e0d530ca82886916d05342cfc7546aa33f93d99ffc2ac0c79f64c10a8600d755

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 21:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
Size

148KB
MD5

1ce8afbfdcc164926ec336289a269040
SHA1

414f3f9bd023c8c5fb6c4151346b2b9d365b438f
SHA256

e0d530ca82886916d05342cfc7546aa33f93d99ffc2ac0c79f64c10a8600d755
SHA512

56897f751b972edc7e16a832595aad8ce696e5f3af958728e79e33b8ba44ea071c35238f745410271fe7ee79ae578055edd8479939bed219471419d037255a13
SSDEEP

1536:GJo0IHgL2AHfb1mzaFXg+xsukl4Y17jsgS/jHagQNuXGpeVTV:mx6AHjYzaFXg+w17jsgS/jHagQg19V

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Kazekage.exesystem32.exesmss.exeGaara.execsrss.exe1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe"	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe"	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe"	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe"	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe"	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe"	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe"	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe"	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe

Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

system32.exe1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exesmss.exeGaara.execsrss.exeKazekage.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	system32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Gaara.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Kazekage.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exesmss.exeGaara.execsrss.exeKazekage.exesystem32.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Gaara.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Kazekage.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	system32.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

smss.exeGaara.execsrss.exeKazekage.exesystem32.exe1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Gaara.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Kazekage.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	system32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe

Disables RegEdit via registry modification 6 IoCs

evasion

Processes:

1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exesmss.exeGaara.execsrss.exeKazekage.exesystem32.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Gaara.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Kazekage.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	system32.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Drops file in Drivers directory 24 IoCs

Processes:

system32.exeKazekage.exe1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exesmss.execsrss.exeGaara.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\Kazekage.exe	system32.exe
File created	C:\Windows\SysWOW64\drivers\system32.exe	Kazekage.exe
File opened for modification	C:\Windows\SysWOW64\drivers\system32.exe	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\system32.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\drivers\system32.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\drivers\system32.exe	Kazekage.exe
File opened for modification	C:\Windows\SysWOW64\drivers\system32.exe	system32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Kazekage.exe	smss.exe
File created	C:\Windows\SysWOW64\drivers\Kazekage.exe	Kazekage.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Kazekage.exe	Kazekage.exe
File created	C:\Windows\SysWOW64\drivers\system32.exe	system32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Kazekage.exe	csrss.exe
File created	C:\Windows\SysWOW64\drivers\system32.exe	smss.exe
File created	C:\Windows\SysWOW64\drivers\Kazekage.exe	Gaara.exe
File created	C:\Windows\SysWOW64\drivers\system32.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\drivers\system32.exe	Gaara.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Kazekage.exe	system32.exe
File created	C:\Windows\SysWOW64\drivers\Kazekage.exe	smss.exe
File created	C:\Windows\SysWOW64\drivers\system32.exe	Gaara.exe
File created	C:\Windows\SysWOW64\drivers\Kazekage.exe	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Kazekage.exe	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\system32.exe	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Kazekage.exe	Gaara.exe
File created	C:\Windows\SysWOW64\drivers\Kazekage.exe	csrss.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

smss.execsrss.exe1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exesystem32.exeKazekage.exeGaara.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del"	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe"	Kazekage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del"	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe"	system32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	Gaara.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	Gaara.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del"	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del"	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe"	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe	Kazekage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe"	Gaara.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	Kazekage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del"	Gaara.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del"	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe"	Gaara.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del"	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del"	system32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe	system32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	system32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del"	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe"	system32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del"	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe	Gaara.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	Gaara.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe	Kazekage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del"	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe"	Gaara.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del"	smss.exe

Executes dropped EXE 30 IoCs

Processes:

smss.exesmss.exeGaara.exesmss.exeGaara.execsrss.exesmss.exeGaara.execsrss.exeKazekage.exesmss.exeGaara.execsrss.exeKazekage.exesystem32.exesmss.exeGaara.execsrss.exeKazekage.exesystem32.exesystem32.exeKazekage.exesystem32.execsrss.exeKazekage.exesystem32.exeGaara.execsrss.exeKazekage.exesystem32.exe

pid	process
2724	smss.exe
2740	smss.exe
2540	Gaara.exe
2988	smss.exe
1396	Gaara.exe
2316	csrss.exe
1252	smss.exe
1664	Gaara.exe
1760	csrss.exe
1620	Kazekage.exe
332	smss.exe
560	Gaara.exe
708	csrss.exe
580	Kazekage.exe
1860	system32.exe
2480	smss.exe
2392	Gaara.exe
828	csrss.exe
1340	Kazekage.exe
1768	system32.exe
1948	system32.exe
772	Kazekage.exe
1296	system32.exe
1932	csrss.exe
2948	Kazekage.exe
1512	system32.exe
784	Gaara.exe
2416	csrss.exe
468	Kazekage.exe
888	system32.exe

Loads dropped DLL 63 IoCs

Processes:

pid	process
2228	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
2228	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
2724	smss.exe
2724	smss.exe
2740	smss.exe
2724	smss.exe
2724	smss.exe
2540	Gaara.exe
2540	Gaara.exe
2540	Gaara.exe
2988	smss.exe
2540	Gaara.exe
1396	Gaara.exe
2540	Gaara.exe
2540	Gaara.exe
2316	csrss.exe
2316	csrss.exe
1252	smss.exe
2316	csrss.exe
1664	Gaara.exe
1760	csrss.exe
2316	csrss.exe
2316	csrss.exe
1620	Kazekage.exe
332	smss.exe
1620	Kazekage.exe
560	Gaara.exe
1620	Kazekage.exe
708	csrss.exe
1620	Kazekage.exe
1620	Kazekage.exe
1620	Kazekage.exe
1620	Kazekage.exe
1860	system32.exe
2480	smss.exe
1860	system32.exe
2392	Gaara.exe
1860	system32.exe
828	csrss.exe
1860	system32.exe
1860	system32.exe
1860	system32.exe
1860	system32.exe
2316	csrss.exe
2316	csrss.exe
2540	Gaara.exe
2540	Gaara.exe
2540	Gaara.exe
2540	Gaara.exe
2724	smss.exe
1932	csrss.exe
2724	smss.exe
2724	smss.exe
2724	smss.exe
2724	smss.exe
2228	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
784	Gaara.exe
2228	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
2416	csrss.exe
2228	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
2228	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
2228	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
2228	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

csrss.exesystem32.exeKazekage.exe1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exesmss.exeGaara.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 24 - 5 - 2024\\Gaara.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "24-5-2024.exe"	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 24 - 5 - 2024\\smss.exe"	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "24-5-2024.exe"	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 24 - 5 - 2024\\smss.exe"	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "24-5-2024.exe"	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "24-5-2024.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 24 - 5 - 2024\\smss.exe"	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 24 - 5 - 2024\\Gaara.exe"	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe"	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 24 - 5 - 2024\\smss.exe"	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 24 - 5 - 2024\\Gaara.exe"	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe"	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "24-5-2024.exe"	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe"	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 24 - 5 - 2024\\Gaara.exe"	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 24 - 5 - 2024\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 24 - 5 - 2024\\Gaara.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 24 - 5 - 2024\\smss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "24-5-2024.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 24 - 5 - 2024\\Gaara.exe"	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe"	Kazekage.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exesmss.exeGaara.execsrss.exeKazekage.exesystem32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Gaara.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Kazekage.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	system32.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

