Malware Analysis Report

2025-03-15 08:27

Sample ID 241020-zr8lva1gqm
Target 2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN
SHA256 2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faa
Tags
discovery evasion persistence ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faa

Threat Level: Known bad

The file 2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence ransomware trojan

Modifies visibility of file extensions in Explorer

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

UAC bypass

Disables use of System Restore points

Disables RegEdit via registry modification

Event Triggered Execution: Image File Execution Options Injection

Drops file in Drivers directory

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Enumerates connected drives

Drops desktop.ini file(s)

Drops file in System32 directory

Drops autorun.inf file

Sets desktop wallpaper using registry

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

System Network Configuration Discovery: Internet Connection Discovery

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

System policy modification

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Modifies Control Panel

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-20 20:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-20 20:58

Reported

2024-10-20 21:00

Platform

win7-20240903-en

Max time kernel

130s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A

Disables use of System Restore points

evasion

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" | C:\Windows\SysWOW64\drivers\system32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | C:\Windows\SysWOW64\drivers\system32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" | C:\Windows\SysWOW64\drivers\system32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" | C:\Windows\SysWOW64\drivers\system32.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\drivers\system32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | \??\N:\Desktop.ini | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened for modification | \??\Q:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened for modification | F:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | \??\Z:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | \??\J:\Desktop.ini | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened for modification | D:\Desktop.ini | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | \??\N:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened for modification | \??\U:\Desktop.ini | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | \??\T:\Desktop.ini | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened for modification | \??\P:\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | \??\W:\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | \??\X:\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | \??\Y:\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | \??\W:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened for modification | \??\G:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | \??\W:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | \??\H:\Desktop.ini | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened for modification | \??\R:\Desktop.ini | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened for modification | \??\J:\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | \??\V:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened for modification | \??\A:\Desktop.ini | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | \??\V:\Desktop.ini | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | \??\V:\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | \??\R:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened for modification | \??\B:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened for modification | \??\I:\Desktop.ini | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | \??\P:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened for modification | \??\A:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened for modification | \??\O:\Desktop.ini | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | \??\E:\Desktop.ini | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened for modification | \??\Y:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened for modification | \??\N:\Desktop.ini | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | \??\A:\Desktop.ini | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened for modification | \??\L:\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | \??\B:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | \??\M:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened for modification | \??\R:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened for modification | \??\E:\Desktop.ini | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | \??\A:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | \??\P:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | \??\S:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | C:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened for modification | \??\O:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened for modification | \??\R:\Desktop.ini | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | \??\N:\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | \??\V:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened for modification | \??\Y:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened for modification | \??\N:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | \??\S:\Desktop.ini | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened for modification | \??\I:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | D:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened for modification | \??\Z:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened for modification | \??\B:\Desktop.ini | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened for modification | \??\X:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened for modification | \??\L:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | \??\M:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | \??\R:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | F:\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | \??\G:\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | \??\M:\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | D:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened for modification | \??\I:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened for modification | \??\H:\Desktop.ini | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | \??\P:\Desktop.ini | C:\Windows\SysWOW64\drivers\system32.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\B: | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened (read-only) | \??\A: | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened (read-only) | \??\A: | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened (read-only) | \??\B: | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened (read-only) | \??\B: | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened (read-only) | \??\A: | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened (read-only) | \??\A: | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A

Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | \??\I:\Autorun.inf | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File created | \??\V:\Autorun.inf | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened for modification | \??\Q:\Autorun.inf | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File created | \??\K:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | \??\M:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File created | \??\Z:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | \??\W:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened for modification | \??\A:\Autorun.inf | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File created | \??\V:\Autorun.inf | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File created | \??\B:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened for modification | \??\U:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File created | \??\N:\Autorun.inf | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | \??\V:\Autorun.inf | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File created | \??\L:\Autorun.inf | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | \??\P:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened for modification | C:\Autorun.inf | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File created | \??\N:\Autorun.inf | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File created | \??\A:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File created | \??\E:\Autorun.inf | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | \??\J:\Autorun.inf | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File created | \??\T:\Autorun.inf | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | \??\B:\Autorun.inf | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened for modification | \??\J:\Autorun.inf | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File created | \??\Q:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File created | \??\W:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File created | \??\I:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened for modification | \??\M:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened for modification | \??\W:\Autorun.inf | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File created | \??\B:\Autorun.inf | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File created | \??\I:\Autorun.inf | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | \??\H:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened for modification | \??\R:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened for modification | \??\E:\Autorun.inf | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | \??\R:\Autorun.inf | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File created | \??\U:\Autorun.inf | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | \??\S:\Autorun.inf | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | \??\V:\Autorun.inf | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File created | \??\H:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | \??\J:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File created | \??\R:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File created | D:\Autorun.inf | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File created | \??\J:\Autorun.inf | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | \??\L:\Autorun.inf | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | \??\V:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | F:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File created | C:\Autorun.inf | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File created | F:\Autorun.inf | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File created | D:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened for modification | \??\T:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened for modification | \??\V:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File created | \??\V:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened for modification | \??\E:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File created | \??\O:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File created | D:\Autorun.inf | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File created | \??\E:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | \??\K:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | \??\H:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File created | \??\M:\Autorun.inf | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File created | \??\Y:\Autorun.inf | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened for modification | \??\J:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File created | D:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File created | \??\W:\Autorun.inf | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File created | \??\I:\Autorun.inf | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened for modification | \??\Z:\Autorun.inf | C:\Windows\SysWOW64\drivers\system32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\ | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File created | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | C:\Windows\SysWOW64\20-10-2024.exe | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\20-10-2024.exe | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File created | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File created | C:\Windows\SysWOW64\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\20-10-2024.exe | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File created | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File created | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\20-10-2024.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File created | C:\Windows\SysWOW64\20-10-2024.exe | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | C:\Windows\SysWOW64\20-10-2024.exe | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File created | C:\Windows\SysWOW64\msvbvm60.dll | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File created | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | C:\Windows\SysWOW64\20-10-2024.exe | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | C:\Windows\SysWOW64\drivers\system32.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened for modification | C:\Windows\msvbvm60.dll | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened for modification | C:\Windows\msvbvm60.dll | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened for modification | C:\Windows\system\msvbvm60.dll | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | C:\Windows\system\mscoree.dll | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened for modification | C:\Windows\system\msvbvm60.dll | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File created | C:\Windows\mscomctl.ocx | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | C:\Windows\mscomctl.ocx | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | C:\Windows\system\mscoree.dll | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | C:\Windows\system\mscoree.dll | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened for modification | C:\Windows\mscomctl.ocx | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File created | C:\Windows\WBEM\msvbvm60.dll | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | C:\Windows\ | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | C:\Windows\msvbvm60.dll | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File created | C:\Windows\WBEM\msvbvm60.dll | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened for modification | C:\Windows\system\mscoree.dll | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File created | C:\Windows\WBEM\msvbvm60.dll | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File created C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File created C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Screen Saver.Marquee C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\system32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\system32.exe N/A

Taken together, these rows rewrite the default value of HKLM\SOFTWARE\Classes\VBSFile\Shell\{Open,Edit,Open2}\Command to calc.exe and of HKLM\SOFTWARE\Classes\inffile\shell\Install\command to shutdown -r -f -t 0. Every process in the chain (the original sample, smss.exe, Gaara.exe, csrss.exe, Kazekage.exe and system32.exe) repeats the same writes. The effect is that the Open and Open2 verbs on any .vbs file launch Calculator instead of WScript and CScript, Edit launches Calculator instead of Notepad, and the right-click Install action on any .inf file forces an immediate reboot. Because the keys live under HKLM\SOFTWARE\Classes, the change applies to every user on the host and survives deletion of the dropped binaries; cleanup has to put the original command values back.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
12 events N/A C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
12 events N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
12 events N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
12 events N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
12 events N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
4 events N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
1 event N/A C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
6 events N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
6 events N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
6 events N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
6 events N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
6 events N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2668 wrote to memory of 2592 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2592 wrote to memory of 2400 (4 writes) N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2592 wrote to memory of 1112 (4 writes) N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 1112 wrote to memory of 2356 (4 writes) N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 1112 wrote to memory of 1104 (4 writes) N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 1112 wrote to memory of 2804 (4 writes) N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 2804 wrote to memory of 556 (4 writes) N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2804 wrote to memory of 2792 (4 writes) N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2804 wrote to memory of 1632 (4 writes) N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 2804 wrote to memory of 2384 (4 writes) N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2384 wrote to memory of 784 (4 writes) N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2384 wrote to memory of 1616 (4 writes) N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2384 wrote to memory of 2528 (4 writes) N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 2384 wrote to memory of 1016 (4 writes) N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2384 wrote to memory of 1732 (4 writes) N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 1732 wrote to memory of 2472 (4 writes) N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
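
The WriteProcessMemory table is the clearest record of how the sample propagates: each stage writes into a fresh copy of itself and into the next binary, and only one of each stage's targets goes on to write into others. The Python below is an added example, not part of the sandbox report or of any vendor tooling. It parses rows in the table's own format (the sample's file name is shortened to sample.exe; an optional "(n writes)" annotation after the PIDs is accepted so the same parser also works on a de-duplicated table), collapses repeated writes, rebuilds the writer-to-target tree and reports its origin, its deepest chain and the processes that were written into but never wrote themselves. The rows embedded in it are a constructed copy of the table.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# One table row: "PID <src> wrote to memory of <dst> N/A <src image> <dst image>".
# An optional "(n writes)" annotation after the PIDs is accepted as well.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)(?: \((\d+) writes\))? N/A (.+)$")
# The two image paths are separated by one space but themselves contain spaces,
# so split on the space that immediately precedes a drive letter.
IMAGE_SPLIT_RE = re.compile(r" (?=[A-Za-z]:\\)")

Edge = Tuple[int, int]  # (writer pid, written-to pid)

# Constructed input: the unique rows of the table above (sample name shortened),
# with the first row repeated four times as the sandbox printed it.
SAMPLE_ROWS = r"""
PID 2668 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2668 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2668 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2668 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2592 wrote to memory of 2400 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2592 wrote to memory of 1112 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 1112 wrote to memory of 2356 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 1112 wrote to memory of 1104 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 1112 wrote to memory of 2804 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 2804 wrote to memory of 556 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2804 wrote to memory of 2792 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2804 wrote to memory of 1632 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 2804 wrote to memory of 2384 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2384 wrote to memory of 784 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2384 wrote to memory of 1616 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2384 wrote to memory of 2528 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 2384 wrote to memory of 1016 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2384 wrote to memory of 1732 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 1732 wrote to memory of 2472 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
"""


def parse_rows(text: str) -> Tuple[Dict[Edge, int], Dict[int, str]]:
    """Count writes per (src, dst) edge and record the image seen for each PID."""
    counts: Dict[Edge, int] = defaultdict(int)
    image_of: Dict[int, str] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m.group(1)), int(m.group(2))
        n = int(m.group(3)) if m.group(3) else 1
        images = IMAGE_SPLIT_RE.split(m.group(4))
        if len(images) != 2:
            raise ValueError(f"cannot split image paths in row: {line!r}")
        counts[(src, dst)] += n
        image_of.setdefault(src, images[0])
        image_of.setdefault(dst, images[1])
    return dict(counts), image_of


def children_of(counts: Dict[Edge, int]) -> Dict[int, List[int]]:
    kids: Dict[int, List[int]] = defaultdict(list)
    for src, dst in counts:
        kids[src].append(dst)
    return dict(kids)


def roots(counts: Dict[Edge, int]) -> List[int]:
    """PIDs that write into others but were never written into: the chain origin."""
    return sorted({s for s, _ in counts} - {d for _, d in counts})


def leaves(counts: Dict[Edge, int]) -> List[int]:
    """PIDs that were written into but never write themselves."""
    return sorted({d for _, d in counts} - {s for s, _ in counts})


def longest_chain(kids: Dict[int, List[int]], start: int, seen=frozenset()) -> List[int]:
    """Deepest writer-to-target path from `start`; `seen` guards against cycles."""
    best = [start]
    for child in kids.get(start, []):
        if child in seen:
            continue
        cand = [start] + longest_chain(kids, child, seen | {start})
        if len(cand) > len(best):
            best = cand
    return best


def describe(text: str) -> dict:
    counts, image_of = parse_rows(text)
    kids = children_of(counts)
    root = roots(counts)[0]
    chain = longest_chain(kids, root)
    return {
        "edges": len(counts),
        "writes": sum(counts.values()),
        "root": root,
        "chain": chain,
        "chain_images": [image_of[p].rsplit("\\", 1)[-1] for p in chain],
        "leaves": leaves(counts),
    }


if __name__ == "__main__":
    s = describe(SAMPLE_ROWS)
    print(f"{s['edges']} unique edges from {s['writes']} recorded writes, origin PID {s['root']}")
    print(" -> ".join(f"{p} ({img})" for p, img in zip(s["chain"], s["chain_images"])))
    print("leaf PIDs (written into, never write):", s["leaves"])
```

On a live host the same tree comes out of Sysmon Event ID 10 (ProcessAccess) records whose GrantedAccess includes PROCESS_VM_WRITE (0x20), joined on SourceProcessId and TargetProcessId; the report rows are used here only because they are the data at hand.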

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
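
The rewritten shell verbs in the "Modifies registry class" rows above (Classes\VBSFile and Classes\inffile) and the EnableLUA = 0 writes in this System policy modification table are the two registry changes an analyst should be able to pull out of an event feed without reading it by hand. The Python below is an added example, not part of the sandbox report or of any vendor tooling. It parses rows in the report's own "Set value" format, compares each rewritten shell\<verb>\command default against a baseline of stock handlers, and flags EnableLUA being set to 0. The baseline is this example's assumption about a default Windows install, not data from the report; the embedded rows are a constructed subset of the report (sample name shortened) plus one benign control row that restores the stock VBSFile handler.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One "Set value" row of the report. "Key created" rows carry no value and are skipped.
# Key paths are taken as a run of non-blank characters, which holds for every row above.
SET_RE = re.compile(r'^Set value \((\w+)\) (\S+) = "(.*)" (.+?) N/A$')

# Assumed stock handlers (executable basename) for the ProgID/verb pairs the sample
# rewrites. This baseline is an assumption about a default Windows install made for
# this example; it is not data taken from the report.
BASELINE = {
    ("VBSFILE", "OPEN"): "wscript.exe",
    ("VBSFILE", "OPEN2"): "cscript.exe",
    ("VBSFILE", "EDIT"): "notepad.exe",
    ("INFFILE", "INSTALL"): "infdefaultinstall.exe",
}
DESTRUCTIVE = {"shutdown", "shutdown.exe"}


@dataclass
class Finding:
    rule: str      # hijack | unbaselined | uac-disabled
    key: str
    value: str
    image: str     # process that performed the write
    detail: str


# Constructed input: rows copied from the report (sample name shortened) plus one
# benign control row (the last one) that sets the stock VBSFile Open handler.
SAMPLE_ROWS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = ""C:\Windows\System32\WScript.exe" "%1" %*" C:\Windows\System32\msiexec.exe N/A
"""


def exe_basename(command: str) -> str:
    """Lower-cased basename of the first token of a shell command line."""
    command = command.strip()
    if command.startswith('"'):
        token = command[1:].split('"', 1)[0]
    else:
        token = command.split(" ", 1)[0]
    return token.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(key: str, value: str, image: str) -> Optional[Finding]:
    parts = [p for p in key.upper().split("\\") if p]
    # ...\Classes\<ProgID>\shell\<verb>\command, default value rewritten
    if len(parts) >= 5 and "CLASSES" in parts and parts[-1] == "COMMAND" and parts[-3] == "SHELL":
        progid, verb = parts[-4], parts[-2]
        actual = exe_basename(value)
        expected = BASELINE.get((progid, verb))
        if expected is None:
            return Finding("unbaselined", key, value, image,
                           f"{progid}\\{verb}: no baseline handler known, review manually")
        if actual != expected:
            detail = f"{progid}\\{verb}: expected {expected}, got {actual}"
            if actual in DESTRUCTIVE:
                detail += " (destructive handler)"
            return Finding("hijack", key, value, image, detail)
        return None
    # ...\Policies\System\EnableLUA = 0 turns UAC off at next logon
    if parts[-3:] == ["POLICIES", "SYSTEM", "ENABLELUA"] and value.strip() == "0":
        return Finding("uac-disabled", key, value, image, "EnableLUA set to 0")
    return None


def scan(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in text.splitlines():
        m = SET_RE.match(line.strip())
        if not m:
            continue
        _kind, key, value, image = m.groups()
        f = classify(key, value, image)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_ROWS):
        print(f"{f.rule:13} {f.detail}  [{f.image}]")
```

The same classify() logic applies to Sysmon Event ID 13 (RegistryEvent, value set) records once TargetObject and Details are mapped to key and value; the report format is used here because it is easier to embed.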

Processes

Note on the paths in this list: Kazekage.exe and system32.exe are shown with their on-disk image under C:\Windows\SysWOW64\drivers\ while the recorded command line names C:\Windows\system32\drivers\. The sample is a 32-bit executable (it drops the VB6 runtime MSVBVM60.dll and spawns C:\Windows\SysWOW64\ping.exe), so its writes to and launches from System32 are transparently redirected to SysWOW64 by WOW64 file system redirection. On disk the droppers exist only under SysWOW64\drivers; a 64-bit tool that looks in System32\drivers will not find them.

C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe

"C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\ping.exe (17 instances)

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe (17 instances)

ping -a -l www.duniasex.com 65500

Note on the ping command lines: the sandbox recorded 34 ping.exe processes alternating between the two targets; the 17 instances per target are collapsed above because their command lines are identical. The arguments are in the wrong order for Windows ping.exe, whose -l switch takes a numeric buffer size: with a host name in that position ping rejects the command line as a bad value for -l and exits without sending anything. The intent, a flood of 65500-byte ICMP echo requests against both hosts, is visible in the arguments, but the Network section below records only two DNS queries to 8.8.8.8 and no ICMP traffic, consistent with the floods never being sent. The two domain names are still worth keeping as indicators tied to this sample.

Network

Country Destination Domain Proto
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp

Files

memory/2668-0-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\SysWOW64\20-10-2024.exe

MD5 6dbe40009804b357c85a299434813aa0
SHA1 58812cb57ffb28323abbc14649bc82bdf9399aad
SHA256 2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faa
SHA512 571eef0bd5b0f9891ff3bc584c4cc6cd15d82dcf09363365f2b96451f15d07b953cc0c25c963bb8fcfef8366a65947d6d9535320650e438b264317e2a6bd3ec4

C:\Windows\Fonts\Admin 20 - 10 - 2024\MSVBVM60.dll

MD5 5343a19c618bc515ceb1695586c6c137
SHA1 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA256 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

memory/2668-38-0x0000000000430000-0x0000000000455000-memory.dmp

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

MD5 f18b197fc2fd174dced1aae03d71d2b9
SHA1 4b678f082e95cab659f9b5072194419b7f6aac1f
SHA256 ed42dd1d82c6a45b1820c42812ec841a098fec379509f6727e95a2406533d23c
SHA512 f228c7d48c438f22b5a497fa8be31c6caf8969bf5a5fedff4976f2a3dd72d4b6586cf5ceed0b95de83ae533c33174b06d0d8999bdb161c02d921d5e80d716038

memory/2400-79-0x0000000000400000-0x0000000000425000-memory.dmp

\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

MD5 318606527663841f606b00709cd95fad
SHA1 4250a07a25d29e33d45cab522716b66aac3ea5fd
SHA256 780710b0ace253b7282858fc92b8d5adc49d73e45b9f6cd7b67767e4776f336d
SHA512 cb4ecfa9fe570b571ac083f3d7c20173896f10220f016217a009e7716fc8222a467c4351c509cc9748c5f038cec3a33376dc5226d65319b4e704d542650a3c74

C:\Windows\Fonts\The Kazekage.jpg

MD5 d6b05020d4a0ec2a3a8b687099e335df
SHA1 df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA512 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

C:\Windows\Fonts\The Kazekage.jpg

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

(These four digests are those of a zero-length file: the wallpaper image was captured empty at one point in the run, either when the file was created before its content was written or after it was truncated. Use the preceding entry for the same path as the indicator for the image itself.)

C:\Windows\SysWOW64\drivers\system32.exe

MD5 10a1b88f02667391b15300534846e53c
SHA1 697a232dc0ea1a3ce4915e75a5db071c90005bbb
SHA256 e885c876267befe9dca64f81d716ec6bf6fea408dc0cc965d0e9d5351de1da95
SHA512 23ceb68be188665837a3466fa848f48194b3b23d0e02917e906a32127557b2ec00470928102c288c924f32d1387f625e101f8f9a8e33fdee65afc6cb00ac4e2e

memory/2356-125-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

MD5 ca78c3b71604711787cb542b5a558202
SHA1 40118c668548b8d9fe508cfa9e2e3dd6bdeab0af
SHA256 0d9bf3410500deba3c4583e0e91f940e45ad40050d02ba6bc8341e558d1f8798
SHA512 523f5b1f17a0a604ea250f1192c6927d635158d95698c62f2479135867e8f428e105909fbbcf6e85ae8315cfff76db8e479f821e842b51dac063c372b7edc29c

memory/1112-133-0x0000000001E80000-0x0000000001EA5000-memory.dmp

memory/1104-140-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2804-169-0x00000000003C0000-0x00000000003E5000-memory.dmp

memory/2804-176-0x00000000003C0000-0x00000000003E5000-memory.dmp

memory/556-178-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2792-182-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2384-195-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 6ccd47610ecc548738abd06cde3328e3
SHA1 7e891c6154696e506de2a4c76e4e0247e52b539c
SHA256 2d04cf3fa3067516af9acfd43426d77ac43ea18d4f2bc98f10e362dc6c35c4f1
SHA512 8c9bf12bcf205c52ec93d3bdd0f03b4951c3fb41aac2a22d0814ab87a06763ee02d7a7b4df61cea85a9890bbf57b2add98f9f13ceb24d2ab7d118bc6b1926c97

memory/2384-214-0x00000000023C0000-0x00000000023E5000-memory.dmp

memory/784-217-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2384-218-0x00000000023C0000-0x00000000023E5000-memory.dmp

memory/1616-221-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2528-225-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2384-224-0x00000000023C0000-0x00000000023E5000-memory.dmp

memory/2384-233-0x00000000023C0000-0x00000000023E5000-memory.dmp

C:\Windows\SysWOW64\drivers\system32.exe

MD5 c80417b6a8eabca2fb97110bfce2c779
SHA1 ede6273f14c74ff172244be3004b10d912885cd4
SHA256 ef87e08f9e88654657de70e62aa249700298f81956fb200d502997ecc250246c
SHA512 b42fbf0b2d77c27405fb344048b5eb55fb13acc31e7ce77d238e1fc1d039b6b6b74b75eef39d426e21829cc020c0a7f466391ca2c584d2f9656517771e395d91

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\SysWOW64\20-10-2024.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\SysWOW64\20-10-2024.exe

C:\Autorun.inf

C:\Admin Games\Readme.txt

C:\Windows\SysWOW64\Desktop.ini

C:\Windows\mscomctl.ocx

C:\Windows\SysWOW64\MSCOMCTL.OCX

C:\Windows\mscomctl.ocx

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-20 20:58

Reported: 2024-10-20 21:00

Platform: win10v2004-20241007-en

Max time kernel: 150s

Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A

Disables use of System Restore points

evasion

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" | C:\Windows\SysWOW64\drivers\system32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | C:\Windows\SysWOW64\drivers\system32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" | C:\Windows\SysWOW64\drivers\system32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" | C:\Windows\SysWOW64\drivers\system32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\drivers\system32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | \??\H:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened for modification | \??\Q:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened for modification | \??\Y:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened for modification | \??\W:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened for modification | \??\Y:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | F:\Desktop.ini | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened for modification | \??\N:\Desktop.ini | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened for modification | \??\I:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened for modification | \??\L:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened for modification | \??\Q:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened for modification | C:\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | D:\Desktop.ini | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened for modification | F:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened for modification | D:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened for modification | \??\P:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened for modification | \??\R:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened for modification | \??\K:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | \??\L:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | \??\T:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | \??\Q:\Desktop.ini | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | \??\J:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened for modification | \??\K:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened for modification | \??\A:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | \??\B:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | \??\R:\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | \??\E:\Desktop.ini | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | \??\W:\Desktop.ini | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | C:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | \??\A:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened for modification | \??\N:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened for modification | \??\G:\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | \??\S:\Desktop.ini | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened for modification | \??\X:\Desktop.ini | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | \??\U:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened for modification | \??\M:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | \??\X:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | \??\X:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened for modification | D:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened for modification | F:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened for modification | \??\N:\Desktop.ini | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | \??\A:\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | \??\L:\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | \??\K:\Desktop.ini | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | \??\U:\Desktop.ini | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened for modification | F:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | \??\R:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | \??\O:\Desktop.ini | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened for modification | \??\T:\Desktop.ini | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened for modification | \??\Z:\Desktop.ini | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened for modification | \??\H:\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | \??\U:\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | \??\X:\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | C:\Desktop.ini | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened for modification | \??\R:\Desktop.ini | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened for modification | \??\Y:\Desktop.ini | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened for modification | \??\B:\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | \??\E:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened for modification | \??\O:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened for modification | \??\N:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | \??\J:\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened for modification | \??\T:\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | \??\U:\Desktop.ini | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | \??\O:\Desktop.ini | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | \??\T:\Desktop.ini | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\E: | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened (read-only) | \??\B: | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened (read-only) | \??\B: | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened (read-only) | \??\A: | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened (read-only) | \??\A: | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened (read-only) | \??\A: | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened (read-only) | \??\A: | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A

Drops autorun.inf file

Description | Indicator | Process | Target
File created | \??\B:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened for modification | \??\B:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File created | \??\U:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | \??\W:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | \??\E:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File created | \??\E:\Autorun.inf | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | \??\G:\Autorun.inf | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | \??\O:\Autorun.inf | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | \??\G:\Autorun.inf | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened for modification | \??\X:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened for modification | \??\Y:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File created | \??\P:\Autorun.inf | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | \??\J:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | \??\O:\Autorun.inf | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File created | \??\I:\Autorun.inf | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File created | \??\Y:\Autorun.inf | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | F:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened for modification | \??\G:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File created | \??\B:\Autorun.inf | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File created | \??\O:\Autorun.inf | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | \??\E:\Autorun.inf | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | \??\Y:\Autorun.inf | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File created | \??\P:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened for modification | \??\E:\Autorun.inf | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | \??\S:\Autorun.inf | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | \??\R:\Autorun.inf | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File created | D:\Autorun.inf | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File created | \??\K:\Autorun.inf | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File created | \??\U:\Autorun.inf | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | \??\O:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened for modification | \??\Q:\Autorun.inf | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | \??\V:\Autorun.inf | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File created | \??\E:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File created | D:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File created | \??\E:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened for modification | \??\G:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File created | \??\L:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened for modification | \??\G:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File created | \??\M:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File created | \??\L:\Autorun.inf | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File created | \??\O:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | \??\P:\Autorun.inf | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File created | \??\M:\Autorun.inf | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File created | \??\L:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File created | \??\H:\Autorun.inf | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | F:\Autorun.inf | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File created | \??\B:\Autorun.inf | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File created | D:\Autorun.inf | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened for modification | D:\Autorun.inf | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File created | \??\B:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened for modification | \??\H:\Autorun.inf | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File created | \??\R:\Autorun.inf | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File created | \??\H:\Autorun.inf | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened for modification | \??\Z:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File created | \??\G:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | \??\H:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File created | \??\N:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened for modification | \??\L:\Autorun.inf | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File created | \??\X:\Autorun.inf | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File created | D:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File created | \??\V:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | \??\M:\Autorun.inf | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File created | \??\P:\Autorun.inf | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | C:\Autorun.inf | C:\Windows\SysWOW64\drivers\system32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\20-10-2024.exe | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File created | C:\Windows\SysWOW64\msvbvm60.dll | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | C:\Windows\SysWOW64\20-10-2024.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File created | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\20-10-2024.exe | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File created | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\20-10-2024.exe | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File created | C:\Windows\SysWOW64\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\20-10-2024.exe | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | C:\Windows\SysWOW64\20-10-2024.exe | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File created | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File created | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\20-10-2024.exe | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File created | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File created | C:\Windows\SysWOW64\mscomctl.ocx | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | C:\Windows\SysWOW64\drivers\system32.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File created | C:\Windows\msvbvm60.dll | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | C:\Windows\system\msvbvm60.dll | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File created | C:\Windows\WBEM\msvbvm60.dll | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | C:\Windows\system\mscoree.dll | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File created | C:\Windows\WBEM\msvbvm60.dll | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened for modification | C:\Windows\ | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File created | C:\Windows\Fonts\The Kazekage.jpg | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | C:\Windows\msvbvm60.dll | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | C:\Windows\system\mscoree.dll | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | C:\Windows\system\mscoree.dll | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File opened for modification | C:\Windows\msvbvm60.dll | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened for modification | C:\Windows\ | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | N/A
File opened for modification | C:\Windows\msvbvm60.dll | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | N/A
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File created | C:\Windows\WBEM\msvbvm60.dll | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | C:\Windows\system\mscoree.dll | C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe | N/A
File opened for modification | C:\Windows\mscomctl.ocx | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | C:\Windows\mscomctl.ocx | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | N/A
File created C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
File opened for modification C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3840 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 3840 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 3840 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 1108 wrote to memory of 644 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 1108 wrote to memory of 644 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 1108 wrote to memory of 644 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 1108 wrote to memory of 3960 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 1108 wrote to memory of 3960 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 1108 wrote to memory of 3960 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 3960 wrote to memory of 1664 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 3960 wrote to memory of 1664 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 3960 wrote to memory of 1664 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 3960 wrote to memory of 4372 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 3960 wrote to memory of 4372 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 3960 wrote to memory of 4372 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 3960 wrote to memory of 2140 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 3960 wrote to memory of 2140 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 3960 wrote to memory of 2140 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 2140 wrote to memory of 1252 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2140 wrote to memory of 1252 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2140 wrote to memory of 1252 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 2140 wrote to memory of 2308 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2140 wrote to memory of 2308 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2140 wrote to memory of 2308 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 2140 wrote to memory of 4748 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 2140 wrote to memory of 4748 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 2140 wrote to memory of 4748 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 2140 wrote to memory of 3952 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2140 wrote to memory of 3952 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2140 wrote to memory of 3952 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3952 wrote to memory of 336 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 3952 wrote to memory of 336 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 3952 wrote to memory of 336 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 3952 wrote to memory of 428 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 3952 wrote to memory of 428 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 3952 wrote to memory of 428 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 3952 wrote to memory of 1104 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 3952 wrote to memory of 1104 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 3952 wrote to memory of 1104 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 3952 wrote to memory of 2752 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3952 wrote to memory of 2752 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3952 wrote to memory of 2752 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3952 wrote to memory of 1856 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3952 wrote to memory of 1856 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3952 wrote to memory of 1856 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 1856 wrote to memory of 2020 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 1856 wrote to memory of 2020 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 1856 wrote to memory of 2020 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
PID 1856 wrote to memory of 4532 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 1856 wrote to memory of 4532 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 1856 wrote to memory of 4532 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
PID 1856 wrote to memory of 696 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 1856 wrote to memory of 696 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 1856 wrote to memory of 696 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
PID 1856 wrote to memory of 4324 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1856 wrote to memory of 4324 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1856 wrote to memory of 4324 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1856 wrote to memory of 2320 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 1856 wrote to memory of 2320 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 1856 wrote to memory of 2320 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2140 wrote to memory of 1860 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2140 wrote to memory of 1860 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2140 wrote to memory of 1860 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3960 wrote to memory of 2096 N/A C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe

"C:\Users\Admin\AppData\Local\Temp\2687835ba6a580138dcc67b423b69cb52130da5b7d3c8d6a02cf017ea1fe4faaN.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp

Files

memory/3840-0-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\SysWOW64\drivers\system32.exe

MD5 4a64cb5decf43f5487b361fe59cd7ad1
SHA1 1963a2a1142d823c2847938e9b908b15d1abf1de
SHA256 d3ee9b56ec49bf1b908e02233578574e9aecb8cc732cecc8a3b3b9fb54ca6106
SHA512 cfb27c59575aaa0e3bc63a7e9aecc24484bf2d76544d47ae722622f6b719591e0e23e2ae13e8fcf6131335f12fcdf0b0a193233e11f3ef498ab3d3d8c9cd8619

C:\Windows\System\msvbvm60.dll

MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

MD5 02708ca74b5d741179a43a96451c7514
SHA1 8f8698da37073218985a0a139b06a4e4314ce232
SHA256 936e1fb6f2efe93b94279fd5083463862fc5fb0efd48dbff34612b1ba0cd380d
SHA512 c0251b684a5d92928846adf5218f1287512ae3944a117ff7568e05c835a18a1d5ea89353acaef43d91da5f8de8f25593e0a376d49bcb9773e28246ce7caccea3

memory/1108-32-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

MD5 d6b05020d4a0ec2a3a8b687099e335df
SHA1 df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA512 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

MD5 5d0cc4c8205b3548b914c9a4e03282e4
SHA1 5bbeb7b0428a534aac3319ab240f4a48059ae6e2
SHA256 f9125a8ca5835442dd3e39f06d7cf11818d5b1bcce3245bf12fade1a0c6861e0