Analysis
-
max time kernel
149s -
max time network
127s -
platform
windows11-21h2_x64 -
resource
win11-20250410-en -
resource tags
arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system -
submitted
02/05/2025, 11:01
Behavioral task
behavioral1
Sample
2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral2
Sample
2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe
Resource
win11-20250410-en
General
-
Target
2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe
-
Size
8.3MB
-
MD5
ba4cb72149f95e29237ceeed16cf5f2c
-
SHA1
2f002c6912923d4bc11ac8b392009e414de7e0bb
-
SHA256
cab5015c0365402d482e6d68f8f2384d70c390d1eb6104ee8ba8c461fc13415a
-
SHA512
b0cff24f87cd636e3ca2c5fbd3cead5b58fade69ae425079c3cc6574550a255a02b34af664bc1fe4e7fb695ae3bcc83585965d2acb13ccb367e9c59daeef2afb
-
SSDEEP
49152:hGyqWyWy0GyqWyWyMRPC1eHc785diLvQ8b1gtj:hGyqWyWy0GyqWyWyMRPC1eHL5dGYSW
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" system32.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Gaara.exe Set value (int) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Kazekage.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Gaara.exe Set value (int) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Kazekage.exe Set value (int) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" smss.exe -
UAC bypass 3 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe -
Disables RegEdit via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Kazekage.exe Set value (int) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Gaara.exe Set value (int) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe -
Disables use of System Restore points 1 TTPs
-
Drops file in Drivers directory 24 IoCs
description ioc Process File created C:\Windows\SysWOW64\drivers\Kazekage.exe 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe smss.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe system32.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe csrss.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe csrss.exe File created C:\Windows\SysWOW64\drivers\system32.exe system32.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe csrss.exe File created C:\Windows\SysWOW64\drivers\system32.exe csrss.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe smss.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe system32.exe File created C:\Windows\SysWOW64\drivers\system32.exe Gaara.exe File created C:\Windows\SysWOW64\drivers\system32.exe 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe Gaara.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe system32.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe Gaara.exe File created C:\Windows\SysWOW64\drivers\system32.exe Kazekage.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe smss.exe File created C:\Windows\SysWOW64\drivers\system32.exe smss.exe -
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" Gaara.exe -
Executes dropped EXE 30 IoCs
pid Process 3824 smss.exe 1464 smss.exe 2060 Gaara.exe 4736 smss.exe 3860 Gaara.exe 992 csrss.exe 3184 smss.exe 2604 Gaara.exe 2504 csrss.exe 3748 Kazekage.exe 2340 smss.exe 1084 Gaara.exe 900 csrss.exe 3908 Kazekage.exe 3388 system32.exe 1152 smss.exe 2900 Gaara.exe 4876 csrss.exe 1028 Kazekage.exe 1872 system32.exe 1692 system32.exe 948 Kazekage.exe 3752 system32.exe 416 csrss.exe 1480 Kazekage.exe 2220 system32.exe 2564 Gaara.exe 4820 csrss.exe 476 Kazekage.exe 2788 system32.exe -
Loads dropped DLL 18 IoCs
pid Process 3824 smss.exe 1464 smss.exe 2060 Gaara.exe 4736 smss.exe 3860 Gaara.exe 992 csrss.exe 3184 smss.exe 2604 Gaara.exe 2504 csrss.exe 2340 smss.exe 1084 Gaara.exe 900 csrss.exe 1152 smss.exe 2900 Gaara.exe 4876 csrss.exe 416 csrss.exe 2564 Gaara.exe 4820 csrss.exe -
Adds Run key to start application 2 TTPs 24 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe -
Checks whether UAC is enabled 1 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification \??\Y:\Desktop.ini 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File opened for modification \??\G:\Desktop.ini Kazekage.exe File opened for modification \??\E:\Desktop.ini system32.exe File opened for modification \??\R:\Desktop.ini system32.exe File opened for modification \??\S:\Desktop.ini Kazekage.exe File opened for modification \??\J:\Desktop.ini smss.exe File opened for modification \??\H:\Desktop.ini system32.exe File opened for modification \??\A:\Desktop.ini csrss.exe File opened for modification D:\Desktop.ini smss.exe File opened for modification \??\M:\Desktop.ini 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File opened for modification \??\O:\Desktop.ini csrss.exe File opened for modification \??\X:\Desktop.ini 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File opened for modification F:\Desktop.ini 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File opened for modification \??\P:\Desktop.ini Gaara.exe File opened for modification \??\Q:\Desktop.ini csrss.exe File opened for modification \??\K:\Desktop.ini Kazekage.exe File opened for modification \??\W:\Desktop.ini 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File opened for modification \??\A:\Desktop.ini Gaara.exe File opened for modification \??\P:\Desktop.ini 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File opened for modification \??\N:\Desktop.ini Gaara.exe File opened for modification \??\G:\Desktop.ini 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File opened for modification \??\Z:\Desktop.ini Kazekage.exe File opened for modification \??\O:\Desktop.ini smss.exe File opened for modification \??\Z:\Desktop.ini Gaara.exe File opened for modification \??\U:\Desktop.ini smss.exe File opened for modification \??\H:\Desktop.ini Gaara.exe File opened for modification \??\S:\Desktop.ini Gaara.exe File opened for modification \??\P:\Desktop.ini Kazekage.exe File opened for modification \??\Z:\Desktop.ini csrss.exe File opened for modification \??\X:\Desktop.ini smss.exe File opened for modification \??\J:\Desktop.ini 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File opened for modification \??\L:\Desktop.ini 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File opened for modification \??\T:\Desktop.ini csrss.exe File opened for modification \??\V:\Desktop.ini Gaara.exe File opened for modification \??\L:\Desktop.ini smss.exe File opened for modification \??\Y:\Desktop.ini smss.exe File opened for modification \??\U:\Desktop.ini system32.exe File opened for modification F:\Desktop.ini Gaara.exe File opened for modification \??\G:\Desktop.ini smss.exe File opened for modification \??\H:\Desktop.ini smss.exe File opened for modification \??\W:\Desktop.ini Kazekage.exe File opened for modification \??\V:\Desktop.ini system32.exe File opened for modification D:\Desktop.ini csrss.exe File opened for modification \??\E:\Desktop.ini csrss.exe File opened for modification \??\H:\Desktop.ini csrss.exe File opened for modification \??\S:\Desktop.ini 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File opened for modification \??\V:\Desktop.ini 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File opened for modification \??\U:\Desktop.ini csrss.exe File opened for modification \??\R:\Desktop.ini smss.exe File opened for modification \??\V:\Desktop.ini smss.exe File opened for modification \??\W:\Desktop.ini csrss.exe File opened for modification \??\E:\Desktop.ini smss.exe File opened for modification C:\Desktop.ini system32.exe File opened for modification C:\Desktop.ini csrss.exe File opened for modification \??\G:\Desktop.ini Gaara.exe File opened for modification \??\O:\Desktop.ini Gaara.exe File opened for modification \??\P:\Desktop.ini csrss.exe File opened for modification \??\Z:\Desktop.ini system32.exe File opened for modification \??\K:\Desktop.ini csrss.exe File opened for modification \??\T:\Desktop.ini Gaara.exe File opened for modification \??\I:\Desktop.ini smss.exe File opened for modification \??\P:\Desktop.ini smss.exe File opened for modification \??\Q:\Desktop.ini smss.exe File opened for modification \??\K:\Desktop.ini system32.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\X: 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File opened (read-only) \??\X: Gaara.exe File opened (read-only) \??\S: system32.exe File opened (read-only) \??\I: csrss.exe File opened (read-only) \??\K: Gaara.exe File opened (read-only) \??\T: 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File opened (read-only) \??\E: smss.exe File opened (read-only) \??\U: Kazekage.exe File opened (read-only) \??\S: csrss.exe File opened (read-only) \??\Z: Gaara.exe File opened (read-only) \??\V: csrss.exe File opened (read-only) \??\Z: smss.exe File opened (read-only) \??\G: system32.exe File opened (read-only) \??\N: system32.exe File opened (read-only) \??\N: csrss.exe File opened (read-only) \??\W: 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File opened (read-only) \??\E: csrss.exe File opened (read-only) \??\J: csrss.exe File opened (read-only) \??\L: csrss.exe File opened (read-only) \??\R: 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File opened (read-only) \??\W: csrss.exe File opened (read-only) \??\Q: 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File opened (read-only) \??\R: Gaara.exe File opened (read-only) \??\U: Gaara.exe File opened (read-only) \??\I: smss.exe File opened (read-only) \??\Q: Kazekage.exe File opened (read-only) \??\Y: Kazekage.exe File opened (read-only) \??\K: system32.exe File opened (read-only) \??\B: Kazekage.exe File opened (read-only) \??\N: smss.exe File opened (read-only) \??\T: smss.exe File opened (read-only) \??\A: Kazekage.exe File opened (read-only) \??\V: Gaara.exe File opened (read-only) \??\H: Gaara.exe File opened (read-only) \??\P: csrss.exe File opened (read-only) \??\E: Kazekage.exe File opened (read-only) \??\P: 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File opened (read-only) \??\T: Gaara.exe File opened (read-only) \??\I: Kazekage.exe File opened (read-only) \??\S: smss.exe File opened (read-only) \??\Z: system32.exe File opened (read-only) \??\B: 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File opened (read-only) \??\O: csrss.exe File opened (read-only) \??\M: smss.exe File opened (read-only) \??\V: smss.exe File opened (read-only) \??\A: Gaara.exe File opened (read-only) \??\J: 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File opened (read-only) \??\S: Gaara.exe File opened (read-only) \??\N: Kazekage.exe File opened (read-only) \??\L: Gaara.exe File opened (read-only) \??\V: Kazekage.exe File opened (read-only) \??\X: smss.exe File opened (read-only) \??\L: 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File opened (read-only) \??\O: 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File opened (read-only) \??\O: Gaara.exe File opened (read-only) \??\S: 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File opened (read-only) \??\G: smss.exe File opened (read-only) \??\J: smss.exe File opened (read-only) \??\Q: system32.exe File opened (read-only) \??\T: system32.exe File opened (read-only) \??\T: csrss.exe File opened (read-only) \??\Y: 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File opened (read-only) \??\W: Gaara.exe File opened (read-only) \??\J: Gaara.exe -
