Malware Analysis Report

2025-03-15 08:25

Sample ID 241020-zpcrdszbma
Target 2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN
SHA256 2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faa
Tags
discovery evasion persistence ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faa

Threat Level: Known bad

The file 2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence ransomware trojan

Modifies WinLogon for persistence

UAC bypass

Modifies visibility of file extensions in Explorer

Modifies visiblity of hidden/system files in Explorer

Disables RegEdit via registry modification

Drops file in Drivers directory

Event Triggered Execution: Image File Execution Options Injection

Disables use of System Restore points

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Drops desktop.ini file(s)

Enumerates connected drives

Sets desktop wallpaper using registry

Drops autorun.inf file

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Modifies Control Panel

Modifies Internet Explorer settings

System policy modification

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-20 20:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-20 20:53

Reported

2024-10-20 20:55

Platform

win7-20240903-en

Max time kernel

119s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Disables use of System Restore points

evasion

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\B:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification \??\I:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\K:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\P:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\T:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\J:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created \??\A:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification F:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File created \??\O:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\X:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\H:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created \??\L:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\G:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created \??\L:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\U:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification \??\P:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created \??\K:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created \??\U:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created \??\T:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File created \??\A:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created \??\E:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created D:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\E:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File created \??\L:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created \??\S:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created \??\S:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification F:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\I:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created \??\N:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created D:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created D:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created \??\J:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\B:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification D:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\G:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\K:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File created \??\G:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\V:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification D:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\L:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\20-10-2024.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\20-10-2024.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\20-10-2024.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\20-10-2024.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification C:\Windows\SysWOW64\20-10-2024.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification C:\Windows\SysWOW64\20-10-2024.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\20-10-2024.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File created C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2532 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2532 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2532 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2532 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2316 wrote to memory of 2744 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2316 wrote to memory of 2744 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2316 wrote to memory of 2744 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2316 wrote to memory of 2744 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2316 wrote to memory of 2884 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2316 wrote to memory of 2884 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2316 wrote to memory of 2884 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2316 wrote to memory of 2884 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2884 wrote to memory of 660 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2884 wrote to memory of 660 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2884 wrote to memory of 660 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2884 wrote to memory of 660 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2884 wrote to memory of 852 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2884 wrote to memory of 852 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2884 wrote to memory of 852 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2884 wrote to memory of 852 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2884 wrote to memory of 2420 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 2884 wrote to memory of 2420 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 2884 wrote to memory of 2420 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 2884 wrote to memory of 2420 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 2420 wrote to memory of 1312 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2420 wrote to memory of 1312 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2420 wrote to memory of 1312 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2420 wrote to memory of 1312 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2420 wrote to memory of 1644 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2420 wrote to memory of 1644 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2420 wrote to memory of 1644 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2420 wrote to memory of 1644 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2420 wrote to memory of 1872 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 2420 wrote to memory of 1872 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 2420 wrote to memory of 1872 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 2420 wrote to memory of 1872 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 2420 wrote to memory of 2952 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2420 wrote to memory of 2952 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2420 wrote to memory of 2952 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2420 wrote to memory of 2952 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2952 wrote to memory of 288 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2952 wrote to memory of 288 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2952 wrote to memory of 288 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2952 wrote to memory of 288 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2952 wrote to memory of 2700 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2952 wrote to memory of 2700 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2952 wrote to memory of 2700 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2952 wrote to memory of 2700 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2952 wrote to memory of 1792 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 2952 wrote to memory of 1792 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 2952 wrote to memory of 1792 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 2952 wrote to memory of 1792 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 2952 wrote to memory of 444 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2952 wrote to memory of 444 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2952 wrote to memory of 444 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2952 wrote to memory of 444 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2952 wrote to memory of 2200 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2952 wrote to memory of 2200 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2952 wrote to memory of 2200 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2952 wrote to memory of 2200 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2200 wrote to memory of 1920 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2200 wrote to memory of 1920 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2200 wrote to memory of 1920 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2200 wrote to memory of 1920 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe

"C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

Network

Country Destination Domain Proto
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp

Files

memory/2532-0-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\system\msvbvm60.dll

