Malware Analysis Report

2025-08-05 19:17

Sample ID 240513-mf7tysbb89
Target b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics
SHA256 58676e386e9d85c29873f52a803cfff142d56820c9213ccf16c9de0170ace24d
Tags
evasion persistence ransomware trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

58676e386e9d85c29873f52a803cfff142d56820c9213ccf16c9de0170ace24d

Threat Level: Known bad

The file b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

evasion persistence ransomware trojan upx

Modifies visibility of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

UAC bypass

Modifies WinLogon for persistence

Disables RegEdit via registry modification

Drops file in Drivers directory

Disables use of System Restore points

Sets file execution options in registry

Executes dropped EXE

Loads dropped DLL

UPX packed file

Checks whether UAC is enabled

Adds Run key to start application

Drops desktop.ini file(s)

Enumerates connected drives

Drops autorun.inf file

Sets desktop wallpaper using registry

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Runs ping.exe

Suspicious use of SetWindowsHookEx

Modifies Control Panel

System policy modification

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-13 10:25

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-13 10:25

Reported

2024-05-13 10:28

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A

Disables use of System Restore points

evasion

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 13 - 5 - 2024\\Gaara.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 13 - 5 - 2024\\smss.exe" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "13-5-2024.exe" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 13 - 5 - 2024\\smss.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "13-5-2024.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "13-5-2024.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 13 - 5 - 2024\\smss.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "13-5-2024.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 13 - 5 - 2024\\Gaara.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "13-5-2024.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 13 - 5 - 2024\\Gaara.exe" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 13 - 5 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 13 - 5 - 2024\\smss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 13 - 5 - 2024\\smss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 13 - 5 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 13 - 5 - 2024\\smss.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 13 - 5 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "13-5-2024.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification D:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification F:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification \??\R:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\U:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File created \??\I:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File created \??\Q:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\K:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\K:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File created \??\J:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\V:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File created \??\U:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification \??\K:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification F:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File created \??\A:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File created \??\H:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File created \??\U:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File created \??\B:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification \??\V:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File created \??\O:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File created \??\M:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification \??\K:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File created \??\S:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File created \??\J:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\G:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification \??\K:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\W:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File created \??\P:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File created \??\Q:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\13-5-2024.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\13-5-2024.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\13-5-2024.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\13-5-2024.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\13-5-2024.exe C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\13-5-2024.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\13-5-2024.exe C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File created C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 13 - 5 - 2024\msvbvm60.dll C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\ C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 13 - 5 - 2024\msvbvm60.dll C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 13 - 5 - 2024\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 13 - 5 - 2024\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File created C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File created C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File created C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File created C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 13 - 5 - 2024\msvbvm60.dll C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1980 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
PID 1980 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
PID 1980 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
PID 1860 wrote to memory of 3300 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
PID 1860 wrote to memory of 3300 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
PID 1860 wrote to memory of 3300 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
PID 1860 wrote to memory of 3676 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe
PID 1860 wrote to memory of 3676 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe
PID 1860 wrote to memory of 3676 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe
PID 3676 wrote to memory of 4152 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
PID 3676 wrote to memory of 4152 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
PID 3676 wrote to memory of 4152 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
PID 3676 wrote to memory of 1912 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe
PID 3676 wrote to memory of 1912 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe
PID 3676 wrote to memory of 1912 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe
PID 3676 wrote to memory of 3044 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe
PID 3676 wrote to memory of 3044 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe
PID 3676 wrote to memory of 3044 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe
PID 3044 wrote to memory of 2520 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
PID 3044 wrote to memory of 1576 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe
PID 3044 wrote to memory of 1512 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe
PID 3044 wrote to memory of 5048 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 5048 wrote to memory of 1632 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
PID 5048 wrote to memory of 392 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe
PID 5048 wrote to memory of 864 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe
PID 5048 wrote to memory of 2996 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 5048 wrote to memory of 3004 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3004 wrote to memory of 1292 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
PID 3004 wrote to memory of 2468 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe
PID 3004 wrote to memory of 976 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe
PID 3004 wrote to memory of 1204 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3004 wrote to memory of 3860 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3044 wrote to memory of 1288 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3676 wrote to memory of 4428 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe"

C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe

"C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe"

C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe

"C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe"

C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe

"C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe"

C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe"

C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe

"C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe"

C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe

"C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe"

C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe

"C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe"

C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4244,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=4200 /prefetch:8

C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 23.62.61.184:443 www.bing.com tcp
US 8.8.8.8:53 184.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp

Files

memory/1980-0-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\System\msvbvm60.dll

memory/1860-32-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe

C:\Windows\Fonts\The Kazekage.jpg

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

memory/3300-72-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Windows\SysWOW64\13-5-2024.exe

C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe

C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe

memory/3300-77-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3676-75-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Windows\SysWOW64\13-5-2024.exe

C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

memory/4152-111-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1912-115-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4152-114-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1912-120-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3044-122-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\SysWOW64\13-5-2024.exe

memory/2520-150-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1576-159-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1512-160-0x0000000000400000-0x000000000043B000-memory.dmp

memory/5048-167-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1512-168-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1980-166-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\SysWOW64\13-5-2024.exe

memory/1860-191-0x0000000000400000-0x000000000043B000-memory.dmp

memory/392-201-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3676-200-0x0000000000400000-0x000000000043B000-memory.dmp

memory/864-205-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3004-212-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2996-211-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

C:\Windows\SysWOW64\13-5-2024.exe

memory/3044-230-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2468-237-0x0000000000400000-0x000000000043B000-memory.dmp

memory/976-238-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1204-239-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1204-242-0x0000000000400000-0x000000000043B000-memory.dmp

memory/5048-243-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3860-246-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1288-249-0x0000000000400000-0x000000000043B000-memory.dmp

memory/820-255-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4428-256-0x0000000000400000-0x000000000043B000-memory.dmp

memory/820-259-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3004-262-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4040-265-0x0000000000400000-0x000000000043B000-memory.dmp

memory/5000-266-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4408-269-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1892-272-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2476-275-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1200-278-0x0000000000400000-0x000000000043B000-memory.dmp

memory/5072-281-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Admin Games\Readme.txt

C:\Autorun.inf

C:\Windows\SysWOW64\Desktop.ini

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-13 10:25

Reported

2024-05-13 10:28

Platform

win7-20240419-en

Max time kernel

149s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A

Disables use of System Restore points

evasion

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 13 - 5 - 2024\\Gaara.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 13 - 5 - 2024\\smss.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 13 - 5 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 13 - 5 - 2024\\smss.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 13 - 5 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 13 - 5 - 2024\\smss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 13 - 5 - 2024\\smss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 13 - 5 - 2024\\smss.exe" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "13-5-2024.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "13-5-2024.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "13-5-2024.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 13 - 5 - 2024\\Gaara.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "13-5-2024.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "13-5-2024.exe" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "13-5-2024.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 13 - 5 - 2024\\Gaara.exe" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 13 - 5 - 2024\\smss.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 13 - 5 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\W:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification \??\Y:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File created \??\O:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\P:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File created \??\Q:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File created \??\U:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File created \??\G:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File created \??\T:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File created \??\N:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File created \??\X:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File created \??\W:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File created \??\N:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification D:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File created \??\U:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\P:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File created \??\J:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File created \??\V:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File created \??\G:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File created \??\X:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File created \??\J:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\O:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\V:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File created \??\L:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File created \??\A:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\A:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File created \??\E:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification F:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\V:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\N:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\I:\Autorun.inf C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\13-5-2024.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\13-5-2024.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\13-5-2024.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\13-5-2024.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\13-5-2024.exe C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\13-5-2024.exe C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\13-5-2024.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 13 - 5 - 2024\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 13 - 5 - 2024\msvbvm60.dll C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File created C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 13 - 5 - 2024\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File created C:\Windows\Fonts\Admin 13 - 5 - 2024\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 13 - 5 - 2024\msvbvm60.dll C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 13 - 5 - 2024\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File created C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\ C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
File created C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2904 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
PID 2904 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
PID 2904 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
PID 2904 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
PID 2676 wrote to memory of 2664 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
PID 2676 wrote to memory of 2664 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
PID 2676 wrote to memory of 2664 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
PID 2676 wrote to memory of 2664 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
PID 2676 wrote to memory of 2488 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe
PID 2676 wrote to memory of 2488 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe
PID 2676 wrote to memory of 2488 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe
PID 2676 wrote to memory of 2488 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe
PID 2488 wrote to memory of 1668 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
PID 2488 wrote to memory of 1668 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
PID 2488 wrote to memory of 1668 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
PID 2488 wrote to memory of 1668 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
PID 2488 wrote to memory of 2776 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe
PID 2488 wrote to memory of 2776 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe
PID 2488 wrote to memory of 2776 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe
PID 2488 wrote to memory of 2776 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe
PID 2488 wrote to memory of 2580 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe
PID 2488 wrote to memory of 2580 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe
PID 2488 wrote to memory of 2580 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe
PID 2488 wrote to memory of 2580 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe
PID 2580 wrote to memory of 1872 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
PID 2580 wrote to memory of 1872 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
PID 2580 wrote to memory of 1872 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
PID 2580 wrote to memory of 1872 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
PID 2580 wrote to memory of 1284 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe
PID 2580 wrote to memory of 1284 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe
PID 2580 wrote to memory of 1284 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe
PID 2580 wrote to memory of 1284 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe
PID 2580 wrote to memory of 2276 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe
PID 2580 wrote to memory of 2276 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe
PID 2580 wrote to memory of 2276 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe
PID 2580 wrote to memory of 2276 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe
PID 2580 wrote to memory of 2236 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2580 wrote to memory of 2236 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2580 wrote to memory of 2236 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2580 wrote to memory of 2236 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2236 wrote to memory of 480 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
PID 2236 wrote to memory of 480 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
PID 2236 wrote to memory of 480 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
PID 2236 wrote to memory of 480 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
PID 2236 wrote to memory of 1112 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe
PID 2236 wrote to memory of 1112 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe
PID 2236 wrote to memory of 1112 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe
PID 2236 wrote to memory of 1112 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe
PID 2236 wrote to memory of 1488 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe
PID 2236 wrote to memory of 1488 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe
PID 2236 wrote to memory of 1488 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe
PID 2236 wrote to memory of 1488 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe
PID 2236 wrote to memory of 1088 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2236 wrote to memory of 1088 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2236 wrote to memory of 1088 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2236 wrote to memory of 1088 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2236 wrote to memory of 1868 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2236 wrote to memory of 1868 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2236 wrote to memory of 1868 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2236 wrote to memory of 1868 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 1868 wrote to memory of 2304 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
PID 1868 wrote to memory of 2304 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
PID 1868 wrote to memory of 2304 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
PID 1868 wrote to memory of 2304 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
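
The WriteProcessMemory rows above are the report's only record of who spawned whom: the sandbox prints one row per write call, so every parent/child pair appears four times, and the chain sample -> smss.exe -> Gaara.exe -> csrss.exe -> Kazekage.exe -> system32.exe is easy to lose in the repetition. The script below is an added example for reading such a table; it is not part of the sandbox's output and the sandbox vendor does not ship it. It collapses the duplicates, rebuilds the tree, and flags images that borrow a core Windows process name (smss.exe, csrss.exe) outside C:\Windows\System32 or sit under a drivers\ directory. The sample rows are copied from the table above with one deliberate repeat; the ATT&CK label in the comment is my mapping, not the report's.

```python
"""Rebuild the detonation's process tree from the WriteProcessMemory rows.

Each row reads
    PID <parent> wrote to memory of <child> N/A <parent image> <child image>
The sandbox logs one row per write call, so identical rows are collapsed on
the (parent pid, child pid) pair before the tree is assembled.
"""
import re
from collections import defaultdict

# Rows copied from the "Suspicious use of WriteProcessMemory" table above:
# one row per distinct parent/child pair, plus one repeat of the first row
# to exercise the deduplication.
REPORT_ROWS = r"""
PID 2904 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
PID 2904 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
PID 2676 wrote to memory of 2664 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
PID 2676 wrote to memory of 2488 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe
PID 2488 wrote to memory of 1668 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
PID 2488 wrote to memory of 2776 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe
PID 2488 wrote to memory of 2580 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe
PID 2580 wrote to memory of 1872 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
PID 2580 wrote to memory of 1284 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe
PID 2580 wrote to memory of 2276 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe
PID 2580 wrote to memory of 2236 N/A C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2236 wrote to memory of 480 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
PID 2236 wrote to memory of 1112 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe
PID 2236 wrote to memory of 1488 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe
PID 2236 wrote to memory of 1088 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2236 wrote to memory of 1868 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 1868 wrote to memory of 2304 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
"""

# Both image paths contain spaces, so the row is split on its fixed tokens,
# not on whitespace; each path ends in .exe and the second one starts at " C:\".
EDGE_RE = re.compile(
    r"^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) N/A "
    r"(?P<ppath>C:\\.+?\.exe) (?P<cpath>C:\\.+\.exe)$"
)

# Core Windows process names this sample borrows for its dropped copies.
SYSTEM_NAMES = {"smss.exe", "csrss.exe"}


def parse_edges(text):
    """Map (parent pid, child pid) -> (parent image, child image), duplicates collapsed."""
    edges = {}
    for line in text.splitlines():
        m = EDGE_RE.match(line.strip())
        if m:
            edges.setdefault((int(m["parent"]), int(m["child"])),
                             (m["ppath"], m["cpath"]))
    return edges


def build_tree(edges):
    """Return (children, names, roots): adjacency list, pid -> image, and the
    pids nobody wrote to, i.e. the detonated sample itself."""
    children = defaultdict(list)
    names = {}
    for (parent, child), (ppath, cpath) in edges.items():
        children[parent].append(child)
        names[parent] = ppath
        names[child] = cpath
    written_to = {child for _, child in edges}
    roots = sorted(pid for pid in names if pid not in written_to)
    return children, names, roots


def render(children, names, pid, depth=0, out=None):
    """Indented one-line-per-process view, depth-first in report order."""
    out = [] if out is None else out
    out.append(f"{'  ' * depth}{pid}  {names[pid]}")
    for child in children.get(pid, []):
        render(children, names, child, depth + 1, out)
    return out


def suspicious_images(names):
    """Flag images that reuse a core Windows process name outside
    C:\\Windows\\System32 (ATT&CK T1036.005, my mapping) or that live under a
    drivers\\ directory, where no user-mode executable belongs."""
    flagged = []
    for pid, path in sorted(names.items()):
        directory, _, base = path.rpartition("\\")
        if base.lower() in SYSTEM_NAMES and directory.lower() != r"c:\windows\system32":
            flagged.append((pid, path))
        elif directory.lower().endswith("\\drivers"):
            flagged.append((pid, path))
    return flagged


if __name__ == "__main__":
    children, names, roots = build_tree(parse_edges(REPORT_ROWS))
    for root in roots:
        print("\n".join(render(children, names, root)))
    for pid, path in suspicious_images(names):
        print(f"suspicious image: {pid} {path}")
```

Run as-is it prints the 17-process tree rooted at PID 2904 and flags every smss.exe/csrss.exe copy under C:\Windows\Fonts\ plus the three images under SysWOW64\drivers\. One caveat when reading the paths: the sample is 32-bit, so its writes to C:\Windows\system32\drivers\ are redirected by WOW64 to C:\Windows\SysWOW64\drivers\, which is why the report's process paths say SysWOW64 while the matching command lines in the Processes list say system32. Both name the same files.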

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
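
The rows above are the report's flattened four-column table (Description, Indicator, Process, Target). The security-relevant point is the value: EnableLUA = 0 under HKLM\...\Policies\System switches UAC off for every account once the machine reboots, and because the key lives under HKLM the writer must already have been running with administrative rights. Six different images in the chain write it, so removing one binary does not undo the change. The Python below is an added example, not part of the sandbox report: it splits rows in exactly this layout into columns, matches the value against a small table of policy settings whose meaning is standard Windows semantics, and lists which images did the writing. The row text is copied from the table above; BAD_POLICY_VALUES and every function name are the example's own.

```python
import re
from dataclasses import dataclass

# Rows copied from the "System policy modification" table above, in the report's
# own column order (Description, Indicator, Process, Target). Target is N/A for
# every row here, which the regex below relies on.
POLICY_EVENTS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe N/A
"""

# One row: description, registry key (no spaces), optional = "value", process path
# (may contain spaces, hence lazy), and the target column at the end of the line.
ROW = re.compile(
    r'^(?P<desc>Set value \((?P<type>\w+)\)|Key created) '
    r'(?P<key>\\REGISTRY\\\S+?)'
    r'(?: = "(?P<value>[^"]*)")? '
    r'(?P<process>.+?) '
    r'(?P<target>N/A|\S+)$'
)

# Standard meaning of these Policies\System values (Windows semantics, not taken
# from the report). Value name -> (dangerous setting, what it does).
BAD_POLICY_VALUES = {
    "EnableLUA": ("0", "UAC disabled for every account; effective after the next reboot"),
    "ConsentPromptBehaviorAdmin": ("0", "administrators elevate without any prompt"),
    "DisableRegistryTools": ("1", "regedit.exe blocked"),
    "DisableTaskMgr": ("1", "Task Manager blocked"),
}


@dataclass(frozen=True)
class Finding:
    value_name: str
    value: str
    key: str
    process: str
    meaning: str

    @property
    def hive(self) -> str:
        return "HKLM" if self.key.startswith(r"\REGISTRY\MACHINE") else "HKU"

    @property
    def needs_admin(self) -> bool:
        # Writing under HKLM\SOFTWARE\...\Policies needs administrative rights,
        # so a process that succeeded here was already running elevated.
        return self.hive == "HKLM"


def parse_policy_events(text: str) -> list:
    """Split the flattened table rows into their four columns."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        rows.append(m.groupdict())
    return rows


def find_policy_tampering(text: str) -> list:
    """One Finding per 'Set value' row whose value matches a known-bad setting."""
    findings = []
    for row in parse_policy_events(text):
        if row["value"] is None:          # 'Key created' rows carry no value
            continue
        name = row["key"].rsplit("\\", 1)[-1]
        bad = BAD_POLICY_VALUES.get(name)
        if bad and row["value"] == bad[0]:
            findings.append(Finding(name, row["value"], row["key"], row["process"], bad[1]))
    return findings


def writers_of(text: str, value_name: str) -> list:
    """Distinct image names that wrote the given policy value."""
    return sorted({f.process.rsplit("\\", 1)[-1]
                   for f in find_policy_tampering(text) if f.value_name == value_name})
```

On a live host the matching check is the value of EnableLUA under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System; restoring it to 1 only takes effect after a reboot, and every image listed by writers_of has to be gone first or it is simply written back.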

Processes

C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe"

C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe

"C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe"

C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe

"C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe"

C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe

"C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe"

C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe"

C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe

"C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe"

C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe

"C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe"

C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe

"C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe"

C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

Network

Country Destination Domain Proto
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
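
Two things in the Processes list and the Network table above deserve a closer look. First, smss.exe and csrss.exe are core Windows process names that only run from %SystemRoot%\System32, yet here they start from C:\Windows\Fonts\..., and the copies in SysWOW64\drivers sit in a directory meant for kernel drivers. Second, the ping command lines are malformed: Windows ping expects -l followed by a numeric size and then the host, but here the hostname sits in the size slot and 65500 (the largest size ping accepts) sits where the host belongs. The only network activity recorded is a PTR query for 220.255.0.0.in-addr.arpa, which is the reverse name of 0.0.255.220, and 0.0.255.220 is exactly what the decimal literal 65500 denotes when parsed as one 32-bit address. So ping evidently accepted the line, treated 65500 as the target, and -a made it resolve that address; no ICMP to either domain appears in the trace. The Python below is an added example, not part of the report, that encodes both checks; the process pairs are copied from the list above, while the option tables, the heuristic in likely_intended and all function names are the example's own.

```python
from pathlib import PureWindowsPath
from typing import Optional

# Image path / command line pairs copied from the Processes list above; the
# full list repeats the same images many times, so one of each is kept.
PROCESSES = [
    (r"C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe", r'"C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe"'),
    (r"C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe", r'"C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe"'),
    (r"C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe", r'"C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe"'),
    (r"C:\Windows\SysWOW64\drivers\Kazekage.exe", r"C:\Windows\system32\drivers\Kazekage.exe"),
    (r"C:\Windows\SysWOW64\drivers\system32.exe", r"C:\Windows\system32\drivers\system32.exe"),
    (r"C:\Windows\SysWOW64\ping.exe", "ping -a -l www.rasasayang.com.my 65500"),
    (r"C:\Windows\SysWOW64\ping.exe", "ping -a -l www.duniasex.com 65500"),
]
# Core Windows processes that only ever run from %SystemRoot%\System32.
CORE_SYSTEM_IMAGES = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "services.exe", "lsass.exe"}
# Directories meant for fonts and kernel drivers, not user-mode executables.
ODD_EXE_DIRS = {"fonts", "drivers"}
# Windows ping.exe switches (not the Unix ones): value-taking, and bare flags.
PING_VALUE_OPTS = {"-n", "-l", "-i", "-v", "-w", "-r", "-s", "-j", "-k", "-S"}
PING_FLAG_OPTS = {"-t", "-a", "-f", "-4", "-6"}

def flag_image(path: str) -> list:
    """Location-based flags for one process image path."""
    p = PureWindowsPath(path)
    flags = []
    if p.name.lower() in CORE_SYSTEM_IMAGES and str(p.parent).lower() != r"c:\windows\system32":
        flags.append("masquerade")
    if p.suffix.lower() == ".exe" and ODD_EXE_DIRS & {part.lower() for part in p.parts}:
        flags.append("odd-location")
    return flags

def parse_ping(cmdline: str) -> dict:
    """Tokenise a Windows ping command line the way ping itself reads it."""
    tokens = cmdline.split()
    if not tokens or PureWindowsPath(tokens[0].strip('"')).name.lower() not in ("ping", "ping.exe"):
        raise ValueError("not a ping command line")
    opts, flags, positional, problems = {}, set(), [], []
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in PING_FLAG_OPTS:
            flags.add(tok)
        elif tok in PING_VALUE_OPTS:
            if i + 1 >= len(tokens):
                problems.append(f"{tok} has no value")
            else:
                opts[tok] = tokens[i + 1]   # whatever follows is taken as the value
                i += 1
        elif tok.startswith("-"):
            problems.append(f"unknown option {tok}")
        else:
            positional.append(tok)
        i += 1
    target = positional[0] if positional else None
    if "-l" in opts and not opts["-l"].isdigit():
        problems.append(f"-l expects a numeric size, got {opts['-l']!r}")
    if target is None:
        problems.append("no target host")
    elif target.isdigit():
        problems.append(f"target {target!r} is a bare integer and resolves as a 32-bit IPv4 address")
    return {"flags": flags, "opts": opts, "target": target, "problems": problems}

def decimal_literal_to_ipv4(literal: str) -> str:
    """inet_addr() accepts one decimal number as a whole 32-bit address."""
    n = int(literal)
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit value")
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def reverse_ptr_name(ipv4: str) -> str:
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"

def expected_ptr_query(cmdline: str) -> Optional[str]:
    """PTR name that 'ping -a <integer>' looks up, or None when not applicable."""
    p = parse_ping(cmdline)
    if "-a" not in p["flags"] or not p["target"] or not p["target"].isdigit():
        return None
    return reverse_ptr_name(decimal_literal_to_ipv4(p["target"]))

def likely_intended(cmdline: str) -> Optional[str]:
    """Heuristic only: swap an integer target back into the -l slot."""
    p = parse_ping(cmdline)
    size, target = p["opts"].get("-l"), p["target"]
    if size and not size.isdigit() and target and target.isdigit():
        return " ".join(x for x in ("ping", " ".join(sorted(p["flags"])), "-l", target, size) if x)
    return None

def triage(processes) -> list:
    """One record per process: location flags plus, for ping, the implied PTR query."""
    out = []
    for image, cmdline in processes:
        rec = {"image": image, "flags": flag_image(image), "ptr": None}
        if PureWindowsPath(image).name.lower() == "ping.exe":
            rec["ptr"] = expected_ptr_query(cmdline)
        out.append(rec)
    return out
```

The two domains in the command lines are still worth blocking and hunting for, but the DNS evidence that ties this sample to a host is the PTR query for 220.255.0.0.in-addr.arpa, not a lookup of either hostname.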

Files

memory/2904-0-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe

MD5 b2739b7f6d1227761aefa9f256ed9970
SHA1 9c3868075147e7815c13008b8e837a387387fa05
SHA256 58676e386e9d85c29873f52a803cfff142d56820c9213ccf16c9de0170ace24d
SHA512 cb9beebf23cad6e45c83de7251dd3bc5f655e0b69ba22d4d5041c0541ad873d3d05a5c279a14452cb0f543f27f32cec34986128c4a37bdaba5bf2c9476c152a5

C:\Windows\system\msvbvm60.dll

MD5 5343a19c618bc515ceb1695586c6c137
SHA1 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA256 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe

MD5 f3d4477cc0b336f0f6a71dfbeefdf5ec
SHA1 b998524e2a55a4edf14da3c15f8a551b3c000ed3
SHA256 465db24909448ebd7f283e4edbf025ba626ea97d8cbf517d4dbe8906c24bcec0
SHA512 250e5650d29084e7a3c4a8806d62d46139f8f04eddbc29989665ae639f0f613b405e72cc0c56c6dc9b9897c315e4bf7f77eed55534adb3b101be6490bd9622cd

memory/2676-38-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2904-37-0x0000000000520000-0x000000000055B000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

MD5 d6b05020d4a0ec2a3a8b687099e335df
SHA1 df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA512 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe

MD5 3412bfc1bb9be1f9e3b405f1661b18a9
SHA1 6104c05904cd57bf36b593ce338f1499fe5ef0e8
SHA256 f8e5e7efb8a1dc2f4aae56ab917c6665607af13b225ac96bcfc1819ad47ad1a4
SHA512 753f095295e936c4a4267e853869eeff525b21b3ff3caf39e6846b6d5039a79805d67260528fb4a7240c791cb591088bec3f158c3e0be3031c1ba28c2d242e17

C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe

MD5 d68c0b7d15d2af8ace724b582cff672a
SHA1 5ba5d210d609677b4b86d326ccb939e6a3d74b56
SHA256 1139534ac62f937a0707e6200f953ed5e9098880845c569914238e614b69efca
SHA512 2e921ed66fc3f75916979e5c5559b2b0d3c37169a7b65d2bb64834de4315bb228669eb81bbfcd8b65c669039069daeb006ba686c664f4d8133571acb18a90b99

C:\Windows\SysWOW64\drivers\system32.exe

MD5 86bcafd8b4f12a22a7b333695f5aa11b
SHA1 0a3d3adb360bd5d3b7e5788177a6d2aa3cd2fd19
SHA256 97ccab657d668dbc8ef58f12b67daed7aaa0ad6de6c4fe67297a81fb1e26c3fe
SHA512 3da44e1ad0e0ca0c5123d954ab3181b1fa89b5c28d8873ce29baabf9062045c811cf52e940eb00c66b6f4e67777ea57dc1cce5222c1e24431b01dca2c2f153ab

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 c320553ec5a98b19f78407f41be8d36d
SHA1 7972634ac99a73684288dad4d1482bdeb6ba6b1c
SHA256 8a2608da871830ce2b799951d0d208b82edff3a989735869cc32d32a842ce95d
SHA512 a40f2a93cbc1693a7d2beeb06753c04d5536483ab8017549d194906eac9b5ce8920677b4d454931689085736a55e4ad709a93314341c2df04fce3e50a796dcd5

C:\Windows\SysWOW64\13-5-2024.exe

MD5 59f40d4fe51a2d2431780f1354a9bf51
SHA1 79eec2a7c212d8e7bad704e6899db6e991615d3c
SHA256 3ed047e89bfcc268666682dc6eef25949a060d936b415d82cf3b0fab2348a5b4
SHA512 bcfcf5adabdae58eab6fd597dbf163e9fbea0313a192ee05d3a08bcafd56f4382ab6ea631cc08875f227de1a4c4094b7749c3a72687e56da36a214af4e09cb08

memory/2676-75-0x00000000002E0000-0x000000000031B000-memory.dmp

memory/2664-80-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2488-89-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Windows\SysWOW64\drivers\system32.exe

MD5 c2c313a0141172ae5df5d991b0040bed
SHA1 f5a7c12b93f5cf409ee4977ecdac5add8bcde533
SHA256 7c45ca8df08566c135e30dc1ccb127868270f92381e2f0488221a464408fb3d1
SHA512 397ad7cd7a24a35739fa223af49ddc5eaabf0a9c7637802c41854483b41b8352ffcb0fe4976cc08f68ccc1a20af0f14329add378ee2c59ba93d8265de306ddde

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 af7c143227a33cec83212cde5ee7ac7c
SHA1 4e664c30655419af6272e5fc8bfd7902bc0aa621
SHA256 0c00311d49f0aceedd41e8598ef91848f2e2a2f7373a6cd40a99bcc14fe58aaa
SHA512 94a59d408be551f4f32b37ec98ca2880473f13f03aba4ee5973f1e09f2e9fc4e8794a66de32455ba1d547668f60a83dc92d45dac94825fbbd9c2273666c66caf

C:\Windows\SysWOW64\13-5-2024.exe

MD5 0207eec289123b5c7c4c6d23ba00c025
SHA1 a36fa3753817be724ad4d6e47a639e9f9cf1bb5b
SHA256 d08a100bdd7f577a41431481607943b884289daff678815e8efc71c387e4b1f8
SHA512 cd0740df6f6fbba200a3f89bac79353383d482d628ddde1dceaf04cd24e86ecb96a79a40182153d804157d2fe4248ea1bd94ddab47dd6a908ee9c016a650dc87

memory/1668-126-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2488-125-0x00000000003B0000-0x00000000003EB000-memory.dmp

memory/1668-129-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2488-132-0x00000000003B0000-0x00000000003EB000-memory.dmp

memory/2776-130-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2580-143-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe

MD5 fee973f247e0bbe12884a4c170da8fe9
SHA1 ccf46679479f365db8e7531d829fa3c94e97518f
SHA256 fcd90c5f37b6952bd3f2495a13370cf332df40eb3274c6940bc68a4dc648800e
SHA512 25c8a7be74e14d647bc6f711fe72523f06b79fb00f466b35d00b5d99588cac98c6ee8e5b110d8032cdcf652b185d29308a799647f800f98ccfec15b4e892d4a2

memory/2776-141-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\13-5-2024.exe

MD5 93dd72a68fe11cf07935171703ffc367
SHA1 65ed0be76d9e5f4bb0e0a1b6434e20e7e05b4419
SHA256 f719bb8ac9caac4dc9ce44e641391a3516d7826596146d7496f27ed367b0fd94
SHA512 525621923e5db1532fa72cc3efb6346504fd005977ee43c9ec74763c6f65484f342305a00da91fb76addd9da5a76aa34c45c4963d490ee6a5577cd960a70fc1e

memory/2580-171-0x00000000003B0000-0x00000000003EB000-memory.dmp

memory/1872-175-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2904-174-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1872-179-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2904-181-0x0000000000520000-0x000000000055B000-memory.dmp

memory/1284-189-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2276-188-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2676-187-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2276-192-0x0000000000400000-0x000000000043B000-memory.dmp

\Windows\SysWOW64\drivers\Kazekage.exe

MD5 eec64ee5175c599f800568f62ec93b00
SHA1 6046c5b9ae52821a00fdfb5e6dd4624c813534d5
SHA256 2421994bff990382f0b701ef31dca567aa1f4f9fe99d46c157504c079fc07f93
SHA512 7101761e2a51acb6ca8608470626e41cd4a4403c0d680fbc6b0fe0ed15d67eab832ed9beef3c4eb0bcedf5eec4dbb3cbce1bb0a4e72da85f0a33063f40012ebf

memory/2676-200-0x00000000002E0000-0x000000000031B000-memory.dmp

memory/2236-201-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Windows\SysWOW64\drivers\system32.exe

MD5 7987b40ff701218579f7328c096842dc
SHA1 b72ecb91bf49140d4801ade8c083c3d65fb1f77c
SHA256 2b9769f8a86c506afa83e2ace724b4149cb86ef1269387c4346bfbf462cddace
SHA512 6af04a6b414b7a8d4ecb557fe5eb6c2b202acb7742043c47a4867a937871a01b541be557aa95d61582c7c93e6ba673db3eb783f00254c6b599d4d7c71ac209b6

C:\Windows\msvbvm60.dll

MD5 0f5d2f66c4e06ebf95ac153f970c0b5a
SHA1 53de34a837cfeb95382c9c6ab709f08a2c76ccac
SHA256 5ef9079a0fd4feac911cfa17da29e339e1b7751772aced34a7edc04162df8918
SHA512 458c962ad4a13e7e3b23955c4195841b2046bd6acf78b51e4b9be62c43350bfa6057eb259d393495e65b07c631060d2d027a023165528b9c59fc9889c3fbe5b0

C:\Windows\system\msvbvm60.dll

MD5 890dbc51ba4bded354d352e815c29b79
SHA1 92c776bf6e9654b90846bb90674e33f71b4a5544
SHA256 8680cc3bad912183370aed028c5b4f210ba346b013105b2334476e17197583f3
SHA512 edc9fb5d22c228347394e593ec4950aee949bce5f7a055e1ba0e3c3ee64d1377e732e139025ffbd2bd2f22759ea100f2df325080dcd3d4220d1602b716ac9e96

memory/2236-224-0x0000000000390000-0x00000000003CB000-memory.dmp

memory/480-226-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2488-227-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2488-231-0x00000000003B0000-0x00000000003EB000-memory.dmp

memory/1112-230-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2236-236-0x0000000000390000-0x00000000003CB000-memory.dmp

memory/1088-235-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1488-234-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1088-240-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1868-245-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2580-244-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2304-260-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2312-263-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2236-264-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1648-267-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1684-270-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2236-271-0x0000000000390000-0x00000000003CB000-memory.dmp

memory/2192-274-0x0000000000400000-0x000000000043B000-memory.dmp

memory/668-278-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1868-277-0x0000000000400000-0x000000000043B000-memory.dmp

memory/668-279-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2404-282-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2488-285-0x00000000003B0000-0x00000000003EB000-memory.dmp

memory/2092-286-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2092-287-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2676-296-0x00000000002E0000-0x000000000031B000-memory.dmp

memory/2156-295-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1704-299-0x0000000000400000-0x000000000043B000-memory.dmp

memory/812-302-0x0000000000400000-0x000000000043B000-memory.dmp

memory/812-303-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2948-306-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2220-309-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1508-312-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2488-313-0x00000000003B0000-0x00000000003EB000-memory.dmp

memory/2676-314-0x00000000002E0000-0x000000000031B000-memory.dmp

C:\Autorun.inf

MD5 1564dfe69ffed40950e5cb644e0894d1
SHA1 201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256 be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA512 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

C:\Admin Games\Readme.txt

MD5 bb5d6abdf8d0948ac6895ce7fdfbc151
SHA1 9266b7a247a4685892197194d2b9b86c8f6dddbd
SHA256 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

C:\Windows\SysWOW64\Desktop.ini

MD5 64acfa7e03b01f48294cf30d201a0026
SHA1 10facd995b38a095f30b4a800fa454c0bcbf8438
SHA256 ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA512 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a
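
A few points in the Files list matter when turning it into indicators. The first csrss.exe entry carries MD5 b2739b7f6d1227761aefa9f256ed9970, the same digest that forms the sample's own file name, so that entry is the sample copying itself; the same path is then written again with different content, as are system32.exe, Kazekage.exe and 13-5-2024.exe, so a single hash per path is not a reliable indicator for this family. The second entry for C:\Windows\Fonts\The Kazekage.jpg has the MD5, SHA1, SHA256 and SHA512 of empty input, meaning the file was rewritten as zero bytes. Every memory dump region spans exactly 0x3B000 bytes, consistent with the same unpacked image in each process. The dropped msvbvm60.dll is the Visual Basic 6 runtime, and the folder name "Admin 13 - 5 - 2024" appears to combine the sandbox user name (the sample ran from C:\Users\Admin) with the detonation date, so path indicators containing it will not match on another host. The Python below is an added example rather than part of the report: it parses entries in this layout, derives the empty-input digests with hashlib instead of hard-coding them, and reports exactly those observations. The entries embedded in it are a subset copied from the list above (SHA512 lines left out only for brevity); the function names are the example's own.

```python
import hashlib
import re
from collections import defaultdict

# A subset of the Files list above: the three writes to csrss.exe, the two
# writes to The Kazekage.jpg and three memory-dump regions.
FILES_SECTION = r"""
memory/2904-0-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe

MD5 b2739b7f6d1227761aefa9f256ed9970
SHA1 9c3868075147e7815c13008b8e837a387387fa05
SHA256 58676e386e9d85c29873f52a803cfff142d56820c9213ccf16c9de0170ace24d

memory/2904-37-0x0000000000520000-0x000000000055B000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

MD5 d6b05020d4a0ec2a3a8b687099e335df
SHA1 df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a

C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe

MD5 d68c0b7d15d2af8ace724b582cff672a
SHA1 5ba5d210d609677b4b86d326ccb939e6a3d74b56
SHA256 1139534ac62f937a0707e6200f953ed5e9098880845c569914238e614b69efca

memory/2676-75-0x00000000002E0000-0x000000000031B000-memory.dmp

C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe

MD5 fee973f247e0bbe12884a4c170da8fe9
SHA1 ccf46679479f365db8e7531d829fa3c94e97518f
SHA256 fcd90c5f37b6952bd3f2495a13370cf332df40eb3274c6940bc68a4dc648800e

C:\Windows\Fonts\The Kazekage.jpg

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
MEM_LINE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# Digests of zero-byte input, computed rather than typed in.
EMPTY_DIGESTS = {alg: hashlib.new(alg.lower(), b"").hexdigest() for alg in ("MD5", "SHA1", "SHA256", "SHA512")}

def parse_files_section(text: str):
    """Return (file records, memory regions) from the report's Files layout."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_LINE.match(line)
        if m:
            start, end = int(m[3], 16), int(m[4], 16)
            regions.append({"pid": int(m[1]), "seq": int(m[2]), "start": start, "size": end - start})
            current = None
            continue
        h = HASH_LINE.match(line)
        if h:
            if current is None:
                raise ValueError(f"hash line without a preceding path: {line!r}")
            current[h[1]] = h[2]
            continue
        current = {"path": line}        # any other non-blank line starts a new entry
        files.append(current)
    return files, regions

def empty_files(files) -> list:
    """Paths whose recorded digests are those of a zero-byte file."""
    return [f["path"] for f in files if any(f.get(a) == d for a, d in EMPTY_DIGESTS.items())]

def contents_per_path(files) -> dict:
    out = defaultdict(set)
    for f in files:
        if "SHA256" in f:
            out[f["path"]].add(f["SHA256"])
    return dict(out)

def unstable_paths(files) -> list:
    """Paths written more than once with different content."""
    return sorted(p for p, digests in contents_per_path(files).items() if len(digests) > 1)

def copies_of(files, alg: str, digest: str) -> list:
    """Every path that received a file with the given digest."""
    return [f["path"] for f in files if f.get(alg) == digest]

def ioc_hashes(files) -> list:
    """Distinct SHA256 values worth keeping, with the empty-file digest dropped."""
    return sorted({f["SHA256"] for f in files if "SHA256" in f} - {EMPTY_DIGESTS["SHA256"]})

def region_sizes(regions) -> set:
    return {r["size"] for r in regions}
```

Feed the complete Files list to parse_files_section and unstable_paths will also return the system32.exe, Kazekage.exe and 13-5-2024.exe paths, each of which appears above with three different digests.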