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification \??\I:\Autorun.inf Gaara.exe File opened for modification \??\U:\Autorun.inf Gaara.exe File created \??\E:\Autorun.inf csrss.exe File opened for modification \??\K:\Autorun.inf csrss.exe File opened for modification \??\G:\Autorun.inf Kazekage.exe File opened for modification \??\U:\Autorun.inf csrss.exe File created \??\B:\Autorun.inf 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File opened for modification \??\E:\Autorun.inf 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File opened for modification \??\E:\Autorun.inf Gaara.exe File created \??\O:\Autorun.inf csrss.exe File created \??\N:\Autorun.inf Kazekage.exe File opened for modification \??\X:\Autorun.inf 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File created \??\M:\Autorun.inf Gaara.exe File opened for modification \??\L:\Autorun.inf csrss.exe File created \??\B:\Autorun.inf Kazekage.exe File opened for modification \??\P:\Autorun.inf system32.exe File created \??\M:\Autorun.inf smss.exe File opened for modification \??\L:\Autorun.inf Kazekage.exe File opened for modification \??\A:\Autorun.inf system32.exe File opened for modification \??\G:\Autorun.inf system32.exe File created \??\B:\Autorun.inf smss.exe File opened for modification \??\L:\Autorun.inf smss.exe File created \??\L:\Autorun.inf smss.exe File created \??\P:\Autorun.inf smss.exe File created \??\A:\Autorun.inf Gaara.exe File created \??\N:\Autorun.inf 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File opened for modification \??\L:\Autorun.inf 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File opened for modification \??\N:\Autorun.inf 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File created \??\U:\Autorun.inf 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File created \??\B:\Autorun.inf system32.exe File created \??\H:\Autorun.inf system32.exe File created \??\N:\Autorun.inf smss.exe File created \??\Z:\Autorun.inf Gaara.exe File created \??\T:\Autorun.inf csrss.exe File created \??\I:\Autorun.inf Kazekage.exe File created \??\T:\Autorun.inf smss.exe File created \??\R:\Autorun.inf Gaara.exe File opened for modification \??\V:\Autorun.inf csrss.exe File opened for modification \??\B:\Autorun.inf Kazekage.exe File opened for modification C:\Autorun.inf Kazekage.exe File opened for modification F:\Autorun.inf system32.exe File created \??\V:\Autorun.inf system32.exe File created \??\B:\Autorun.inf Gaara.exe File opened for modification \??\M:\Autorun.inf csrss.exe File opened for modification \??\Z:\Autorun.inf Kazekage.exe File created \??\X:\Autorun.inf Gaara.exe File created \??\I:\Autorun.inf system32.exe File opened for modification \??\Q:\Autorun.inf 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File opened for modification C:\Autorun.inf Gaara.exe File created \??\Q:\Autorun.inf system32.exe File created \??\B:\Autorun.inf csrss.exe File created \??\L:\Autorun.inf Kazekage.exe File opened for modification \??\R:\Autorun.inf smss.exe File created \??\W:\Autorun.inf 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File created \??\Z:\Autorun.inf 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File opened for modification \??\B:\Autorun.inf Gaara.exe File created \??\H:\Autorun.inf Gaara.exe File created \??\Y:\Autorun.inf Gaara.exe File created \??\J:\Autorun.inf system32.exe File opened for modification \??\K:\Autorun.inf system32.exe File opened for modification \??\I:\Autorun.inf smss.exe File opened for modification \??\B:\Autorun.inf 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File created \??\M:\Autorun.inf 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File created \??\V:\Autorun.inf 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe -
Drops file in System32 directory 39 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\mscomctl.ocx csrss.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\SysWOW64\ system32.exe File created C:\Windows\SysWOW64\msvbvm60.dll 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File created C:\Windows\SysWOW64\msvbvm60.dll system32.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll csrss.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx system32.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll system32.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx smss.exe File created C:\Windows\SysWOW64\2-5-2025.exe 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\2-5-2025.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\ Gaara.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini Kazekage.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll smss.exe File opened for modification C:\Windows\SysWOW64\2-5-2025.exe smss.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\2-5-2025.exe 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File created C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe File created C:\Windows\SysWOW64\mscomctl.ocx 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini Gaara.exe File opened for modification C:\Windows\SysWOW64\ csrss.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini system32.exe File created C:\Windows\SysWOW64\msvbvm60.dll csrss.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\ 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Gaara.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Kazekage.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini smss.exe File opened for modification C:\Windows\SysWOW64\ smss.exe File opened for modification C:\Windows\SysWOW64\2-5-2025.exe system32.exe File opened for modification C:\Windows\SysWOW64\ Kazekage.exe File created C:\Windows\SysWOW64\msvbvm60.dll smss.exe File opened for modification C:\Windows\SysWOW64\2-5-2025.exe Gaara.exe File created C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini csrss.exe File opened for modification C:\Windows\SysWOW64\2-5-2025.exe csrss.exe File created C:\Windows\SysWOW64\Desktop.ini 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe -
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe -
resource yara_rule behavioral2/memory/960-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x004600000002b050-11.dat upx behavioral2/files/0x001c00000002b04e-31.dat upx behavioral2/memory/3824-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1464-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1464-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x001900000002b04f-76.dat upx behavioral2/memory/2060-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x001900000002b053-89.dat upx behavioral2/files/0x001900000002b053-90.dat upx behavioral2/files/0x001c00000002b054-93.dat upx behavioral2/files/0x001900000002b055-97.dat upx behavioral2/memory/3860-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/992-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3860-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x004600000002b050-120.dat upx behavioral2/files/0x001900000002b053-130.dat upx behavioral2/files/0x001900000002b055-138.dat upx behavioral2/memory/3184-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/960-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3184-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3824-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2604-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2504-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x001c00000002b054-172.dat upx behavioral2/memory/3908-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x001900000002b055-217.dat upx behavioral2/files/0x001900000002b053-225.dat upx behavioral2/memory/1028-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/948-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2788-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/476-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2564-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2220-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1692-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1872-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2900-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/992-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1084-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3824-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/960-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/992-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3824-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/960-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/992-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3824-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/992-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-493-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/960-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-541-0x0000000000400000-0x000000000042A000-memory.dmp upx -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\Fonts\The Kazekage.jpg Gaara.exe File opened for modification C:\Windows\mscomctl.ocx 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg smss.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe smss.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg csrss.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe Kazekage.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe Kazekage.exe File created C:\Windows\WBEM\msvbvm60.dll Kazekage.exe File created C:\Windows\WBEM\msvbvm60.dll smss.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe Gaara.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe system32.exe File opened for modification C:\Windows\system\msvbvm60.dll system32.exe File opened for modification C:\Windows\mscomctl.ocx csrss.exe File created C:\Windows\WBEM\msvbvm60.dll 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll system32.exe File opened for modification C:\Windows\ 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File created C:\Windows\Fonts\The Kazekage.jpg 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\system\mscoree.dll 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe smss.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe csrss.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe csrss.