MD5 5343a19c618bc515ceb1695586c6c137
SHA1 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA256 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

memory/2532-38-0x0000000000370000-0x0000000000395000-memory.dmp

memory/2532-37-0x0000000000370000-0x0000000000395000-memory.dmp

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

MD5 3bd90d60caf8374c5c9308fb5cb7546e
SHA1 566e325260ced8aa91a8a93a30bb13a4ca80d0e8
SHA256 175132a39fd49332a3625db28210df0f1961c94b3fbe1842b101b88d9e288f71
SHA512 e93cad4ef3beffb05c718f4cae628da6cc00092e0bcf49010e82c7788faef856c71d27a5f3946ef0fb20b791ff7a9ef5511b6f2925c274662cb671d9c88f8dc6

memory/2316-40-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

MD5 d6b05020d4a0ec2a3a8b687099e335df
SHA1 df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA512 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

MD5 9282cb96a81b717856654b58155868b2
SHA1 755455f9bf2e3d21b42aaf6c4ada103ff2d5f72d
SHA256 0c7ff96075ce7a60b72ba913c348294d6d6da29af837fff2c58e2daebb5572eb
SHA512 527f19c86af0f830c9dd0d9a24699db0703990073b646ca5a143fd257aef202d24c49394df55ed390e0cfa2f9240171ab2cd9aaad662b9694a6fa502475e403f

memory/2316-88-0x00000000004B0000-0x00000000004D5000-memory.dmp

memory/2316-83-0x00000000004B0000-0x00000000004D5000-memory.dmp

memory/2744-80-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\SysWOW64\drivers\system32.exe

MD5 4fbcacc1094eac2e1bc582757dd7591d
SHA1 bd5be326b1fe7bd41c2b869fc57c27572aadde1e
SHA256 23be4170635ec5f14154a668e1e1fddffa84cd1e810d5bb5f9fe45e6cfc074e5
SHA512 978550d37ef7941f5d7969509d6c2634cca0b940881deedd18efb5c1a973a296fdb443daf4dc4e20adfeb3c17629de2a9c09bf20f2ed418134ef45c243ca67ca

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 db2e2332d20dde5949830da95c35e451
SHA1 dd9b5c09ea65e06aba32db0e09bb66e12e3a6e74
SHA256 b2ca65c3c85384507cff61cfea5f0e02c12e48c7b61b4a41143065967edd7739
SHA512 9bd6b58d1c43966082e2e7cca37c6a7a3ea1a255d89333ec08ffd9d2c4c8f7c48c2d9a81b3a2c0ab19771d10c09cda971bbf91ec4aab2fec7efca28468345f79

memory/2884-123-0x0000000000300000-0x0000000000325000-memory.dmp

memory/660-128-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2884-138-0x0000000000300000-0x0000000000325000-memory.dmp

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

MD5 fb6bdd76dcdd868e5f6ffb6f6f0d36a9
SHA1 fe29842c5702b65677bb7eb6f5200445b7a10c7f
SHA256 4a50285c826fda586d302b12a8c8e2bb9c30782c27ae30fa60f1b29e46b16d77
SHA512 e5c3731f3abd7acf9b2b5a8f55723b0b6297d31d5af1d6f37c2ed55cc57a4656100c14d9f2604aa821b178e89c80f10006b58bd6b30c88bf59f9408451770851

memory/2420-170-0x0000000001DD0000-0x0000000001DF5000-memory.dmp

memory/1644-184-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2952-196-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 efcc6533e2ae1e6aa8c868fe7ed4e787
SHA1 cb7c307c52d03da5262abda43153f642dc3a8d79
SHA256 0a12724cdea3644a47d7afd29c866eeb8c42cf6880bcb61d81b75ce2b5a66646
SHA512 57081df986b2de7fe6b493bc3cfe4c9662a3c59d00cf3a0916a14def6b56df4f2cda9e897dd8737e5f09040c39073a115cded5333db1c0fd1fef68eccc2a770f

C:\Windows\SysWOW64\20-10-2024.exe

MD5 8379b7845884038d98981b8ef1925784
SHA1 abd5df562b24dad2c3466e4685d2e78178add471
SHA256 8a90adc8c781daf93a352224b4ba3f378a600dba34559769cf99ebfe13a6cc4e
SHA512 57f1e32c626ac9f66dad24da6dfc4fc3b6bed12c0af0c0c03805c3aa53c9f9be5587308aaf892fc72223c632676cc18d63ccd2ee2b5dd656e022bedbcedaa33a

memory/288-218-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2952-215-0x0000000000290000-0x00000000002B5000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1792-223-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\SysWOW64\drivers\system32.exe