csrss.exeKazekage.exe1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exesmss.exeGaara.exesystem32.exe

description	ioc	process
File opened for modification	\??\V:\Desktop.ini	csrss.exe
File opened for modification	\??\Z:\Desktop.ini	csrss.exe
File opened for modification	F:\Desktop.ini	Kazekage.exe
File opened for modification	\??\H:\Desktop.ini	Kazekage.exe
File opened for modification	\??\H:\Desktop.ini	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File opened for modification	\??\H:\Desktop.ini	smss.exe
File opened for modification	\??\W:\Desktop.ini	Gaara.exe
File opened for modification	\??\L:\Desktop.ini	csrss.exe
File opened for modification	\??\V:\Desktop.ini	Gaara.exe
File opened for modification	\??\X:\Desktop.ini	csrss.exe
File opened for modification	\??\N:\Desktop.ini	Kazekage.exe
File opened for modification	\??\X:\Desktop.ini	system32.exe
File opened for modification	C:\Desktop.ini	csrss.exe
File opened for modification	\??\E:\Desktop.ini	csrss.exe
File opened for modification	\??\I:\Desktop.ini	csrss.exe
File opened for modification	\??\G:\Desktop.ini	system32.exe
File opened for modification	\??\B:\Desktop.ini	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File opened for modification	\??\R:\Desktop.ini	Gaara.exe
File opened for modification	\??\S:\Desktop.ini	Gaara.exe
File opened for modification	\??\N:\Desktop.ini	system32.exe
File opened for modification	\??\V:\Desktop.ini	system32.exe
File opened for modification	\??\W:\Desktop.ini	system32.exe
File opened for modification	\??\J:\Desktop.ini	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File opened for modification	\??\B:\Desktop.ini	Gaara.exe
File opened for modification	\??\Z:\Desktop.ini	Gaara.exe
File opened for modification	\??\H:\Desktop.ini	system32.exe
File opened for modification	F:\Desktop.ini	smss.exe
File opened for modification	\??\Y:\Desktop.ini	smss.exe
File opened for modification	\??\P:\Desktop.ini	system32.exe
File opened for modification	\??\P:\Desktop.ini	Gaara.exe
File opened for modification	\??\Y:\Desktop.ini	Gaara.exe
File opened for modification	\??\B:\Desktop.ini	csrss.exe
File opened for modification	\??\J:\Desktop.ini	csrss.exe
File opened for modification	\??\W:\Desktop.ini	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File opened for modification	\??\Y:\Desktop.ini	csrss.exe
File opened for modification	D:\Desktop.ini	Kazekage.exe
File opened for modification	\??\I:\Desktop.ini	Kazekage.exe
File opened for modification	\??\I:\Desktop.ini	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File opened for modification	\??\M:\Desktop.ini	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File opened for modification	\??\N:\Desktop.ini	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File opened for modification	\??\T:\Desktop.ini	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File opened for modification	\??\U:\Desktop.ini	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File opened for modification	C:\Desktop.ini	Kazekage.exe
File opened for modification	\??\Y:\Desktop.ini	Kazekage.exe
File opened for modification	\??\Y:\Desktop.ini	system32.exe
File opened for modification	\??\R:\Desktop.ini	Kazekage.exe
File opened for modification	\??\B:\Desktop.ini	system32.exe
File opened for modification	D:\Desktop.ini	system32.exe
File opened for modification	\??\S:\Desktop.ini	system32.exe
File opened for modification	\??\G:\Desktop.ini	smss.exe
File opened for modification	\??\K:\Desktop.ini	smss.exe
File opened for modification	\??\L:\Desktop.ini	Gaara.exe
File opened for modification	\??\M:\Desktop.ini	Kazekage.exe
File opened for modification	\??\T:\Desktop.ini	system32.exe
File opened for modification	\??\V:\Desktop.ini	smss.exe
File opened for modification	\??\M:\Desktop.ini	Gaara.exe
File opened for modification	\??\O:\Desktop.ini	Kazekage.exe
File opened for modification	D:\Desktop.ini	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File opened for modification	\??\E:\Desktop.ini	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File opened for modification	C:\Desktop.ini	smss.exe
File opened for modification	\??\Y:\Desktop.ini	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File opened for modification	D:\Desktop.ini	csrss.exe
File opened for modification	\??\G:\Desktop.ini	csrss.exe
File opened for modification	\??\H:\Desktop.ini	csrss.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

system32.exeGaara.exeKazekage.exesmss.execsrss.exe1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe

description	ioc	process
File opened (read-only)	\??\G:	system32.exe
File opened (read-only)	\??\I:	system32.exe
File opened (read-only)	\??\I:	Gaara.exe
File opened (read-only)	\??\I:	Kazekage.exe
File opened (read-only)	\??\V:	Kazekage.exe
File opened (read-only)	\??\T:	system32.exe
File opened (read-only)	\??\I:	smss.exe
File opened (read-only)	\??\P:	system32.exe
File opened (read-only)	\??\R:	system32.exe
File opened (read-only)	\??\U:	csrss.exe
File opened (read-only)	\??\O:	system32.exe
File opened (read-only)	\??\Q:	system32.exe
File opened (read-only)	\??\B:	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File opened (read-only)	\??\Z:	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File opened (read-only)	\??\B:	csrss.exe
File opened (read-only)	\??\X:	Gaara.exe
File opened (read-only)	\??\M:	csrss.exe
File opened (read-only)	\??\S:	csrss.exe
File opened (read-only)	\??\O:	Kazekage.exe
File opened (read-only)	\??\M:	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File opened (read-only)	\??\L:	Gaara.exe
File opened (read-only)	\??\R:	Gaara.exe
File opened (read-only)	\??\O:	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File opened (read-only)	\??\N:	smss.exe
File opened (read-only)	\??\T:	smss.exe
File opened (read-only)	\??\O:	Gaara.exe
File opened (read-only)	\??\V:	Gaara.exe
File opened (read-only)	\??\K:	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File opened (read-only)	\??\G:	smss.exe
File opened (read-only)	\??\Q:	smss.exe
File opened (read-only)	\??\M:	Kazekage.exe
File opened (read-only)	\??\W:	smss.exe
File opened (read-only)	\??\A:	Gaara.exe
File opened (read-only)	\??\N:	csrss.exe
File opened (read-only)	\??\S:	Gaara.exe
File opened (read-only)	\??\Y:	Gaara.exe
File opened (read-only)	\??\R:	Kazekage.exe
File opened (read-only)	\??\Y:	Kazekage.exe
File opened (read-only)	\??\K:	system32.exe
File opened (read-only)	\??\I:	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File opened (read-only)	\??\Y:	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File opened (read-only)	\??\J:	Gaara.exe
File opened (read-only)	\??\N:	system32.exe
File opened (read-only)	\??\V:	system32.exe
File opened (read-only)	\??\H:	smss.exe
File opened (read-only)	\??\N:	Gaara.exe
File opened (read-only)	\??\N:	Kazekage.exe
File opened (read-only)	\??\L:	csrss.exe
File opened (read-only)	\??\A:	system32.exe
File opened (read-only)	\??\Z:	Kazekage.exe
File opened (read-only)	\??\L:	smss.exe
File opened (read-only)	\??\K:	Gaara.exe
File opened (read-only)	\??\K:	csrss.exe
File opened (read-only)	\??\N:	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File opened (read-only)	\??\A:	Kazekage.exe
File opened (read-only)	\??\T:	Kazekage.exe
File opened (read-only)	\??\U:	system32.exe
File opened (read-only)	\??\I:	csrss.exe
File opened (read-only)	\??\X:	system32.exe
File opened (read-only)	\??\Q:	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File opened (read-only)	\??\S:	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File opened (read-only)	\??\B:	Gaara.exe
File opened (read-only)	\??\U:	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File opened (read-only)	\??\L:	system32.exe