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg Kazekage.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe system32.exe File opened for modification C:\Windows\ system32.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe smss.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe Gaara.exe File created C:\Windows\WBEM\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe Kazekage.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe smss.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe Gaara.exe File created C:\Windows\mscomctl.ocx 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File created C:\Windows\msvbvm60.dll 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg system32.exe File opened for modification C:\Windows\system\mscoree.dll system32.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe system32.exe File opened for modification C:\Windows\mscomctl.ocx system32.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe Gaara.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll csrss.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe Gaara.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\system\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe csrss.exe File opened for modification C:\Windows\system\msvbvm60.dll csrss.exe File opened for modification C:\Windows\system\msvbvm60.dll Kazekage.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe system32.exe File opened for modification C:\Windows\mscomctl.ocx Gaara.exe File created C:\Windows\system\msvbvm60.dll 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll smss.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe csrss.exe File opened for modification C:\Windows\msvbvm60.dll csrss.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe system32.exe File opened for modification C:\Windows\msvbvm60.dll system32.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe smss.exe File opened for modification C:\Windows\mscomctl.ocx smss.exe File opened for modification C:\Windows\system\msvbvm60.dll 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\system\mscoree.dll smss.exe File opened for modification C:\Windows\system\msvbvm60.dll smss.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll Gaara.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 36 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2452 ping.exe 3656 ping.exe 1416 ping.exe 1704 ping.exe 4916 ping.exe 4300 ping.exe 952 ping.exe 3224 ping.exe 4816 ping.exe 3576 ping.exe 3936 ping.exe 3372 ping.exe 2972 ping.exe 3528 ping.exe 2952 ping.exe 4716 ping.exe 4084 ping.exe 2916 ping.exe 5052 ping.exe 3936 ping.exe 4732 ping.exe 4872 ping.exe 4716 ping.exe 5008 ping.exe 1856 ping.exe 636 ping.exe 2416 ping.exe 1916 ping.exe 408 ping.exe 4944 ping.exe 1916 ping.exe 3440 ping.exe 5032 ping.exe 1104 ping.exe 556 ping.exe 980 ping.exe -
Modifies Control Panel 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Screen Saver.Marquee\Speed = "4" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Desktop\WallpaperStyle = "2" 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Desktop\WallpaperStyle = "2" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Screen Saver.Marquee\Size = "72" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Desktop\WallpaperStyle = "2" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Screen Saver.Marquee Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Desktop\WallpaperStyle = "2" csrss.exe Key created \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Desktop system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe Key created \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Desktop Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Screen Saver.Marquee\Speed = "4" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Desktop\WallpaperStyle = "2" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe Key created \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Desktop Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Screen Saver.Marquee\Size = "72" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Screen Saver.Marquee csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" csrss.exe Key created \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Screen Saver.Marquee smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Screen Saver.Marquee\Speed = "4" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Screen Saver.Marquee\Speed = "4" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Screen Saver.Marquee\Speed = "4" 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe Key created \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Screen Saver.Marquee system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" system32.exe Key created \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Desktop csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" smss.exe Key created \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Control Panel\Desktop 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Internet Explorer\Main smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" smss.exe Key created \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Internet Explorer\Main system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" system32.exe Key created \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Internet Explorer\Main Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe Key created \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Internet Explorer\Main Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Internet Explorer\Main csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Gaara.exe Key created \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Internet Explorer\Main 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe -
Modifies registry class 51 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" smss.exe -
Runs ping.exe 1 TTPs 36 IoCs
pid Process 2972 ping.exe 4916 ping.exe 1704 ping.exe 4732 ping.exe 1104 ping.exe 4816 ping.exe 4716 ping.exe 5008 ping.exe 2916 ping.exe 4872 ping.exe 3656 ping.exe 3224 ping.exe 1916 ping.exe 5032 ping.exe 2452 ping.exe 2952 ping.exe 3936 ping.exe 556 ping.exe 5052 ping.exe 4300 ping.exe 952 ping.exe 4944 ping.exe 1856 ping.exe 636 ping.exe 2416 ping.exe 3372 ping.exe 1916 ping.exe 408 ping.exe 3440 ping.exe 1416 ping.exe 980 ping.exe 3936 ping.exe 3528 ping.exe 3576 ping.exe 4716 ping.exe 4084 ping.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3388 system32.exe 3388 system32.exe 3388 system32.exe 3388 system32.exe 3388 system32.exe 3388 system32.exe 3388 system32.exe 3388 system32.exe 3388 system32.exe 3388 system32.exe 3388 system32.exe 3388 system32.exe 3388 system32.exe 3388 system32.exe 3388 system32.exe 3388 system32.exe 3388 system32.exe 3388 system32.exe 3388 system32.exe 3388 system32.exe 3388 system32.exe 3388 system32.exe 3388 system32.exe 3388 system32.exe 2060 Gaara.exe 2060 Gaara.exe 2060 Gaara.exe 2060 Gaara.exe 2060 Gaara.exe 2060 Gaara.exe 2060 Gaara.exe 2060 Gaara.exe 2060 Gaara.exe 2060 Gaara.exe 2060 Gaara.exe 2060 Gaara.exe 2060 Gaara.exe 2060 Gaara.exe 2060 Gaara.exe 2060 Gaara.exe 960 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe 960 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe 960 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe 960 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe 960 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe 960 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe 960 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe 960 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe 960 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe 960 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe 960 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe 960 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe 960 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe 960 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe 960 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe 960 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe 960 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe 960 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe 960 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe 960 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe 960 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe 960 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe 960 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe 960 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe -
Suspicious use of SetWindowsHookEx 31 IoCs
pid Process 960 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe 3824 smss.exe 1464 smss.exe 2060 Gaara.exe 4736 smss.exe 3860 Gaara.exe 992 csrss.exe 3184 smss.exe 2604 Gaara.exe 2504 csrss.exe 3748 Kazekage.exe 2340 smss.exe 1084 Gaara.exe 900 csrss.exe 3908 Kazekage.exe 3388 system32.exe 1152 smss.exe 2900 Gaara.exe 4876 csrss.exe 1028 Kazekage.exe 1872 system32.exe 1692 system32.exe 948 Kazekage.exe 3752 system32.exe 416 csrss.exe 1480 Kazekage.exe 2220 system32.exe 2564 Gaara.exe 4820 csrss.exe 476 Kazekage.exe 2788 system32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 960 wrote to memory of 3824 960 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe 78 PID 960 wrote to memory of 3824 960 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe 78 PID 960 wrote to memory of 3824 960 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe 78 PID 3824 wrote to memory of 1464 3824 smss.exe 79 PID 3824 wrote to memory of 1464 3824 smss.exe 79 PID 3824 wrote to memory of 1464 3824 smss.exe 79 PID 3824 wrote to memory of 2060 3824 smss.exe 80 PID 3824 wrote to memory of 2060 3824 smss.exe 80 PID 3824 wrote to memory of 2060 3824 smss.exe 80 PID 2060 wrote to memory of 4736 2060 Gaara.exe 81 PID 2060 wrote to memory of 4736 2060 Gaara.exe 81 PID 2060 wrote to memory of 4736 2060 Gaara.exe 81 PID 2060 wrote to memory of 3860 2060 Gaara.exe 82 PID 2060 wrote to memory of 3860 2060 Gaara.exe 82 PID 2060 wrote to memory of 3860 2060 Gaara.exe 82 PID 2060 wrote to memory of 992 2060 Gaara.exe 83 PID 2060 wrote to memory of 992 2060 Gaara.exe 83 PID 2060 wrote to memory of 992 2060 Gaara.exe 83 PID 992 wrote to memory of 3184 992 csrss.exe 84 PID 992 wrote to memory of 3184 992 csrss.exe 84 PID 992 wrote to memory of 3184 992 csrss.exe 84 PID 992 wrote to memory of 2604 992 csrss.exe 85 PID 992 wrote to memory of 2604 992 csrss.exe 85 PID 992 wrote to memory of 2604 992 csrss.exe 85 PID 992 wrote to memory of 2504 992 csrss.exe 86 PID 992 wrote to memory of 2504 992 csrss.exe 86 PID 992 wrote to memory of 2504 992 csrss.exe 86 PID 992 wrote to memory of 3748 992 csrss.exe 87 PID 992 wrote to memory of 3748 992 csrss.exe 87 PID 