MD5 212bc7206f0cc0959fde47a7a154f4a2
SHA1 0180abc3866cddc27762a53ced108a870cc6e64d
SHA256 6adb01c65cebac4f29d9d1982d78edf4209727d817738543bc157e39e6b8459b
SHA512 4541359346ef98af136e01329496ab28a8a4acf58f2a34e6a46f8cdff1644f5c16b38c4e43adfb17345bb7ed28ab498adbedf1261a77986d893de6cc2b0a2957

memory/1500-249-0x0000000000400000-0x0000000000425000-memory.dmp

memory/1920-246-0x0000000000400000-0x0000000000425000-memory.dmp

memory/1972-253-0x0000000000400000-0x0000000000425000-memory.dmp

memory/1320-255-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2492-259-0x0000000000400000-0x0000000000425000-memory.dmp

memory/1548-258-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3048-265-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3032-272-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2568-275-0x0000000000400000-0x0000000000425000-memory.dmp

memory/1648-278-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2328-282-0x0000000000400000-0x0000000000425000-memory.dmp

memory/1840-284-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2296-287-0x0000000000400000-0x0000000000425000-memory.dmp

memory/1880-290-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2316-269-0x00000000004B0000-0x00000000004D5000-memory.dmp

memory/1480-268-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2492-263-0x0000000000400000-0x0000000000425000-memory.dmp

memory/444-226-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2952-228-0x0000000000290000-0x00000000002B5000-memory.dmp

memory/1872-188-0x0000000000400000-0x0000000000425000-memory.dmp

memory/1312-175-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\SysWOW64\drivers\system32.exe

MD5 65c606eea5b6744e45e0fcce0ca6b77d
SHA1 8d1ea48c5a51793c64564d940820b7b2345c8840
SHA256 7576031c986ab138b061eb01bdaa218e6b57b92d79884722b7d423a85de2fc7e
SHA512 a3f5d804c27048ca7e9d4b25cd5e127c875de1978e235b76848e0590dbd77e4ef6c703ccca36ceb09af6d44eb7a4b154aa510347a1319a27073a9725f38d15e2

C:\Windows\SysWOW64\20-10-2024.exe

MD5 a6e0bc844a16ca3db35709e5e95e34ae
SHA1 4bb668c25b40c0e72cf8764a61b155d5402de315
SHA256 9b1e9709b17ccb17c6e48004b2fcac1e73cce041ab1ea46c2d8700a4adf28502
SHA512 978418e674ad67751681135bdf5252cf8fa6bdd9e0b4dc1d3fef872e09bfda2801a35ecbd271c6e592f79317e682bd279beb348c06cb8a4f4f1a284356a418a6

memory/852-133-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\SysWOW64\20-10-2024.exe

MD5 73fb0d2d10983fde7328cc3fe5229b24
SHA1 66e344ce6ab2c8a69040fa3662c4d5ad7aa0d691
SHA256 6f16969ae072f587af356e23c3876f4b8add161378a2be977780c785ac34b0e9
SHA512 54856aa4079d257508f0cff68e4c262530b4ce1f6c96876774cc17c63e2a73b7b3f33fb4f631ec0283fca3f6853fad0b669cfc4f2fda28117b9f93b6ee90077c

memory/2532-294-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2316-295-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2884-296-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2420-297-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2420-298-0x0000000001DD0000-0x0000000001DF5000-memory.dmp

memory/2952-299-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Gaara.exe

MD5 6dbe40009804b357c85a299434813aa0
SHA1 58812cb57ffb28323abbc14649bc82bdf9399aad
SHA256 2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faa
SHA512 571eef0bd5b0f9891ff3bc584c4cc6cd15d82dcf09363365f2b96451f15d07b953cc0c25c963bb8fcfef8366a65947d6d9535320650e438b264317e2a6bd3ec4

C:\Autorun.inf

MD5 1564dfe69ffed40950e5cb644e0894d1
SHA1 201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256 be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA512 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

C:\Admin Games\Readme.txt

MD5 bb5d6abdf8d0948ac6895ce7fdfbc151
SHA1 9266b7a247a4685892197194d2b9b86c8f6dddbd
SHA256 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