Drops autorun.inf file 1 TTPs 64 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

system32.exe1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exeKazekage.exeGaara.execsrss.exesmss.exe

description	ioc	process
File opened for modification	\??\L:\Autorun.inf	system32.exe
File opened for modification	\??\M:\Autorun.inf	system32.exe
File created	\??\J:\Autorun.inf	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File created	\??\T:\Autorun.inf	Kazekage.exe
File created	\??\Z:\Autorun.inf	Kazekage.exe
File opened for modification	\??\T:\Autorun.inf	Gaara.exe
File opened for modification	\??\G:\Autorun.inf	Gaara.exe
File opened for modification	\??\H:\Autorun.inf	Gaara.exe
File created	\??\L:\Autorun.inf	csrss.exe
File opened for modification	\??\O:\Autorun.inf	csrss.exe
File opened for modification	\??\R:\Autorun.inf	csrss.exe
File opened for modification	\??\E:\Autorun.inf	system32.exe
File opened for modification	\??\T:\Autorun.inf	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File opened for modification	\??\A:\Autorun.inf	smss.exe
File opened for modification	\??\T:\Autorun.inf	Kazekage.exe
File created	\??\U:\Autorun.inf	Gaara.exe
File created	\??\V:\Autorun.inf	Gaara.exe
File opened for modification	\??\X:\Autorun.inf	csrss.exe
File created	\??\Q:\Autorun.inf	system32.exe
File created	\??\V:\Autorun.inf	Kazekage.exe
File opened for modification	D:\Autorun.inf	Gaara.exe
File opened for modification	\??\V:\Autorun.inf	Gaara.exe
File created	\??\X:\Autorun.inf	csrss.exe
File opened for modification	\??\B:\Autorun.inf	system32.exe
File created	\??\B:\Autorun.inf	system32.exe
File opened for modification	F:\Autorun.inf	system32.exe
File opened for modification	\??\U:\Autorun.inf	Kazekage.exe
File created	\??\X:\Autorun.inf	Kazekage.exe
File opened for modification	\??\J:\Autorun.inf	smss.exe
File opened for modification	\??\A:\Autorun.inf	Gaara.exe
File created	\??\I:\Autorun.inf	Gaara.exe
File opened for modification	D:\Autorun.inf	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File created	\??\Y:\Autorun.inf	smss.exe
File opened for modification	\??\M:\Autorun.inf	Gaara.exe
File opened for modification	\??\H:\Autorun.inf	csrss.exe
File opened for modification	F:\Autorun.inf	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File created	\??\P:\Autorun.inf	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File created	\??\P:\Autorun.inf	Kazekage.exe
File opened for modification	\??\X:\Autorun.inf	Kazekage.exe
File opened for modification	\??\B:\Autorun.inf	smss.exe
File created	\??\Z:\Autorun.inf	smss.exe
File created	\??\A:\Autorun.inf	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File created	\??\G:\Autorun.inf	Kazekage.exe
File created	\??\S:\Autorun.inf	Kazekage.exe
File created	F:\Autorun.inf	smss.exe
File opened for modification	\??\G:\Autorun.inf	csrss.exe
File opened for modification	\??\Q:\Autorun.inf	system32.exe
File opened for modification	\??\Q:\Autorun.inf	Gaara.exe
File created	\??\A:\Autorun.inf	system32.exe
File opened for modification	\??\I:\Autorun.inf	smss.exe
File created	\??\S:\Autorun.inf	Gaara.exe
File opened for modification	\??\X:\Autorun.inf	Gaara.exe
File created	\??\V:\Autorun.inf	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File opened for modification	\??\X:\Autorun.inf	smss.exe
File created	\??\X:\Autorun.inf	smss.exe
File created	\??\M:\Autorun.inf	Gaara.exe
File opened for modification	\??\S:\Autorun.inf	Gaara.exe
File created	\??\T:\Autorun.inf	Gaara.exe
File opened for modification	\??\K:\Autorun.inf	system32.exe
File created	\??\H:\Autorun.inf	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File created	\??\A:\Autorun.inf	smss.exe
File created	\??\Z:\Autorun.inf	csrss.exe
File created	\??\U:\Autorun.inf	system32.exe
File opened for modification	\??\Q:\Autorun.inf	csrss.exe

Drops file in System32 directory 38 IoCs

Processes:

1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exeGaara.execsrss.exeKazekage.exesmss.exesystem32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\24-5-2024.exe	Gaara.exe
File opened for modification	C:\Windows\SysWOW64\mscomctl.ocx	Gaara.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	csrss.exe
File created	C:\Windows\SysWOW64\24-5-2024.exe	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Kazekage.exe
File opened for modification	C:\Windows\SysWOW64\Desktop.ini	smss.exe
File opened for modification	C:\Windows\SysWOW64\Desktop.ini	Kazekage.exe
File opened for modification	C:\Windows\SysWOW64\24-5-2024.exe	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\24-5-2024.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\24-5-2024.exe	Kazekage.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	system32.exe
File opened for modification	C:\Windows\SysWOW64\mscomctl.ocx	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	smss.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Gaara.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	csrss.exe
File opened for modification	C:\Windows\SysWOW64\	csrss.exe
File opened for modification	C:\Windows\SysWOW64\	smss.exe
File opened for modification	C:\Windows\SysWOW64\Desktop.ini	Gaara.exe
File opened for modification	C:\Windows\SysWOW64\	Gaara.exe
File opened for modification	C:\Windows\SysWOW64\	system32.exe
File opened for modification	C:\Windows\SysWOW64\Desktop.ini	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Gaara.exe
File opened for modification	C:\Windows\SysWOW64\mscomctl.ocx	csrss.exe
File opened for modification	C:\Windows\SysWOW64\mscomctl.ocx	system32.exe
File opened for modification	C:\Windows\SysWOW64\mscomctl.ocx	Kazekage.exe
File opened for modification	C:\Windows\SysWOW64\	Kazekage.exe
File opened for modification	C:\Windows\SysWOW64\24-5-2024.exe	smss.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Kazekage.exe
File opened for modification	C:\Windows\SysWOW64\Desktop.ini	csrss.exe
File opened for modification	C:\Windows\SysWOW64\Desktop.ini	system32.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	system32.exe
File opened for modification	C:\Windows\SysWOW64\24-5-2024.exe	system32.exe
File created	C:\Windows\SysWOW64\Desktop.ini	smss.exe
File opened for modification	C:\Windows\SysWOW64\mscomctl.ocx	smss.exe