992 wrote to memory of 3748 992 csrss.exe 87 PID 3748 wrote to memory of 2340 3748 Kazekage.exe 88 PID 3748 wrote to memory of 2340 3748 Kazekage.exe 88 PID 3748 wrote to memory of 2340 3748 Kazekage.exe 88 PID 3748 wrote to memory of 1084 3748 Kazekage.exe 89 PID 3748 wrote to memory of 1084 3748 Kazekage.exe 89 PID 3748 wrote to memory of 1084 3748 Kazekage.exe 89 PID 3748 wrote to memory of 900 3748 Kazekage.exe 90 PID 3748 wrote to memory of 900 3748 Kazekage.exe 90 PID 3748 wrote to memory of 900 3748 Kazekage.exe 90 PID 3748 wrote to memory of 3908 3748 Kazekage.exe 91 PID 3748 wrote to memory of 3908 3748 Kazekage.exe 91 PID 3748 wrote to memory of 3908 3748 Kazekage.exe 91 PID 3748 wrote to memory of 3388 3748 Kazekage.exe 92 PID 3748 wrote to memory of 3388 3748 Kazekage.exe 92 PID 3748 wrote to memory of 3388 3748 Kazekage.exe 92 PID 3388 wrote to memory of 1152 3388 system32.exe 93 PID 3388 wrote to memory of 1152 3388 system32.exe 93 PID 3388 wrote to memory of 1152 3388 system32.exe 93 PID 3388 wrote to memory of 2900 3388 system32.exe 94 PID 3388 wrote to memory of 2900 3388 system32.exe 94 PID 3388 wrote to memory of 2900 3388 system32.exe 94 PID 3388 wrote to memory of 4876 3388 system32.exe 95 PID 3388 wrote to memory of 4876 3388 system32.exe 95 PID 3388 wrote to memory of 4876 3388 system32.exe 95 PID 3388 wrote to memory of 1028 3388 system32.exe 96 PID 3388 wrote to memory of 1028 3388 system32.exe 96 PID 3388 wrote to memory of 1028 3388 system32.exe 96 PID 3388 wrote to memory of 1872 3388 system32.exe 97 PID 3388 wrote to memory of 1872 3388 system32.exe 97 PID 3388 wrote to memory of 1872 3388 system32.exe 97 PID 992 wrote to memory of 1692 992 csrss.exe 98 PID 992 wrote to memory of 1692 992 csrss.exe 98 PID 992 wrote to memory of 1692 992 csrss.exe 98 PID 2060 wrote to memory of 948 2060 Gaara.exe 99 -
System policy modification 1 TTPs 12 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe"C:\Users\Admin\AppData\Local\Temp\2025-05-02_ba4cb72149f95e29237ceeed16cf5f2c_black-basta_elex_luca-stealer.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:960 -
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3824 -
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1464
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2060 -
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4736
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3860
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:992 -
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3184
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2604
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2504
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3748 -
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2340
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1084
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:900
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3908
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3388 -
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1152
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2900
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4876
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1028
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1872
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3936
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5052
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4732
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4084
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:952
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5032
-
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3576
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4716
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2416
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1916
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3440
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4300
-
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1692
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4816
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3224
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1856
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:636
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4872
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4916
-
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:948
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3752
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:980
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2452
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4944
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5008
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:408
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3528
-
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:416
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1480
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2220
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1416
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3656
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3936
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4716
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2972
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1916
-
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2564
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4820
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:476
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2788
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1104
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:556
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1704
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2952
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2916
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3372
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:4164
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:4760
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:4780
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:4744
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:3456
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:3428
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:3452
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:3460
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:4872
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:952
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:3024
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:5040
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:4472
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:3936
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:4844
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:1088
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:4180
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:3236
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:4852
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:328
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:2116
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:2344
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:2500
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:2916
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:548
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:4084
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:5048
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:4504
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:2788
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:4392
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:4076
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:832
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:1400
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1376
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:4004
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:1520
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:868
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1392
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:1104
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:4816
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:4132
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:2444
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:3640
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:976
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:4456
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1920
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:3452
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:3932
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:4852
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:3540
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:2548
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:3536
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:3520
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:4352
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:2904
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:3576
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:3616
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:2920
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:4036
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:2824
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:548
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:3236
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:952
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:3036
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:1328
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:3440
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:5052
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:848
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:1864
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:4772
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:1520
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:4996
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:2880
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1436
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:4572
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:1068
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:4188
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:868
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:4136
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:3120
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:4260
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1416