C:\Windows\SysWOW64\Desktop.ini

MD5 64acfa7e03b01f48294cf30d201a0026
SHA1 10facd995b38a095f30b4a800fa454c0bcbf8438
SHA256 ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA512 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

memory/2200-554-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\SysWOW64\20-10-2024.exe

MD5 8ada103b31813e2388b427b0ae9aa8d2
SHA1 097ec6673e6d4c89c3d0cbbc729e4eb31904750a
SHA256 1ecf46f286ac895a9d859189dcbdc2c6dd1bf8d71fdeb68e7c75413ef5578b6b
SHA512 9e9f49f6f800c7627af27cb8b3efd21d78669d3dd8c29b2677ca866bb675945218f23f8f344e1f1a38aee49992113d20c58f6090b225ee0bd14ae7c167b683dc

C:\Windows\mscomctl.ocx

MD5 3e435c0dfe3730ec604ba6ecfd5780cc
SHA1 3f65a353ad0e0c42e1296793bed416851a9ece35
SHA256 f3af0d276b88b8a4234db86a8746a616346d5b9e80233d80b8879aee445a5478
SHA512 988f0e9b1207a59c191836755cebeaf7a101d9a2b305902eafb969c3644440b7eb7c78e959862bb7df4c8bd15452e305a25cc52a441554182edbf7860eaedf7c

C:\Windows\SysWOW64\MSCOMCTL.OCX

MD5 82a1de046f224235d91ea9eee64de02a
SHA1 eb9bd7bff44dd873a6c001e3a99dc573e5aa302c
SHA256 baf55f26c65f9b491d2dea5b9f124b22b756361e3684373b2c74beb061039f8d
SHA512 4c2febfad0dce8d8f2cc9169a728cc8e37ca79a815757f99501866f0a70bfa16dbaa0ae71c6117b221ce4f9f808fc38295789546cb0741e0d25700e5b130f7a4

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-20 20:53

Reported

2024-10-20 20:55

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

105s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A

Disables use of System Restore points

evasion

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\N:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification D:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\T: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File created \??\G:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created \??\L:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\V:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created \??\H:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\P:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created \??\A:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\L:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File created \??\E:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\T:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\K:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\B:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification D:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created \??\P:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\K:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created \??\A:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\M:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created \??\J:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created \??\G:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created \??\R:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created \??\J:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File created \??\M:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created \??\V:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created \??\W:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File created D:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created \??\R:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\X:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created D:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created \??\H:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\T:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\K:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created \??\M:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created \??\M:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\W:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\G:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\V:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created \??\N:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created \??\B:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\20-10-2024.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification C:\Windows\SysWOW64\20-10-2024.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\20-10-2024.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification C:\Windows\SysWOW64\20-10-2024.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\20-10-2024.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\20-10-2024.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\20-10-2024.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File created C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\ C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File created C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Screen Saver.Marquee C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\system32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 728 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 728 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 728 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 1536 wrote to memory of 2820 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 1536 wrote to memory of 2820 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 1536 wrote to memory of 2820 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 1536 wrote to memory of 2436 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 1536 wrote to memory of 2436 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 1536 wrote to memory of 2436 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2436 wrote to memory of 5080 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2436 wrote to memory of 5080 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2436 wrote to memory of 5080 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2436 wrote to memory of 2796 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2436 wrote to memory of 2796 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2436 wrote to memory of 2796 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2436 wrote to memory of 1236 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 2436 wrote to memory of 1236 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 2436 wrote to memory of 1236 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 1236 wrote to memory of 2268 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 1236 wrote to memory of 2268 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 1236 wrote to memory of 2268 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 1236 wrote to memory of 3080 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 1236 wrote to memory of 3080 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 1236 wrote to memory of 3080 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 1236 wrote to memory of 412 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 1236 wrote to memory of 412 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 1236 wrote to memory of 412 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 1236 wrote to memory of 4648 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1236 wrote to memory of 4648 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1236 wrote to memory of 4648 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 4648 wrote to memory of 2636 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 4648 wrote to memory of 2636 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 4648 wrote to memory of 2636 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 4648 wrote to memory of 2068 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 4648 wrote to memory of 2068 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 4648 wrote to memory of 2068 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 4648 wrote to memory of 2424 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 4648 wrote to memory of 2424 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 4648 wrote to memory of 2424 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 4648 wrote to memory of 2776 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 4648 wrote to memory of 2776 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 4648 wrote to memory of 2776 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 4648 wrote to memory of 3652 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 4648 wrote to memory of 3652 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 4648 wrote to memory of 3652 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3652 wrote to memory of 3100 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 3652 wrote to memory of 3100 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 3652 wrote to memory of 3100 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 3652 wrote to memory of 3880 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 3652 wrote to memory of 3880 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 3652 wrote to memory of 3880 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 3652 wrote to memory of 2832 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 3652 wrote to memory of 2832 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 3652 wrote to memory of 2832 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 3652 wrote to memory of 224 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3652 wrote to memory of 224 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3652 wrote to memory of 224 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3652 wrote to memory of 3508 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3652 wrote to memory of 3508 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3652 wrote to memory of 3508 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 1236 wrote to memory of 4524 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 1236 wrote to memory of 4524 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 1236 wrote to memory of 4524 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2436 wrote to memory of 3400 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe

"C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 107.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/728-0-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

MD5 fb6bdd76dcdd868e5f6ffb6f6f0d36a9
SHA1 fe29842c5702b65677bb7eb6f5200445b7a10c7f
SHA256 4a50285c826fda586d302b12a8c8e2bb9c30782c27ae30fa60f1b29e46b16d77
SHA512 e5c3731f3abd7acf9b2b5a8f55723b0b6297d31d5af1d6f37c2ed55cc57a4656100c14d9f2604aa821b178e89c80f10006b58bd6b30c88bf59f9408451770851

C:\Windows\System\msvbvm60.dll

MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

memory/1536-32-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

MD5 3bd90d60caf8374c5c9308fb5cb7546e
SHA1 566e325260ced8aa91a8a93a30bb13a4ca80d0e8
SHA256 175132a39fd49332a3625db28210df0f1961c94b3fbe1842b101b88d9e288f71
SHA512 e93cad4ef3beffb05c718f4cae628da6cc00092e0bcf49010e82c7788faef856c71d27a5f3946ef0fb20b791ff7a9ef5511b6f2925c274662cb671d9c88f8dc6

C:\Windows\SysWOW64\drivers\system32.exe

MD5 e3b2175793b43cdb395a9b314992cdf5
SHA1 ce28fc662cb9e1571c5a7f63ed23a22d649eb8c2
SHA256 0d4802bbe5fb209fe3d957c5131c08d0a41cba524a556be0c8ed429d5fa162f1
SHA512 4ce906676c2b3698cbad03e8059b95bfa7a99a902568a75b21fac78d0575149c15138a669be7721798405b29828a3bec14dca43e3cf9917e6a02de374631cf73

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 048bd18b5c71e09797a78162df0baa6b
SHA1 7addd638af6d9b76494557c202df8e733818f26c
SHA256 27da05338f43dbe2aca0e2cda0f69a3499d5f50af255cd820ae08d4a07d64611
SHA512 b15e782c7ef70ee67023852b64d2efece5362130b3ca9cce122030e6110d03b6557e2ca45254a14983a2554eb0d62ae89b57c48db398e452bee7342bc5d40309

C:\Windows\SysWOW64\20-10-2024.exe

MD5 9bc77e510416dafc360b56339efa34d3
SHA1 d7ad3e95d588db3388c677b6c9e479e28da031a4
SHA256 291f279a9477d40209df62f8c6dae17e82e863499c2b9e36fff538d467df0b38
SHA512 12205ef72ac71ef2f135ec3f8af4a9450745ddf7738e70e77e16f2a153789e55157a618460e2db26eb9b4217ece0586bba181ef85d4cbd09e906eb53c52d5db4

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

MD5 e7ca3bfaca57a3f87eb7ba4eda94465f
SHA1 22b1db95cd9aff53ea17ff0883a39470b0fc3607
SHA256 4136a53f9819a55c3daf3e26fd12922a9d4f5a9aeb4188697ad9940da50e281f
SHA512 4a07d609da84feb0cb6cb5f99ab8ce70d18ec3299995dc44b07ef1dcd0420d93b65d4303cd2f8f97b7ad676033c25ad6c1e6d1a727940f6ba7e6e8c144a60f74