Sets desktop wallpaper using registry 2 TTPs 6 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Gaara.execsrss.exeKazekage.exesystem32.exe1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exesmss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	smss.exe

Drops file in Windows directory 64 IoCs

Processes:

system32.exeGaara.exe1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exesmss.execsrss.exeKazekage.exe

description	ioc	process
File opened for modification	C:\Windows\Fonts\Admin 24 - 5 - 2024\Gaara.exe	system32.exe
File opened for modification	C:\Windows\mscomctl.ocx	Gaara.exe
File opened for modification	C:\Windows\Fonts\Admin 24 - 5 - 2024\smss.exe	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File opened for modification	C:\Windows\Fonts\Admin 24 - 5 - 2024\csrss.exe	smss.exe
File created	C:\Windows\Fonts\Admin 24 - 5 - 2024\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\Fonts\Admin 24 - 5 - 2024\smss.exe	csrss.exe
File created	C:\Windows\WBEM\msvbvm60.dll	Kazekage.exe
File opened for modification	C:\Windows\Fonts\Admin 24 - 5 - 2024\smss.exe	system32.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	system32.exe
File opened for modification	C:\Windows\system\mscoree.dll	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File opened for modification	C:\Windows\Fonts\Admin 24 - 5 - 2024\msvbvm60.dll	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File created	C:\Windows\Fonts\Admin 24 - 5 - 2024\smss.exe	smss.exe
File created	C:\Windows\Fonts\Admin 24 - 5 - 2024\smss.exe	Kazekage.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	Kazekage.exe
File created	C:\Windows\mscomctl.ocx	smss.exe
File opened for modification	C:\Windows\	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File opened for modification	C:\Windows\Fonts\Admin 24 - 5 - 2024\csrss.exe	Kazekage.exe
File opened for modification	C:\Windows\	Kazekage.exe
File created	C:\Windows\Fonts\Admin 24 - 5 - 2024\Gaara.exe	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File created	C:\Windows\Fonts\Admin 24 - 5 - 2024\msvbvm60.dll	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File opened for modification	C:\Windows\system\mscoree.dll	smss.exe
File opened for modification	C:\Windows\Fonts\The Kazekage.jpg	Kazekage.exe
File created	C:\Windows\Fonts\Admin 24 - 5 - 2024\Gaara.exe	Kazekage.exe
File opened for modification	C:\Windows\mscomctl.ocx	csrss.exe
File created	C:\Windows\Fonts\Admin 24 - 5 - 2024\csrss.exe	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File opened for modification	C:\Windows\Fonts\Admin 24 - 5 - 2024\smss.exe	Gaara.exe
File opened for modification	C:\Windows\msvbvm60.dll	Gaara.exe
File created	C:\Windows\Fonts\Admin 24 - 5 - 2024\Gaara.exe	system32.exe
File created	C:\Windows\Fonts\Admin 24 - 5 - 2024\csrss.exe	smss.exe
File opened for modification	C:\Windows\system\mscoree.dll	csrss.exe
File opened for modification	C:\Windows\Fonts\Admin 24 - 5 - 2024\smss.exe	smss.exe
File opened for modification	C:\Windows\Fonts\Admin 24 - 5 - 2024\Gaara.exe	csrss.exe
File opened for modification	C:\Windows\mscomctl.ocx	Kazekage.exe
File opened for modification	C:\Windows\Fonts\The Kazekage.jpg	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File opened for modification	C:\Windows\Fonts\Admin 24 - 5 - 2024\csrss.exe	Gaara.exe
File opened for modification	C:\Windows\msvbvm60.dll	csrss.exe
File opened for modification	C:\Windows\Fonts\Admin 24 - 5 - 2024\csrss.exe	system32.exe
File opened for modification	C:\Windows\	system32.exe
File opened for modification	C:\Windows\	smss.exe
File created	C:\Windows\WBEM\msvbvm60.dll	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File opened for modification	C:\Windows\Fonts\The Kazekage.jpg	smss.exe
File opened for modification	C:\Windows\msvbvm60.dll	smss.exe
File created	C:\Windows\Fonts\Admin 24 - 5 - 2024\Gaara.exe	smss.exe
File opened for modification	C:\Windows\mscomctl.ocx	smss.exe
File created	C:\Windows\WBEM\msvbvm60.dll	system32.exe
File opened for modification	C:\Windows\mscomctl.ocx	system32.exe
File opened for modification	C:\Windows\mscomctl.ocx	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File opened for modification	C:\Windows\Fonts\The Kazekage.jpg	Gaara.exe
File created	C:\Windows\Fonts\Admin 24 - 5 - 2024\msvbvm60.dll	Gaara.exe
File created	C:\Windows\WBEM\msvbvm60.dll	Gaara.exe
File created	C:\Windows\Fonts\Admin 24 - 5 - 2024\msvbvm60.dll	csrss.exe
File opened for modification	C:\Windows\system\mscoree.dll	Kazekage.exe
File created	C:\Windows\Fonts\Admin 24 - 5 - 2024\Gaara.exe	csrss.exe
File opened for modification	C:\Windows\msvbvm60.dll	Kazekage.exe
File opened for modification	C:\Windows\msvbvm60.dll	system32.exe
File created	C:\Windows\Fonts\The Kazekage.jpg	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File opened for modification	C:\Windows\msvbvm60.dll	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File created	C:\Windows\Fonts\Admin 24 - 5 - 2024\Gaara.exe	Gaara.exe
File opened for modification	C:\Windows\Fonts\The Kazekage.jpg	csrss.exe
File created	C:\Windows\Fonts\Admin 24 - 5 - 2024\smss.exe	csrss.exe
File opened for modification	C:\Windows\Fonts\Admin 24 - 5 - 2024\Gaara.exe	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
File created	C:\Windows\Fonts\Admin 24 - 5 - 2024\msvbvm60.dll	Kazekage.exe
File created	C:\Windows\Fonts\Admin 24 - 5 - 2024\smss.exe	system32.exe

Modifies Control Panel 64 IoCs

evasion

Processes:

Kazekage.exesystem32.exesmss.exeGaara.execsrss.exe1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\Size = "72"	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\Speed = "4"	system32.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC"	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0"	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\Size = "72"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )"	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1"	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr"	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\Speed = "4"	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\Size = "72"	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr"	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\WallpaperStyle = "2"	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg"	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\Size = "72"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg"	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400"	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg"	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400"	system32.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )"	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400"	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0"	system32.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0"	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0"	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1"	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400"	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1"	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )"	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\Speed = "4"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400"	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\Speed = "4"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr"	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\WallpaperStyle = "2"	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\Speed = "4"	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC"	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1"	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg"	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0"	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0"	Kazekage.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )"	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC"	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\Size = "72"	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\Size = "72"	Gaara.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\Speed = "4"	Kazekage.exe