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:1008
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:1372
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:3712
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:3456
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:3780
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:2296
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:776
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1488
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:4080
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:2564
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:3492
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:900
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:2272
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:3088
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:3876
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:4340
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:2348
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:2364
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:3520
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1272
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:1916
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:3972
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:4076
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:2812
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:4752
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:1736
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:1580
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1068
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:1684
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:1412
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:1000
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:2036
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:1376
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:4744
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:3232
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1768
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:3524
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:4004
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:1236
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1860
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:5008
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:560
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:2140
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:4420
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:3908
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:1648
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:3860
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:240
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:2760
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:1656
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:3884
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:4392
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:1420
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:836
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:4772
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1492
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:4748
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:2032
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:1644
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1136
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:4872
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:2340
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:5068
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:392
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:4128
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:1376
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:1608
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:3460
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:1152
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:4864
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:5052
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:3428
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:2568
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:4140
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:5040
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:3588
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:1380
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:4456
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:1420
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:2904
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:4756
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:4424
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:556
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:944
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:1972
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:1880
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:1376
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:2428
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:2360
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:3424
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:2392
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1424
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:828
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:3860
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:2520
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:3736
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:4780
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:3528
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:2648
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:4700
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:4188
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:1412
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:2092
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1860
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:1480
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:3212
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:996
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1184
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:1572
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:3628
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:2096
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:3360
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:1772
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:112
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:4716
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:2348
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:4636
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:3012
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:5088
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:4912
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:624
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:3236
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:1192
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:4140
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:4456
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:2196
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1200
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:2520
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:4424
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:2124
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:2608
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:3380
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:3268
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:4024
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:2140
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1408
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:1516
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:3536
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:4868
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:3628
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:836
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:328
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:4696
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1744
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:2284
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:2096
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:4532
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1608
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:1476
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:2000
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:2880
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:3784
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:4572
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:2412
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:3780
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:2704
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:4136
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:2316
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:1696
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:2916
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:2196
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:2224
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:4420
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:2444
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:1492
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:240
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:2904
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:4872
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:900
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:4024
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:692
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:2364
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:2632
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:1408
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:1940
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:4304
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:2548
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:3112
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:1104
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1308
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:3088
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:3936
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:2040