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

MD5 9282cb96a81b717856654b58155868b2
SHA1 755455f9bf2e3d21b42aaf6c4ada103ff2d5f72d
SHA256 0c7ff96075ce7a60b72ba913c348294d6d6da29af837fff2c58e2daebb5572eb
SHA512 527f19c86af0f830c9dd0d9a24699db0703990073b646ca5a143fd257aef202d24c49394df55ed390e0cfa2f9240171ab2cd9aaad662b9694a6fa502475e403f

C:\Windows\Fonts\The Kazekage.jpg

MD5 d6b05020d4a0ec2a3a8b687099e335df
SHA1 df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA512 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

memory/2436-74-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2820-79-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\SysWOW64\drivers\system32.exe

MD5 212bc7206f0cc0959fde47a7a154f4a2
SHA1 0180abc3866cddc27762a53ced108a870cc6e64d
SHA256 6adb01c65cebac4f29d9d1982d78edf4209727d817738543bc157e39e6b8459b
SHA512 4541359346ef98af136e01329496ab28a8a4acf58f2a34e6a46f8cdff1644f5c16b38c4e43adfb17345bb7ed28ab498adbedf1261a77986d893de6cc2b0a2957

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 4ba3309b3ab1f0587f2071599720cf17
SHA1 ccff4590dcdd2b3afb2179027251e120e73830e1
SHA256 d526548d5959aa16a3a5845782d9eeaa913267826990081d4916c0e8cd927115
SHA512 9be89b7485a7c70b358276dc196358aff5bf27d88ed88acbfcc774690a58ea2d3afa663f1ccabcf76d16296816e1cb62210f464f66bf80848871fd21d9fcb208

memory/2796-113-0x0000000000400000-0x0000000000425000-memory.dmp

memory/5080-112-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\SysWOW64\20-10-2024.exe

MD5 8379b7845884038d98981b8ef1925784
SHA1 abd5df562b24dad2c3466e4685d2e78178add471
SHA256 8a90adc8c781daf93a352224b4ba3f378a600dba34559769cf99ebfe13a6cc4e
SHA512 57f1e32c626ac9f66dad24da6dfc4fc3b6bed12c0af0c0c03805c3aa53c9f9be5587308aaf892fc72223c632676cc18d63ccd2ee2b5dd656e022bedbcedaa33a

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

MD5 5afb715fbeaac6764831482ff7635167
SHA1 809dde8955de1960e89d28f0465ad863157af855
SHA256 5fc0d8c65ed8315da3a960d189bcdf0ead598fc732b8aa7f634b061db20c955f
SHA512 e9aa7af675ed1490b514aafde204ac1ba8b796912da5ab67e94cd453fda181415d997730fa75fbaab69ddfece509328310525041c7b3018d748cbed5eca8a5c2

memory/1236-121-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2796-120-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\SysWOW64\20-10-2024.exe

MD5 ca230a22683fd680caab5cc38404e9a5
SHA1 6164ac26578136b5ab9f8b8612b875f7e9a05a60
SHA256 cc43eb59ebbc3b28adbfa2078be535dd67dc740caf8c6803b9cf634c7567ba67
SHA512 9406453a8bcc46583af4103ef9cb9f67b8193ec72e7d1d900d196a77a9aec16a2c3260e825bdaa2a69f376605b9c731b240a5262c4b57259893ffb6416a86e8f

memory/2268-148-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\SysWOW64\drivers\system32.exe

MD5 ae6b872429870ddff9a45ff8a85f4c5a
SHA1 503e17e1c382bfc9d85801a31d92ce13382362c3
SHA256 d657ae7c1280c0143ce6437c2a4b0935ad9c9c4ee8974b74b956595cb77c13e4
SHA512 7b4b3c955a0530d88002eed35cca122d216af0f66cc721a65c01700f3b2153fa49f8f9573c4b2cedbde00b4d2e63ad0237c95921c30dda27246c672c2b84df0a