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

Processes:

smss.exeGaara.execsrss.exeKazekage.exesystem32.exe1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	Gaara.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!"	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	Kazekage.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!"	system32.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!"	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!"	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!"	Kazekage.exe

Modifies registry class 48 IoCs

Processes:

csrss.exe1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exeGaara.exesmss.exeKazekage.exesystem32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe"	Gaara.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe"	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe"	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe"	Kazekage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command	Kazekage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe"	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0"	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe"	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0"	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe"	Gaara.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe"	Kazekage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0"	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe"	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe"	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0"	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command	system32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command	system32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command	system32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command	Gaara.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command	Kazekage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command	Kazekage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe"	Gaara.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe"	system32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command	system32.exe

Runs ping.exe 1 TTPs 32 IoCs

Remote System Discovery

T1018

Processes:

ping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exe

pid	process
2932	ping.exe
2172	ping.exe
1436	ping.exe
1972	ping.exe
2928	ping.exe
1920	ping.exe
1636	ping.exe
2668	ping.exe
2880	ping.exe
1484	ping.exe
1644	ping.exe
3028	ping.exe
1940	ping.exe
3048	ping.exe
2516	ping.exe
2620	ping.exe
1996	ping.exe
1964	ping.exe
536	ping.exe
2872	ping.exe
2852	ping.exe
888	ping.exe
2624	ping.exe
2992	ping.exe
2252	ping.exe
708	ping.exe
900	ping.exe
2372	ping.exe
2508	ping.exe
892	ping.exe
2828	ping.exe
2384	ping.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exesmss.exeGaara.execsrss.exeKazekage.exesystem32.exe

pid	process
2228	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
2228	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
2228	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
2228	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
2228	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
2228	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
2228	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
2228	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
2228	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
2228	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
2228	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
2228	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
2724	smss.exe
2724	smss.exe
2724	smss.exe
2724	smss.exe
2724	smss.exe
2724	smss.exe
2724	smss.exe
2724	smss.exe
2724	smss.exe
2724	smss.exe
2724	smss.exe
2724	smss.exe
2540	Gaara.exe
2540	Gaara.exe
2540	Gaara.exe
2540	Gaara.exe
2540	Gaara.exe
2540	Gaara.exe
2540	Gaara.exe
2540	Gaara.exe
2540	Gaara.exe
2540	Gaara.exe
2540	Gaara.exe
2540	Gaara.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe
1620	Kazekage.exe
1620	Kazekage.exe
1620	Kazekage.exe
1620	Kazekage.exe
1620	Kazekage.exe
1620	Kazekage.exe
1620	Kazekage.exe
1620	Kazekage.exe
1620	Kazekage.exe
1620	Kazekage.exe
1620	Kazekage.exe
1620	Kazekage.exe
1860	system32.exe
1860	system32.exe
1860	system32.exe
1860	system32.exe

Suspicious use of SetWindowsHookEx 31 IoCs

Processes:

1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exesmss.exesmss.exeGaara.exesmss.exeGaara.execsrss.exesmss.exeGaara.execsrss.exeKazekage.exesmss.exeGaara.execsrss.exeKazekage.exesystem32.exesmss.exeGaara.execsrss.exeKazekage.exesystem32.exesystem32.exeKazekage.exesystem32.execsrss.exeKazekage.exesystem32.exeGaara.execsrss.exeKazekage.exesystem32.exe

pid	process
2228	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
2724	smss.exe
2740	smss.exe
2540	Gaara.exe
2988	smss.exe
1396	Gaara.exe
2316	csrss.exe
1252	smss.exe
1664	Gaara.exe
1760	csrss.exe
1620	Kazekage.exe
332	smss.exe
560	Gaara.exe
708	csrss.exe
580	Kazekage.exe
1860	system32.exe
2480	smss.exe
2392	Gaara.exe
828	csrss.exe
1340	Kazekage.exe
1768	system32.exe
1948	system32.exe
772	Kazekage.exe
1296	system32.exe
1932	csrss.exe
2948	Kazekage.exe
1512	system32.exe
784	Gaara.exe
2416	csrss.exe
468	Kazekage.exe
888	system32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exesmss.exeGaara.execsrss.exeKazekage.exesystem32.exe