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:4816
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:4728
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:1876
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:1028
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:2416
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:4776
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:2164
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:4136
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:2936
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:3428
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:1872
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:3424
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:5048
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:3416
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:548
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:976
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1868
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:1980
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:5012
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:4684
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1516
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:1420
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:3924
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:2972
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1044
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:4392
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:3264
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:4696
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1376
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:2952
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:2548
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:3936
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:844
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:4712
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:3460
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:768
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:4908
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:4992
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:2228
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:3616
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:4504
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:2796
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:4128
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:1424
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:2620
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:1932
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:4848
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:1844
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1924
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:828
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:1672
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:1884
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:4856
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:3004
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:1980
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:4684
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:692
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:5092
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:1400
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:4752
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:3228
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:328
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:3264
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:2324
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:4320
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:1376
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:1140
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:3168
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:2328
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:4864
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:888
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:4456
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:5104
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:560
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:1488
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:4128
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:2556
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:792
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:1984
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:648
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:3568
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:4124
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:756
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1672
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:892
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:900
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:3184
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:2108
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:2044
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:4872
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:3640
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:4004
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:944
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:2436
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:1400
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:2316
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1912
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:1232
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:8
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:2416
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1372
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:1284
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:4352
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:3428
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:5052
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:1512
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:1872
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:3216
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1516
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:3004
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:1844
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:4228
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1484
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:1884
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:3584
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:1080
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:4860
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:3044
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:3192
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:328
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:4308
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:4300
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:3972
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:4136
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:4000
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:4128
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:4516
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:1844
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:2608
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:2392
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:2140
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:4868
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:3756
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:5008
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:4956
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:3156
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:5092
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:1484
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:2900
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:2040
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:964
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:4260
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:4864
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:3332
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:4908
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1900
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:2556
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:3972
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:3172
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:2220
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:1328
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:1864
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1696
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:3656
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:2036
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:3428
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1372
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:3416
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:2592
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:1200
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:4004
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:4736
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:2332
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:3584
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:868
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:952
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:4368
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:3820
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:3908
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:2548
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:1048
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:1552
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:4024
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:2452
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:2096
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:2880
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:2604
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:2920
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:3572
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:4772
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:1868
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:560
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:2796
