab
SHA512 d0ad97c9478778a0242d4c364d055196ed0a697a18ab8117ba003f9815d15ffc560ff9995dfd5afaa9ba77b4cc2510c46f2477c5fd39dc50e69832988050b9c1

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 de2a4687eb4fc20ffbf8cc1646317574
SHA1 b20c9dba933755613820f58f0d88de5bb260fd79
SHA256 54d4deca00cc9100d1c8545df20593d421f57d619a85338646b4c48def2547b1
SHA512 8fba33056d749413b2dfb54a7964f6c11ac4dba9c2b64b5c481a3d7ba23ea4601aa790f226da2e16ef99f55faaaa71ecd22e1984c07852256b0b83ba828138a1

memory/2524-155-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2112-161-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3336-169-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2200-168-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3144-166-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\20-10-2024.exe

MD5 362e13537acb9afa360fb56a06cd76a3
SHA1 7b3c8e4f9a0cee8bb4fb098abb191245cab88e0c
SHA256 07f2f0bbc35bafeb317e62047e7fadc225fcd358e418ac9f62351b3cd37b1a45
SHA512 957cd38334b6fd9c44a2d9b1c6ab54d3e8e8bb6a106180787821942815d40a391bae67faf881b0a86c098918233293b8ed560188cb674cf1dd543e8b28c70c4f

C:\Windows\SysWOW64\drivers\system32.exe

MD5 c3030f35bd25999fbf6d4484f65d3b23
SHA1 f20182d390f2b5a37509206571b4d682a58b0c53
SHA256 26950a076ccd1bbdffb6f2dcfbb064a32281af14dd437b4af48b3257eeb3bd30
SHA512 b362ac5bc71d1c43b96f7eca34ddfaeb4824b431a28264d4d3d9c523888a796fff93ed7206d596aa8c284b7f39074b844505a1107a039b5f981d35f7a0a2bb38

memory/2464-192-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3940-199-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3528-204-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1216-205-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2024-210-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1512-218-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2604-217-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4368-236-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3584-240-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1032-244-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4852-248-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2200-251-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4896-254-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3404-252-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3404-258-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1460-262-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1048-268-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2636-272-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4424-276-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1512-275-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2592-280-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2888-284-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3428-288-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2764-292-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3908-296-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1428-300-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3144-301-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3528-303-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2464-302-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4368-304-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2200-305-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1512-306-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Gaara.exe

MD5 b0dc6f177e107542de822e68deab2fce
SHA1 ab08cabec8fa3351bb9f8468c974ec77382e55b6
SHA256 d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea
SHA512 2f83891a0f803c34fe45c3ce016337c409eb86619ec163a04d93087a7cd3640de6278650fb42fe7eb90a2bea7b715e5fb757b705a31259d144d4192e916dacf9

C:\Autorun.inf

MD5 1564dfe69ffed40950e5cb644e0894d1
SHA1 201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256 be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA512 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

C:\Admin Games\Readme.txt

MD5 bb5d6abdf8d0948ac6895ce7fdfbc151
SHA1 9266b7a247a4685892197194d2b9b86c8f6dddbd
SHA256 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

memory/3144-368-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\Desktop.ini

MD5 64acfa7e03b01f48294cf30d201a0026
SHA1 10facd995b38a095f30b4a800fa454c0bcbf8438
SHA256 ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA512 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

memory/3528-452-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4368-494-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2200-536-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2464-580-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1512-584-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Admin Games\Gaara games - Naruto.exe

MD5 5a23920559e53f8a5967308e32938097
SHA1 91e49d205a57670541f9b685f80fb157d8330c69
SHA256 cc65abe6f00896cf3868ba5f22a74ce56d6eb58803d84280866638674f03d34d
SHA512 bdcbd005f60d574357e1d2969b3a8232951617a953f4c26ea5fa1b8cbd188ea1ccfab962d70d870021af61319a5986521e059b538b6a1260277d0b04f95ccb60