description	pid	process	target process
PID 2228 wrote to memory of 2724	2228	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe	smss.exe
PID 2228 wrote to memory of 2724	2228	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe	smss.exe
PID 2228 wrote to memory of 2724	2228	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe	smss.exe
PID 2228 wrote to memory of 2724	2228	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe	smss.exe
PID 2724 wrote to memory of 2740	2724	smss.exe	smss.exe
PID 2724 wrote to memory of 2740	2724	smss.exe	smss.exe
PID 2724 wrote to memory of 2740	2724	smss.exe	smss.exe
PID 2724 wrote to memory of 2740	2724	smss.exe	smss.exe
PID 2724 wrote to memory of 2540	2724	smss.exe	Gaara.exe
PID 2724 wrote to memory of 2540	2724	smss.exe	Gaara.exe
PID 2724 wrote to memory of 2540	2724	smss.exe	Gaara.exe
PID 2724 wrote to memory of 2540	2724	smss.exe	Gaara.exe
PID 2540 wrote to memory of 2988	2540	Gaara.exe	smss.exe
PID 2540 wrote to memory of 2988	2540	Gaara.exe	smss.exe
PID 2540 wrote to memory of 2988	2540	Gaara.exe	smss.exe
PID 2540 wrote to memory of 2988	2540	Gaara.exe	smss.exe
PID 2540 wrote to memory of 1396	2540	Gaara.exe	Gaara.exe
PID 2540 wrote to memory of 1396	2540	Gaara.exe	Gaara.exe
PID 2540 wrote to memory of 1396	2540	Gaara.exe	Gaara.exe
PID 2540 wrote to memory of 1396	2540	Gaara.exe	Gaara.exe
PID 2540 wrote to memory of 2316	2540	Gaara.exe	csrss.exe
PID 2540 wrote to memory of 2316	2540	Gaara.exe	csrss.exe
PID 2540 wrote to memory of 2316	2540	Gaara.exe	csrss.exe
PID 2540 wrote to memory of 2316	2540	Gaara.exe	csrss.exe
PID 2316 wrote to memory of 1252	2316	csrss.exe	smss.exe
PID 2316 wrote to memory of 1252	2316	csrss.exe	smss.exe
PID 2316 wrote to memory of 1252	2316	csrss.exe	smss.exe
PID 2316 wrote to memory of 1252	2316	csrss.exe	smss.exe
PID 2316 wrote to memory of 1664	2316	csrss.exe	Gaara.exe
PID 2316 wrote to memory of 1664	2316	csrss.exe	Gaara.exe
PID 2316 wrote to memory of 1664	2316	csrss.exe	Gaara.exe
PID 2316 wrote to memory of 1664	2316	csrss.exe	Gaara.exe
PID 2316 wrote to memory of 1760	2316	csrss.exe	csrss.exe
PID 2316 wrote to memory of 1760	2316	csrss.exe	csrss.exe
PID 2316 wrote to memory of 1760	2316	csrss.exe	csrss.exe
PID 2316 wrote to memory of 1760	2316	csrss.exe	csrss.exe
PID 2316 wrote to memory of 1620	2316	csrss.exe	Kazekage.exe
PID 2316 wrote to memory of 1620	2316	csrss.exe	Kazekage.exe
PID 2316 wrote to memory of 1620	2316	csrss.exe	Kazekage.exe
PID 2316 wrote to memory of 1620	2316	csrss.exe	Kazekage.exe
PID 1620 wrote to memory of 332	1620	Kazekage.exe	smss.exe
PID 1620 wrote to memory of 332	1620	Kazekage.exe	smss.exe
PID 1620 wrote to memory of 332	1620	Kazekage.exe	smss.exe
PID 1620 wrote to memory of 332	1620	Kazekage.exe	smss.exe
PID 1620 wrote to memory of 560	1620	Kazekage.exe	Gaara.exe
PID 1620 wrote to memory of 560	1620	Kazekage.exe	Gaara.exe
PID 1620 wrote to memory of 560	1620	Kazekage.exe	Gaara.exe
PID 1620 wrote to memory of 560	1620	Kazekage.exe	Gaara.exe
PID 1620 wrote to memory of 708	1620	Kazekage.exe	csrss.exe
PID 1620 wrote to memory of 708	1620	Kazekage.exe	csrss.exe
PID 1620 wrote to memory of 708	1620	Kazekage.exe	csrss.exe
PID 1620 wrote to memory of 708	1620	Kazekage.exe	csrss.exe
PID 1620 wrote to memory of 580	1620	Kazekage.exe	Kazekage.exe
PID 1620 wrote to memory of 580	1620	Kazekage.exe	Kazekage.exe
PID 1620 wrote to memory of 580	1620	Kazekage.exe	Kazekage.exe
PID 1620 wrote to memory of 580	1620	Kazekage.exe	Kazekage.exe
PID 1620 wrote to memory of 1860	1620	Kazekage.exe	system32.exe
PID 1620 wrote to memory of 1860	1620	Kazekage.exe	system32.exe
PID 1620 wrote to memory of 1860	1620	Kazekage.exe	system32.exe
PID 1620 wrote to memory of 1860	1620	Kazekage.exe	system32.exe
PID 1860 wrote to memory of 2480	1860	system32.exe	smss.exe
PID 1860 wrote to memory of 2480	1860	system32.exe	smss.exe
PID 1860 wrote to memory of 2480	1860	system32.exe	smss.exe
PID 1860 wrote to memory of 2480	1860	system32.exe	smss.exe

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

Processes:

Kazekage.exesystem32.exe1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exeGaara.execsrss.exesmss.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Kazekage.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	system32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Gaara.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Kazekage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	system32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Gaara.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

C:\Users\Admin\AppData\Local\Temp\1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1ce8afbfdcc164926ec336289a269040_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2228

C:\Windows\Fonts\Admin 24 - 5 - 2024\smss.exe
"C:\Windows\Fonts\Admin 24 - 5 - 2024\smss.exe"
2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2724

C:\Windows\Fonts\Admin 24 - 5 - 2024\smss.exe
"C:\Windows\Fonts\Admin 24 - 5 - 2024\smss.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2740

C:\Windows\Fonts\Admin 24 - 5 - 2024\Gaara.exe
"C:\Windows\Fonts\Admin 24 - 5 - 2024\Gaara.exe"
3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2540

C:\Windows\Fonts\Admin 24 - 5 - 2024\smss.exe
"C:\Windows\Fonts\Admin 24 - 5 - 2024\smss.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2988

C:\Windows\Fonts\Admin 24 - 5 - 2024\Gaara.exe
"C:\Windows\Fonts\Admin 24 - 5 - 2024\Gaara.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1396

C:\Windows\Fonts\Admin 24 - 5 - 2024\csrss.exe
"C:\Windows\Fonts\Admin 24 - 5 - 2024\csrss.exe"
4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2316

C:\Windows\Fonts\Admin 24 - 5 - 2024\smss.exe
"C:\Windows\Fonts\Admin 24 - 5 - 2024\smss.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1252

C:\Windows\Fonts\Admin 24 - 5 - 2024\Gaara.exe
"C:\Windows\Fonts\Admin 24 - 5 - 2024\Gaara.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1664

C:\Windows\Fonts\Admin 24 - 5 - 2024\csrss.exe
"C:\Windows\Fonts\Admin 24 - 5 - 2024\csrss.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1760

C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe
5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1620

C:\Windows\Fonts\Admin 24 - 5 - 2024\smss.exe
"C:\Windows\Fonts\Admin 24 - 5 - 2024\smss.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:332

C:\Windows\Fonts\Admin 24 - 5 - 2024\Gaara.exe
"C:\Windows\Fonts\Admin 24 - 5 - 2024\Gaara.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:560

C:\Windows\Fonts\Admin 24 - 5 - 2024\csrss.exe
"C:\Windows\Fonts\Admin 24 - 5 - 2024\csrss.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:708

C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:580

C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe
6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1860

C:\Windows\Fonts\Admin 24 - 5 - 2024\smss.exe
"C:\Windows\Fonts\Admin 24 - 5 - 2024\smss.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2480

C:\Windows\Fonts\Admin 24 - 5 - 2024\Gaara.exe
"C:\Windows\Fonts\Admin 24 - 5 - 2024\Gaara.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2392

C:\Windows\Fonts\Admin 24 - 5 - 2024\csrss.exe
"C:\Windows\Fonts\Admin 24 - 5 - 2024\csrss.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:828

C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1340

C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1768

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
7⤵
- Runs ping.exe
PID:2932

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
7⤵
- Runs ping.exe
PID:1972

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
7⤵
- Runs ping.exe
PID:708

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
7⤵
- Runs ping.exe
PID:1484

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
7⤵
- Runs ping.exe
PID:2384

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
7⤵
- Runs ping.exe
PID:1636

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
6⤵
- Runs ping.exe
PID:2252

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
6⤵
- Runs ping.exe
PID:2928

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
6⤵
- Runs ping.exe
PID:1964

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
6⤵
- Runs ping.exe
PID:2172

C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1948

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
5⤵
- Runs ping.exe
PID:2852

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
5⤵
- Runs ping.exe
PID:2508

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
5⤵
- Runs ping.exe
PID:900

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
5⤵
- Runs ping.exe
PID:1920

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
5⤵
- Runs ping.exe
PID:2668

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
5⤵
- Runs ping.exe
PID:536

C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:772

C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1296

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
4⤵
- Runs ping.exe
PID:2872