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 4c49fd4600a33865575366848b0d8323
SHA1 d8670f0397197b8270b9d2a350e46c5e24fef796
SHA256 c38fd4d88cd6ff49395542f26672cc768562758d47276080ecc39ee6cf4ac6f4
SHA512 dd84201f4cb87c49032f60a7a51e0f2e3695f744d6eeeb017a55cefb3165a059c0df81dcd5b14f06f09720a661a349d44ffb77a828d5c88d6937bc9d9513600c

memory/2268-153-0x0000000000400000-0x0000000000425000-memory.dmp

memory/412-157-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3080-159-0x0000000000400000-0x0000000000425000-memory.dmp

memory/4648-165-0x0000000000400000-0x0000000000425000-memory.dmp

memory/412-164-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\SysWOW64\drivers\system32.exe

MD5 0c127913eac952b44aaaed1affb87eaa
SHA1 1898d3670497d39eff6dd28741d452c5b75dd93b
SHA256 6d0ab9fbeffaa45e7aa525153625e0acc8adda85bdc9b7be26eaca3fe7dc57ee
SHA512 3ba652ede777a748e063921f6b910ff0f48948fd017a7f1f79fa55bc6582fb21e01bb304644c2a5c4708cee36eec09ac18484e0567baf17aa5e43037c6c1b6f9

C:\Windows\SysWOW64\20-10-2024.exe

MD5 abb9d61d22e1d5d7b552e4f32e5488fa
SHA1 4f088674805b2f95cd849cc7dd73a95096100557
SHA256 6d34c903718872a1afd1db3c2eeae7f99b8e06b373477bf9e8bdecb4a44e68ac
SHA512 ba89dfd0d3e6cf9dd7c245550087abd97a47be101e0fc2581386a7c0f2584be224f9462031fe3ce609c115a472d86ee70da200e441a9ee1eb1d22894052882b5

memory/2636-193-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2068-198-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2424-202-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2776-203-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2776-207-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3652-209-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\SysWOW64\20-10-2024.exe

MD5 0a5852de08c38d59cb23af7b1c19e247
SHA1 2380030d1f0711e9507cbda9b71a778a2f56a94c
SHA256 68bcaa8bc2bdf20ced846a31f07fd8f9f7a1076917e75687cc05dfb38fb39612
SHA512 bce1be43e1de8fb50806ca677929cbdd4af15b0fac2c5669a431a9afd62bc438bf21dc7c00dcff05ab17d4ae8400464941ec03568c45ecf446a8cb22dd906d5a

memory/3100-230-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3880-233-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2832-236-0x0000000000400000-0x0000000000425000-memory.dmp

memory/224-239-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3508-242-0x0000000000400000-0x0000000000425000-memory.dmp

memory/4524-245-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3400-251-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2028-254-0x0000000000400000-0x0000000000425000-memory.dmp

memory/1228-257-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3036-260-0x0000000000400000-0x0000000000425000-memory.dmp

memory/1404-263-0x0000000000400000-0x0000000000425000-memory.dmp

memory/4636-266-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3528-269-0x0000000000400000-0x0000000000425000-memory.dmp

memory/4356-272-0x0000000000400000-0x0000000000425000-memory.dmp

memory/1412-275-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Autorun.inf

MD5 1564dfe69ffed40950e5cb644e0894d1
SHA1 201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256 be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA512 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

C:\Admin Games\Readme.txt

MD5 bb5d6abdf8d0948ac6895ce7fdfbc151
SHA1 9266b7a247a4685892197194d2b9b86c8f6dddbd
SHA256 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

C:\Windows\SysWOW64\Desktop.ini

MD5 64acfa7e03b01f48294cf30d201a0026
SHA1 10facd995b38a095f30b4a800fa454c0bcbf8438
SHA256 ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA512 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

C:\Admin Games\Kazekage VS Hokage.exe

MD5 227a734fb82e43494db426a5e2af615a
SHA1 cc6727bca37f39185f3ec062876450cbd0d3c713
SHA256 3da8b70117e04e56d89a38f45332fcd66c9441780cd17099628c3099268c1678
SHA512 7d2a810771c2d1acb9ebfe0ca9f2c6c95b787e6cdc27652c42f9e020b4a5789eb1e6116b7909930be5e729296d572e66a192989ec376610079f68071b67cd2e1

memory/728-530-0x0000000000400000-0x0000000000425000-memory.dmp

memory/1536-531-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2436-532-0x0000000000400000-0x0000000000425000-memory.dmp

memory/1236-533-0x0000000000400000-0x0000000000425000-memory.dmp

memory/4648-534-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3652-535-0x0000000000400000-0x0000000000425000-memory.dmp