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:3500
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1028
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:4820
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:896
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:4636
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:4748
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:2936
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:5052
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:4428
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:4848
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:2812
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:1980
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:3680
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:3416
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:2580
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:3932
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:2032
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:2344
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:3264
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:3076
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:4228
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:2908
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:2584
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:132
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1044
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:4712
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:2288
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:5080
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1856
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:2040
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:4864
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:2892
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:3784
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:4756
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:4572
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:2136
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:2616
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:2316
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:4776
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:3280
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:836
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1328
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:3500
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:2676
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:1424
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:924
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:548
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:4516
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:4360
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:2760
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:4848
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:2648
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:2360
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:3376
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:4180
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:4856
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:3364
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:3076
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:944
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:1392
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:132
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:3192
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:1476
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:1400
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:1236
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1484
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:3724
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:1768
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:2116
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1856
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:2892
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:2880
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:4036
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:3948
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:3012
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:5104
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:896
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1912
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:4588
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:560
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:4128
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1680
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:1152
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:3736
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:4136
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:2564
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:4884
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:2648
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:1420
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:5068
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:3416
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:2436
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:868
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1516
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:1376
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:4008
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:1408
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1392
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:3584
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:5004
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:3032
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:5080
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:1600
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:3024
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:2772
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1484
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:3456
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:3088
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:1900
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:3588
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:3620
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:3592
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:1412
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:3120
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:3012
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:4156
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:1696
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1984
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:5012
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:1912
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:548
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:1520
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1088
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:1680
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:2932
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1996
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:4852
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:5068
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:3168
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:4824
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:5028
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:132
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:624
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:2796
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:1380
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:4532
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:2412
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:4036
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:2556
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:2616
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:3568
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:1272
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:3012
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:3656
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:1464
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:4124
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:1548
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:4128
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:848
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:832
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:2472
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:3416
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:4404
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:3436
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:2056
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:1552
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:3620
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:3244
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:4608
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:1408
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:2468
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:4756
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:480
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:4944
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:836
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:4712
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:2104
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:3584
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:2608
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:5012
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:3972
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:4780
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:1080
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:652
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:2880
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:2348
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:2316
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:3576
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:2096
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:1876
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:4304
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:4104
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:888