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
4⤵
- Runs ping.exe
PID:2880

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
4⤵
- Runs ping.exe
PID:892

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
4⤵
- Runs ping.exe
PID:2828

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
4⤵
- Runs ping.exe
PID:1996

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
4⤵
- Runs ping.exe
PID:3028

C:\Windows\Fonts\Admin 24 - 5 - 2024\csrss.exe
"C:\Windows\Fonts\Admin 24 - 5 - 2024\csrss.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1932

C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2948

C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1512

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
3⤵
- Runs ping.exe
PID:1436

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
3⤵
- Runs ping.exe
PID:2372

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
3⤵
- Runs ping.exe
PID:2992

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
3⤵
- Runs ping.exe
PID:3048

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
3⤵
- Runs ping.exe
PID:1644

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
3⤵
- Runs ping.exe
PID:2620

C:\Windows\Fonts\Admin 24 - 5 - 2024\Gaara.exe
"C:\Windows\Fonts\Admin 24 - 5 - 2024\Gaara.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:784

C:\Windows\Fonts\Admin 24 - 5 - 2024\csrss.exe
"C:\Windows\Fonts\Admin 24 - 5 - 2024\csrss.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2416

C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:468

C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:888

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
2⤵
- Runs ping.exe
PID:1940

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
2⤵
- Runs ping.exe
PID:888

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
2⤵
- Runs ping.exe
PID:2516

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
2⤵
- Runs ping.exe
PID:2624

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Modify Registry

T1112

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Admin Games\Readme.txt
Filesize
736B

MD5
bb5d6abdf8d0948ac6895ce7fdfbc151

SHA1
9266b7a247a4685892197194d2b9b86c8f6dddbd

SHA256
5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8

SHA512
878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

Download Submit
C:\Autorun.inf
Filesize
196B

MD5
1564dfe69ffed40950e5cb644e0894d1

SHA1
201b6f7a01cc49bb698bea6d4945a082ed454ce4

SHA256
be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184

SHA512
72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

Download Submit
C:\Windows\Fonts\Admin 24 - 5 - 2024\Gaara.exe
Filesize
148KB

MD5
6459f30c5807fd0fd6d198c94c77c13c

SHA1
55db714c8d83c41c3c93da709cafc878f84ef9de

SHA256
976ebd5870b016f9b2ef8519c13b3a99b255968bb6f08ec406ee7647aa51d102

SHA512
f5d2185d55084ad1a15f826e7de570cc442588760a88fd8d84ca83b8fb3cf631e1cda3e2c110cd22656a630fe87cb42afef5a430fdb2d9b5255ebd45c62ed9c0

Download Submit
C:\Windows\Fonts\Admin 24 - 5 - 2024\csrss.exe
Filesize
148KB

MD5
1ce8afbfdcc164926ec336289a269040

SHA1
414f3f9bd023c8c5fb6c4151346b2b9d365b438f

SHA256
e0d530ca82886916d05342cfc7546aa33f93d99ffc2ac0c79f64c10a8600d755

SHA512
56897f751b972edc7e16a832595aad8ce696e5f3af958728e79e33b8ba44ea071c35238f745410271fe7ee79ae578055edd8479939bed219471419d037255a13

Download Submit
C:\Windows\Fonts\Admin 24 - 5 - 2024\csrss.exe
Filesize
148KB

MD5
210733b898082186615efd98031f5804

SHA1
ce80c98405904907908fffe7f97c50ac50f84ea9

SHA256
81d5707b2359345bd964c4a622e2d06091aebfc91281cd48f1892cec10e50415

SHA512
5ec667f8f7fa3757d86dac4fd9d587ae8d1faeefaa9c79678d7f7ad4f5e67615c42900b9a868d84eefcbd3786acb9cbcec8defa91690d3562c598c03ef4d5bdd

Download Submit
C:\Windows\Fonts\Admin 24 - 5 - 2024\csrss.exe
Filesize
148KB

MD5
bd5ab6d21a0d8ecc2dce6f572d215bc9

SHA1
b72bb584faeb9021392543b725f39edc2ff96df5

SHA256
cf0073216c98b2057ff086ed708ffae2b1a2a0bdd4086f62148c1b27d4282c06

SHA512
b5f5a94e47607b6bfdc95e710cb0421cab56bc014b0b262c5acf00c6ab1e863d4f8d3463aa0d0c0896bd151722d78c62a3574c870e1620ab99b4e83f0e90becb

Download Submit
C:\Windows\Fonts\The Kazekage.jpg
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\Fonts\The Kazekage.jpg
Filesize
1.4MB

MD5
d6b05020d4a0ec2a3a8b687099e335df

SHA1
df239d830ebcd1cde5c68c46a7b76dad49d415f4

SHA256
9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a

SHA512
78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

Download Submit
C:\Windows\SysWOW64\24-5-2024.exe
Filesize
148KB

MD5
a2afdb153691bde4ceac296cdb8a9688

SHA1
258c5c612caa57c381c1330704078a9894c71263

SHA256
5c3738030f9bfde4550556364e9bb97d79588ffc04e2903f20fc3053b01a22f5

SHA512
d305dcc228cd784c5ac9e10dcd0db8e9c0a29fd7219421c54b66b71e4d1174e9d395e0dd9a1eaa18479d07e618c3e94e7f56ce5178e48c2fb2806db12841f0c4

Download Submit
C:\Windows\SysWOW64\24-5-2024.exe
Filesize
148KB

MD5
fc319a8fa7eb74b4af016d8fcd057f29

SHA1
05ea072f5dae1de80d013a748de8ee9c2196f2af

SHA256
eef94d6ff99576b21deb196bda7957a050e6a0605f8638e4e94a19b141acc0fb

SHA512
97ff7cb4d7d78da2e0f9cfe3722034e9e5672932584036e902a379d4ec33808ff55870fccd92207a3de40df8d9f63865e44c9a56ab2a0b18b200ead82e96e05d

Download Submit
C:\Windows\SysWOW64\24-5-2024.exe
Filesize
148KB

MD5
0abfd78418b8ed215fe1254a830e6a6c

SHA1
3fd22138889b79334d9f87ae0a536014b419739e

SHA256
c7f33b1e7603571749bc614129b339c40b37270b843593f415901381e6a0b524

SHA512
b11519505f535bf3084a737f6e87df7e5d8bde3ad3cf79509b474ec931607b297888af819ebf1effff6ad86d3e41a635c85b95650039d72ca425fac683c56e73

Download Submit
C:\Windows\SysWOW64\Desktop.ini
Filesize
65B

MD5
64acfa7e03b01f48294cf30d201a0026

SHA1
10facd995b38a095f30b4a800fa454c0bcbf8438

SHA256
ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62

SHA512
65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

Download Submit
C:\Windows\SysWOW64\drivers\Kazekage.exe
Filesize
148KB

MD5
b0d32ed60138386fb90adce1572cd3bf

SHA1
0814e5add19db8df35f5ad88e96692eacc21bd18

SHA256
a0f14e44fa045381c7f7a5bbadea2c6e02a8d59519946dfe12282880e1faa458

SHA512
651bdcd2c1483421d171eb2837b4286c07d3c6da49d2873807270b74f4c200a9b23e7fde8b55cbcb9c4c967a013599e873013588a6592206a2be974b72571729

Download Submit
C:\Windows\SysWOW64\drivers\Kazekage.exe
Filesize
148KB

MD5
140b98ef047bdc7b56ce7336d2d533b4

SHA1
131a679022740c5155d4827e2567e8042d9ae738

SHA256
bc34d2258ade51b3ca02b3e343e32b9a04477f479ae08c51b0544a7e02427de0

SHA512
c740348f70c2a0ef2e740ab624f1431a774aed314dace1f84ab49ca8b3da43c3ce42e79f04ad07050c9a2c4025b886335f39316bbb62686c1cc86d0b4c794efe

Download Submit
C:\Windows\SysWOW64\drivers\Kazekage.exe
Filesize
148KB

MD5
0605e9014596a0dcdae9f6979f9150ef

SHA1
e3bb303e0d351a7ac21026d4490b89364a04dae4

SHA256
c2ef357826a74da28f87e8e1a560a64955d37d33270ffbde116693ef6fe71e79

SHA512
c22c39b6ff68eed3a3a3183e303585104578db9d1e2aa5a59c98a96b7c5004c82b2705d712345acb9bd55c3067816e5f2cabea0c31a228e5bec9d13e5a37f005

Download Submit
C:\Windows\SysWOW64\drivers\system32.exe
Filesize
148KB

MD5
5c2ae92f2cb131ba4eec1a019d759775

SHA1
1470fd4c80840ea879a08ff27e9358838894c648

SHA256
3f63b3e96428154a6508ef7440409c7efdb42dd5bfdd8be62af42fec04a19d1f

SHA512
4eaa792517b35d3652c6d682c3a0d9973b38d6cbb5ef040d633655f829bcce945f82555e77267761f0f2f8529f1f6821d3b47b872faf9b2508a2b07c25323d11

Download Submit
C:\Windows\SysWOW64\drivers\system32.exe
Filesize
148KB

MD5
fc527a23edfb135318cb066430fefed4

SHA1
8a325233c9efd6b045af9aa3860ce409c7a0c5c0

SHA256
1e3783cde58f8dc520fc3d8a19e25a39e6b3e5aaa58ced408d0ff177bb26e4f4

SHA512
2b420f9755938d2b71205448072aec942eaba65ed7f139ba73808c4580b5119a3722d8c3211d4e268cbdd13b22a4e1474cc4983796166791ee92143989d2243e

Download Submit
C:\Windows\SysWOW64\drivers\system32.exe
Filesize
148KB

MD5
b27aa7738dc2b7c997e87b3af22c3079

SHA1
e4a49309307c36f6abfff77c7888815c3111021f

SHA256
f25d29e8c6f4abbfc187b828bcd01d26c8e46669ff0c513e1a9ebeea27de5e33

SHA512
bd54b884562f246bb860e1d635173b32ac58ac263519bc120b5768c5f58df1a664d525f519072eaf74f9a29e31bdb3f620c944146ab91c524d03981e4bb5e04f

Download Submit
C:\Windows\SysWOW64\drivers\system32.exe
Filesize
148KB

MD5
b2be556cf1d9630006d8587b5003ea14

SHA1
6c62d881cf70c2bd1fb99b00eefadf74787497d8

SHA256
31d3d684b961631cc98e3d7ecfd16f0d2c945a948b7d5bf78d605fcbc0de98a0

SHA512
220edcc93391357e125ede5cbe8ee8cd9f9f578c4b8bab181ebc118d9c564510e7e878060a4cb1986ec36e84562580539a97e707463362757cea8cf4244aa96c

Download Submit
C:\Windows\system\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
F:\Admin Games\Kazekage VS Hokage.exe
Filesize
148KB

MD5
485817c51f089e2d7607344ea3fd2d3e

SHA1
7fc025a513b1b378001e68c7163f3e9862de248c

SHA256
cdea8cbbfc19412f258e7e334c68a9c631ad26dcdf7a48890a213076ec5912c6

SHA512
acf48a275861d68a609ef76be6c5e9e16ea49a84051217de18bc53a271fcc9838744f7c6e2bfcf02465a285e871085be6f8cab37288546f1ce9a722a48437ecd

Download Submit
\Windows\Fonts\Admin 24 - 5 - 2024\smss.exe
Filesize
148KB

MD5
ded0e75e24f7f7570bd98daf18187e51

SHA1
406a7412ae3a33d6f75e40e98e9f09c0bc368faa

SHA256
46133896e8561cb0deaca00dfda51d3922b9844d7007541a2544818df2cfa1a0

SHA512
31fb297a3646f33574c90710dd3a4890e6f7a513da33c0ce839e117fcc586c6b60d454ae41b482c020439afa8c5ccf82d2df195f4a3598e4baa75b179b801be3

Download Submit
memory/332-221-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/560-224-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/560-225-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/580-231-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/708-228-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/772-272-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/784-292-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/828-258-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/888-300-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1252-173-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1252-179-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1296-276-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1296-275-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1340-262-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1340-259-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1396-134-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1512-286-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1512-289-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1620-972-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1620-218-0x00000000005C0000-0x00000000005E5000-memory.dmp

Filesize
148KB

Download
memory/1620-973-0x00000000005C0000-0x00000000005E5000-memory.dmp

Filesize
148KB

Download
memory/1664-182-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1760-190-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1760-185-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1768-265-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1860-974-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1860-249-0x0000000000320000-0x0000000000345000-memory.dmp

Filesize
148KB

Download
memory/1860-236-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1932-282-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1948-268-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1948-269-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2228-719-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2228-37-0x0000000000880000-0x00000000008A5000-memory.dmp

Filesize
148KB

Download
memory/2228-0-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2316-191-0x0000000000430000-0x0000000000455000-memory.dmp

Filesize
148KB

Download
memory/2316-725-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2316-172-0x0000000000430000-0x0000000000455000-memory.dmp

Filesize
148KB

Download
memory/2316-142-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2392-255-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2416-295-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2480-252-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2540-90-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2540-723-0x00000000005C0000-0x00000000005E5000-memory.dmp

Filesize
148KB

Download
memory/2540-131-0x00000000005C0000-0x00000000005E5000-memory.dmp

Filesize
148KB

Download
memory/2540-122-0x00000000005C0000-0x00000000005E5000-memory.dmp

Filesize
148KB

Download
memory/2540-724-0x00000000005C0000-0x00000000005E5000-memory.dmp

Filesize
148KB

Download
memory/2540-722-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2724-720-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2724-721-0x0000000000340000-0x0000000000365000-memory.dmp

Filesize
148KB

Download
memory/2724-89-0x0000000000340000-0x0000000000365000-memory.dmp

Filesize
148KB

Download
memory/2724-38-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2724-82-0x0000000000340000-0x0000000000365000-memory.dmp

Filesize
148KB

Download
memory/2740-80-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2948-285-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2988-128-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download