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:4916
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:4732
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:2468
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:4140
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:1404
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:5040
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:4636
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:4516
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:1376
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:1520
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:1868
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:2296
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:376
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:3164
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:4696
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:3764
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:2124
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:4008
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:5068
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:3264
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:4752
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:4992
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:980
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:1036
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:384
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:5028
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:776
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:4308
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:4908
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:944
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1744
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:1140
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:896
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:2116
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:224
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:5104
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:3416
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:3012
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1380
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:1188
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:4156
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:3112
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1464
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:756
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:4636
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:924
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:900
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:4928
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:3652
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:2676
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:3120
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:1972
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:1844
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:3264
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1772
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:2908
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:1996
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:692
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:3396
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:3572
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:2652
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:1408
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:2500
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:1768
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:4824
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:4944
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:768
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:3752
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:1232
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:892
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:2772
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:4756
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:636
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:2380
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:8
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:4156
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:2396
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:5040
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:2016
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:4868
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:3680
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:556
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:4472
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:2236
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:2308
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:2036
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:648
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:2444
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:1652
Network
MITRE ATT&CK Enterprise v16
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Disable or Modify Tools
1Modify Registry
8Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
736B
MD5bb5d6abdf8d0948ac6895ce7fdfbc151
SHA19266b7a247a4685892197194d2b9b86c8f6dddbd
SHA2565db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c
-
Filesize
196B
MD51564dfe69ffed40950e5cb644e0894d1
SHA1201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA51272df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097
-
Filesize
8.3MB
MD583d7346bea97475b0edce9847911d51e
SHA13f2cc3f4328497537e02e4ed2b9acfe589d2ca3d
SHA256616af6264345f5df8db370bd3d3a77596ce3345ae451180faa832f6a4ae6ca30
SHA512fed11b7ad6cefa7844d54573c03d08e01253eac0771087467bdb7aaefb96e917b48d8586407bffc63d044a24954abfebe3af19134d6007f7e7599c7402cdfd9c
-
Filesize
8.3MB
MD5ba4cb72149f95e29237ceeed16cf5f2c
SHA12f002c6912923d4bc11ac8b392009e414de7e0bb
SHA256cab5015c0365402d482e6d68f8f2384d70c390d1eb6104ee8ba8c461fc13415a
SHA512b0cff24f87cd636e3ca2c5fbd3cead5b58fade69ae425079c3cc6574550a255a02b34af664bc1fe4e7fb695ae3bcc83585965d2acb13ccb367e9c59daeef2afb
-
Filesize
8.3MB
MD5d8f5ef6da9a9043a15ae9b519c2edeb8
SHA19cc457b6a9c2916be1537dea02ce5c17ed47dd80
SHA2565c25307ecc6fc40993734fa15a1e41b6aa8dd267aab7e2b0f98ccb51bff0b50c
SHA512e7e05ea8f9d75b7eaeca121c98fa31b9fd463e3bb7b02ba00360790b8dd005c015798bfb0d712087b8c6f318f5fea3dc4e635c586c51ceed6278d21343008286
-
Filesize
8.3MB
MD5cab762401eec42ed9cfeb93ea7d7be5c
SHA1c62a2a1c5c4d43543f0d1c60fd6956b96116c4c3
SHA256c6ec0b609ddb948d100c9faf0ab8f44c536a3d2dbf76da180293d6dd7f7438ba
SHA512ef879dbc2555c2f9fd0752ce7d076bbb3086585391aa7b7c2369185cc37e57635be5290b8f5555b9c770b0abdc9a08b46e66e6a81f3cd32124e4fc76b55cc8b8
-
Filesize
64KB
MD539f79bb9bde0ce5a8e10f200d947be82
SHA1ca9c386f064ca1ed15b1dd68c51f0ecfd6342e6d
SHA2562f1e8342eb4b9a7a44c95bb730fafd4edafb36eeb8b81a2201ef509ab5d0ee2b
SHA512d69b3f8a4f11ad9c5ddcb5633195cccc5c9f303531e0ec97ca7c78b47bf2413e00b2f4e72f49b9265e828d4d5d3582573b169876148b5af72f6cfd6783e3e7f8
-
Filesize
1.4MB
MD5d6b05020d4a0ec2a3a8b687099e335df
SHA1df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA2569824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA51278fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff
-
Filesize
4.9MB
MD5f3452a588bb2768c04ce7f5e46daca76
SHA1bd77f58e9b8d5bfd08a2706d8de2427d8df0afcb
SHA256ef24fadda77c0252cca7d91cdd7a402541b06972268a9db4a082889463973efa
SHA512036f5d4a0806eb6ac09e2fdc2fb6e967484c4b52fdfcb41efcda2a442a87417dfde9528c96c489d140e902fc0acd7046ef642030e127dd0a37d0c2b4d48cfb72
-
Filesize
8.3MB
MD52a82e2d43a2345ef9680730edad3b922
SHA1e9b01e9cf2455b24453643ed1951fae63e74d914
SHA2566c6e2ef2992faaaf7b0bba92c1e5db324d0acab10c6625f55cafb5ee2dfdf93d
SHA512fd060e64064e1fe5603403bbde786a27ebf30483ddda741d1271fe56cb2d2819f511c8bce5b5db155db615f95b32288b7b94d74116f763427066df013b24b1e2
-
Filesize
5.7MB
MD5b8df5036139482b591afb498709a6f14
SHA129bb317beb6acc9d979a5912bacf93125e647ec2
SHA25606dfd0544e887cc678971405bb79ad36978fc9951d6a6b3cfd10bff80cfe37d7
SHA512cf8860d6c06d94fd9a2a7208a2685861e3afb3f9f2e37b5d265b456053c1063a72b0b47f1ba51fb60894f71f3d93f530c10be8f1e3337eed4458e367c7b8b7a3
-
Filesize
6.4MB
MD5147f9693b73bc5d7af9b49c10f30a8cb
SHA14155727efab7602543510634e6445c4edb566c65
SHA25629824c12d02c37e08c25a08a6290d0f84c3cc523dca027edbf2f05bd3ced5d50
SHA5122d33a37ce192cf472726b1505762c1f4c083b88aac3606456e4ed5802383c99b3f0b59c17b87552529b5090c5c5fccbeabcb0234dfb35234e4a060d208d27259
-
Filesize
65B
MD564acfa7e03b01f48294cf30d201a0026
SHA110facd995b38a095f30b4a800fa454c0bcbf8438
SHA256ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA51265a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a
-
Filesize
8.3MB
MD56ab806ccbfa84add6fca80696c34b4a5
SHA1ac387d3267f4f10d36c83f1960b5a0bf0b5c9df0
SHA256b2ff9c2541c6cd1a8146cb8b6e2d935009a0806e4b0068cb402f2085c271adbc
SHA5124c744f03dc37514e03ad3d5e5600ed1950c5aad144ea7ce64fc933b9049dc47da3ec868d5778700b7ce656b8e1db18c8cb173e5b243c20c83b28fe9a0acd75ad
-
Filesize
8.3MB
MD55ab03bc441be3a89f78fce6fb2768c81
SHA1896e6222023a28822ac44c3c1644a0bcf1123c68
SHA256a10ce848c9caaed7916b36494a1183fe5298bc015c4e2aebb3f97314899f22b6
SHA512dcc055dc3015e13510f5c7d1fc9a386d344ee1a8221630edf859d5b564c7875329304ae45dfe8f1f27060ee3accaf0082e0d8e8ac90c388ed313da9a39c4b615
-
Filesize
8.3MB
MD573ef16fef2cf258b6bc1130df4f39377
SHA13828d2e27ba62af9b2194e6565e40e2b2bc346f3
SHA256ae85af27cfcaa9765b29faa8b91db38a4b6e1ac04ade20a510e68290d16af0c2
SHA512678df7a52c958409739b0c2b3c613305071283caf4f4224b4325717d0414dc96b793bde2f78af5016d95161bb7e8de467e2807bbbfeb98fa0ba61c65a5c0c977
-
Filesize
8.3MB
MD56eb2cfe2d6e4cb73b17d262149e2b674
SHA1e396a23a0ac6b1e5d9ab7a9607dde8cdb831c846
SHA25611a575562afa2487db06e3bc178e03187235289ede9e502f449688d3c1be940a
SHA5126768efecd3468fda5729e2c011bc22ebc4086619ed4d00fc10779372b72264099f057c0e056373296400a270694ec13365f546cc213069d61cee72156e53a52b
-
Filesize
6.2MB
MD58558795bebe2ea3ee40b5246defb29eb
SHA1201be9a30876131498e378469ab39183e7480944
SHA2563d626bc5924b2d9be0d3ab166f55384bff16a449770eba85a1231660b8d44d64
SHA5124c9eb1b041f6d462734241b6b5a365325deac5bbb06204d86f21a58470c50b2cb0928e2dc721d464ede7b7e11425d5bcecf8000f14da35dc0c72d5f14d145b08
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
63KB
MD53121a783fc1c4c2c6942fe2cae6f1b22
SHA105cf5ce7d797e689d7d1e153ab5941a099aa5336
SHA2569ea03d1d840ce2049d689eccc7e51d122f3c04ad622d278f7cf49ed3b9ea5e1e
SHA5124a3fdc9ac82aa243defb004518900e35be9674728006fe6cb5ff5699bd3aa2827191dd05c5ec8dd432809254c9633916765ff19dc2b561c7bf68ba6c2cb1bea8